UCF STIG Viewer Logo

IBM RACF OPERAUDIT SETROPTS value must set to OPERAUDIT.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223694 RACF-ES-000470 SV-223694r853600_rule Medium
Description
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2022-12-14

Details

Check Text ( C-25367r514770_chk )
From the ISPF Command Shell enter:
SETRopts List

If the OPERAUDIT value is listed as one of the ATTRIBUTES, this is not a finding.

If the OPERAUDIT value is not listed as one of the ATTRIBUTES, this is a finding.
Fix Text (F-25355r514771_fix)
NOTE: The RACF AUDITOR attribute is required in order to specify SETROPTS OPERAUDIT and also to display the OPERAUDIT attribute with the SETROPTS LIST command.

Configure the OPERAUDIT SETROPTS value to be set to OPERAUDIT. This specifies that RACF logs all actions such as accesses to resources and commands for a user who has operations or group operations attribute.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including a list of ATTRIBUTES.

Logging of all actions, such as accesses to resources and commands, allowed only because a user has the OPERATIONS or group-OPERATIONS attribute is activated with the command SETR OPERAUDIT.