Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-223714 | RACF-ES-000670 | SV-223714r604139_rule | Medium |
Description |
---|
This requirement is intended to cover both traditional interactive logons to information systems and general accesses to information systems that occur in other types of architectural configurations (e.g., service-oriented architectures). |
STIG | Date |
---|---|
IBM z/OS RACF Security Technical Implementation Guide | 2022-12-14 |
Check Text ( C-25387r571992_chk ) |
---|
From the ISPF Command Shell enter: ListUser * If authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding. If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding. Otherwise, Group-OPERATIONS is allowed. |
Fix Text (F-25375r514831_fix) |
---|
Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed. A sample command to remove the OPERATIONS attribute from a userid is shown here: ALU To remove the Group-Operations attribute: CO |