Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-223691 | RACF-ES-000430 | SV-223691r877392_rule | Medium |
Description |
---|
Preventing non-privileged users from executing privileged functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. |
STIG | Date |
---|---|
IBM z/OS RACF Security Technical Implementation Guide | 2023-06-13 |
Check Text ( C-25364r514761_chk ) |
---|
From the ISPF Command Shell enter: Search all Class(Facility) MASK(ieasymup) For each entity found enter: RL facility If RACF resources are defined with a default access of NONE, this is not a finding. If RACF resource access authorizations restrict UPDATE and/or greater access to appropriate personnel (i.e., DASD administrators, Tape Library personnel, and system programming personnel), this is not a finding. If RACF resource logging requirements are specified for UPDATE and/or greater access, this is not a finding. |
Fix Text (F-25352r514762_fix) |
---|
Ensure that the System level symbolic resources are defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources are limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed. Limit access to the IEASYMUP resources to above personnel with UPDATE and/or greater access. The following commands are provided as a sample for implementing resource controls: rdef facility ieasymup.* uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') rdef facility ieasymup.symbolname uacc(none) owner(admin) - audit(all(read)) - data('protected per acp00350') pe ieasymup.symbolname cl(facility) id( |