zSecure must prevent nonprivileged users from executing privileged zSecure functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259733	ZSEC-00-000140	SV-259733r943233_rule		Medium

Description
Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

Description

Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

STIG	Date
IBM zSecure Suite Security Technical Implementation Guide	2024-01-18

Details

Check Text ( C-63472r943231_chk )
If READ access to zSecure functional resources is not restricted to privileged users, this is a finding. If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding. CKF.** CKN.* CKG. CKR. C2R. (if you use zSecure Visual) C2X. If a minimum of all failed access is logged, this is not a finding.

Check Text ( C-63472r943231_chk )

If READ access to zSecure functional resources is not restricted to privileged users, this is a finding.
If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding.

CKF.**
CKN*.**
CKG.**
CKR.**
C2R.** (if you use zSecure Visual)
C2X.**

If a minimum of all failed access is logged, this is not a finding.

Fix Text (F-63379r943232_fix)
Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode: CKF.** CKN.* CKG. CKR. C2R. (if you use zSecure Visual) C2X. A minimum of all failed access must be logged. rdef xfacilit CKF.** uacc(none) owner(zSecure owner) rdef xfacilit CKN.* uacc(none) owner(zSecure owner) rdef xfacilit CKG.** uacc(none) owner(zSecure owner)

Fix Text (F-63379r943232_fix)

Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode:
CKF.**
CKN*.**
CKG.**
CKR.**
C2R.** (if you use zSecure Visual)
C2X.**

A minimum of all failed access must be logged.

rdef xfacilit CKF.** uacc(none) owner(zSecure owner)
rdef xfacilit CKN*.** uacc(none) owner(zSecure owner)
rdef xfacilit CKG.** uacc(none) owner(zSecure owner)