
The zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and audited.


Overview

Finding ID: V-259734
Version: ZSEC-00-000160
Rule ID: SV-259734r943255_rule
IA Controls:
Severity: Medium
Description
Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can fake SMF records. Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes.

Satisfies: SRG-APP-000342-MFP-000090, SRG-APP-000343-MFP-000091

STIG: IBM zSecure Suite Security Technical Implementation Guide
Date: 2024-01-18

Details

Check Text (C-63473r943255_chk)
If this is not a RACF system, the presence of CKGRACF is not applicable.

Verify the access and log settings of the profiles that protect the use of the CKFCOLL and CKGRACF programs and the APF-authorized version of the CKRCARLA program.

If the CKF.** and CKG.** profiles that protect the use of the CKFCOLL, CKGRACF, and CKRCARLA programs allow general access (UACC, ID(*), WARNING, or global access) or do not log successful READ access, this is a finding.

If READ or higher access to profile(s) protecting CKF.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized), batch jobs performing ESM maintenance, auditors, or systems programmers, this is a finding.

If READ or higher access to profile(s) protecting CKG.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized) or batch jobs performing ESM maintenance, this is a finding.

Review auditing of the profile protecting the CKR.CKRCARLA.APF resource in XFACILIT class.

If successful READs are not audited, this is a finding.
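The check above can be scripted against saved RLIST output. The following is an added example, not part of the STIG; it assumes a simplified RLIST layout (constructed sample, not captured from a real system) and uses the group names from the fix text as the permitted READ holders for CKF.** and CKG.**.

```python
import re

# RACF access levels that count as "READ or higher" for this check.
READ_UP = {"READ", "UPDATE", "CONTROL", "ALTER"}
# Groups the fix text names for READ on CKF.** and CKG.** (group names taken from the page).
ALLOWED = {"CKF": {"SYSPAUDT", "SECAAUDT", "SECBAUDT", "SECDAUDT", "TSTCAUDT"},
           "CKG": {"SECAAUDT", "SECBAUDT", "SECDAUDT"}}
# Constructed sample approximating RLIST output for one profile; not a real capture.
SAMPLE = """\
XFACILIT   CKG.CMD.**
LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
 00    ZSECOWN         NONE              NONE      NO
AUDITING
--------
FAILURES(READ)
   USER      ACCESS
   ----      ------
   SECAAUDT  READ
   SYSPAUDT  READ
"""

def parse_rlist(text):
    """Pull profile name, UACC, WARNING, AUDITING and the access list out of the listing."""
    name = re.search(r"^XFACILIT\s+(\S+)", text, re.M).group(1)
    lvl = re.search(r"^\s*\d{2}\s+\S+\s+(\S+)\s+\S+\s+(YES|NO)\s*$", text, re.M)
    aud = re.search(r"^AUDITING\s*\n-+\n(.+)$", text, re.M)
    acl, in_acl = {}, False
    for line in text.splitlines():
        if re.match(r"\s*USER\s+ACCESS\s*$", line):
            in_acl = True
        elif in_acl and (m := re.match(r"\s*([^\s-]\S*)\s+(\S+)\s*$", line)):
            acl[m.group(1)] = m.group(2)
    return {"name": name, "uacc": lvl.group(1), "warning": lvl.group(2),
            "auditing": aud.group(1).strip() if aud else "NONE", "acl": acl}

def check_profile(p):
    """Return the findings for one parsed profile; an empty list means compliant."""
    findings = []
    if p["uacc"] != "NONE":
        findings.append("UACC is " + p["uacc"])
    if p["acl"].get("*", "NONE") != "NONE":
        findings.append("ID(*) grants " + p["acl"]["*"])
    if p["warning"] == "YES":
        findings.append("WARNING mode is on")
    if "SUCCESS(READ)" not in p["auditing"]:
        findings.append("successful READ not audited: " + p["auditing"])
    allowed = ALLOWED.get(p["name"][:3])  # no mandated holder list here for other prefixes
    for uid, acc in p["acl"].items():
        if allowed is not None and uid != "*" and acc in READ_UP and uid not in allowed:
            findings.append(uid + " has " + acc)
    return findings
```

Global access table entries are not visible in RLIST output and must still be reviewed separately.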
Fix Text (F-63380r943235_fix)
If this is not a RACF system, the presence of CKGRACF is not applicable.

Ensure READ access to zSecure functional resources is restricted to the appropriate staff members.

READ access can be given to auditors, security administrators (domain level and decentralized), security batch jobs that perform ESM maintenance, and trusted STC users.

The following commands are provided as a sample for implementing zSecure functional resource controls:

rdef xfacilit resource_profile_protecting_zSecure_CKF_ resource uacc(none) owner(zSecure owner)
pe resource_profile_protecting_zSecure_CKF_ resource class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)

rdef xfacilit CKG.CMD.** uacc(none) owner(zSecure owner)
pe CKG.CMD.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKG.RAC.** uacc(none) owner(zSecure owner)
pe CKG.RAC.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKG.SCHEDULE.** uacc(none) owner(zSecure owner)
pe CKG.SCHEDULE.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKG.SCP.** uacc(none) owner(zSecure owner)
pe CKG.SCP.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKG.UCAT.** uacc(none) owner(zSecure owner)
pe CKG.UCAT.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKG.USRDATA.** uacc(none) owner(zSecure owner)
pe CKG.USRDATA.** class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKNADMIN.TONODE. uacc(none) owner(zSecure owner)
pe CKNADMIN.TONODE. class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)

rdef xfacilit CKNADMIN.FROMNODE. uacc(none) owner(zSecure owner)
pe CKNADMIN.FROMNODE. class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)

rdef xfacilit CKNDSN....ACTIVE uacc(none) owner(zSecure owner)
rdef xfacilit CKNDSN....BACKUP uacc(none) owner(zSecure owner)
rdef xfacilit CKNDSN....MANAGED uacc(none) owner(zSecure owner)
rdef xfacilit CKNDSN....PRIMARY uacc(none) owner(zSecure owner)
pe CKNDSN....ACTIVE class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
pe CKNDSN....BACKUP class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
pe CKNDSN....MANAGED class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
pe CKNDSN....PRIMARY class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, SECDAUDT, TSTCAUDT) access(READ)
pe CKNDSN....ACTIVE class(xfacilit) id(AUDTAUDT) access(UPDATE)
pe CKNDSN....BACKUP class(xfacilit) id(AUDTAUDT) access(UPDATE)
pe CKNDSN....MANAGED class(xfacilit) id(AUDTAUDT) access(UPDATE)
pe CKNDSN....PRIMARY class(xfacilit) id(AUDTAUDT) access(UPDATE)

rdef xfacilit CKNDSN....CKRCMD uacc(none) owner(zSecure owner)
pe CKNDSN....CKRCMD class(xfacilit) id(SECAAUDT, SECBAUDT, SECDAUDT) access(READ)

rdef xfacilit CKR.READALL uacc(none) owner(zSecure owner)
pe CKR.READALL class(xfacilit) id(SYSPAUDT, SECAAUDT, SECBAUDT, TSTCAUDT) access(READ)

rdef xfacilit CKR.CKRCARLA.APF uacc(none) owner(zSecure owner)
pe CKR.CKRCARLA.APF class(xfacilit) id(SYSPAUDT, SECBAUDT) access(READ)

rdef xfacilit C2X.ICH* uacc(none) owner(zSecure owner)
pe C2X.ICH* class(xfacilit) id(AUTOAUDT, TSTCAUDT) access(UPDATE)

rdef xfacilit C2R.SERVER.ADMIN uacc(none) owner(zSecure owner)
pe C2R.SERVER.ADMIN class(xfacilit) id(SECAAUDT) access(READ)

rdef xfacilit C2R.CLIENT.SETROPTS uacc(none) owner(zSecure owner)
pe C2R.CLIENT.SETROPTS class(xfacilit) id(AUDTAUDT, SYSPAUDT, SECAAUDT) access(READ)