Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6988 | ZUSS0044 | SV-7291r3_rule | | Medium |
Description |
---|
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2019-03-26 |
Check Text ( C-72945r4_chk ) |
---|
Refer to system PARMLIB member BPXPRMxx (the xx suffix is set by the OMVS= entry in IEASYS00, or whichever IEASYSxx member is in use). Determine the user ID identified by the SUPERUSER parameter (BPXROOT is the default).

From a command input screen enter:

SET LID
LIST LIKE(superuser userid)

If the SUPERUSER userid is defined as follows, this is not a FINDING:
- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS

From a command input screen enter:

SET PROFILE(USER) DIVISION(OMVS)
SET VERBOSE
LIST superuser userid

If the SUPERUSER userid is defined as follows, this is not a FINDING:
- UID(0)
- HOME directory specified as "/"
- Shell program specified as "/bin/sh"

Alternately, refer to the following reports produced by the ACP Data Collection:
- ACF2CMDS.RPT(OMVSUSER)
- ACF2CMDS.RPT(LOGONIDS)

If the SUPERUSER userid is defined as follows, this is not a FINDING:
- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as "/"
- Shell program specified as "/bin/sh" |
Fix Text (F-79251r4_fix) |
---|
Define the user ID identified by the SUPERUSER parameter in BPXPRMxx (BPXROOT by default) as specified below:
- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as "/"
- Shell program specified as "/bin/sh" |
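The check text above is a manual review of LIST output, and the fix text repeats the same five settings. The script below is an added example (not part of the STIG, and not CA ACF2 code) that applies those five conditions to captured listing text, so the check can be repeated on every LPAR from the saved ACF2CMDS.RPT members instead of being eyeballed. The two listings in it are constructed to resemble ACF2 logonid and OMVS-profile LIST output; real layouts vary by release, and the field names GROUP (default group) and OMVSPGM (shell program) are assumptions, so adjust parse_listing() to the reports you actually captured.

```python
"""Evaluate the V-6988 SUPERUSER conditions against captured ACF2 LIST output.

Added example, not part of the STIG or of CA ACF2. Listings below are
constructed; layout and the field names GROUP / OMVSPGM are assumptions.
"""
import re

ALLOWED_GROUPS = {"OMVSGRP", "STCOMVS"}
# Interactive on-line facilities the STIG names ("e.g., TSO, CICS, etc.");
# add any other on-line privilege flag your site uses.
INTERACTIVE_PRIVS = {"TSO", "CICS"}

# Constructed sample: a compliant SUPERUSER (BPXROOT), one section per line.
COMPLIANT_LOGONID = """\
BPXROOT  BPXROOT
  IDENTIFICATION  NAME(OMVS KERNEL SUPERUSER)
  PRIVILEGES      GROUP(OMVSGRP) STC
  ACCESS          ACC-CNT(0) ACC-DATE(00/00/00)
"""
COMPLIANT_OMVS = """\
BPXROOT  OMVS
  UID(0) HOME(/) OMVSPGM(/bin/sh)
"""

# Constructed sample: a SUPERUSER that is a finding on four counts
# (TSO access, wrong default group, wrong HOME, wrong shell).
BAD_LOGONID = """\
BPXROOT  BPXROOT
  IDENTIFICATION  NAME(OMVS KERNEL SUPERUSER)
  PRIVILEGES      GROUP(SYS1) STC TSO
"""
BAD_OMVS = """\
BPXROOT  OMVS
  UID(0) HOME(/u/bpxroot) OMVSPGM(/bin/tcsh)
"""

# An upper-case keyword, optionally followed by a parenthesised value.
TOKEN = re.compile(r"[A-Z][A-Z0-9-]*(?:\([^)]*\))?")


def parse_fields(text):
    """Turn 'NAME(value) FLAG NAME2(v2)' into a dict; bare flags map to True."""
    fields = {}
    for tok in TOKEN.findall(text):
        if tok.endswith(")"):
            name, value = tok[:-1].split("(", 1)
            fields[name] = value.strip()
        else:
            fields[tok] = True
    return fields


def parse_listing(text):
    """Map section name -> parsed fields for a logonid listing.

    Assumed layout: first line is the logonid header, and every following
    line holds one section whose first word is the section name.
    """
    sections = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            sections[parts[0]] = parse_fields(parts[1])
    return sections


def evaluate_superuser(logonid_text, omvs_text):
    """Return the list of deviations from V-6988; an empty list is 'not a finding'."""
    findings = []
    privs = parse_listing(logonid_text).get("PRIVILEGES", {})

    # Condition 1: no interactive on-line facilities.
    online = sorted(p for p in INTERACTIVE_PRIVS if p in privs)
    if online:
        findings.append(f"interactive access allowed: {', '.join(online)}")

    # Condition 2: default group is OMVSGRP or STCOMVS.
    group = privs.get("GROUP")
    if group not in ALLOWED_GROUPS:
        findings.append(f"default group {group!r} not in {sorted(ALLOWED_GROUPS)}")

    # Conditions 3-5: UID(0), HOME(/), shell /bin/sh from the OMVS profile,
    # whose fields follow the header line.
    omvs = parse_fields(" ".join(omvs_text.splitlines()[1:]))
    for field, want in (("UID", "0"), ("HOME", "/"), ("OMVSPGM", "/bin/sh")):
        if omvs.get(field) != want:
            findings.append(f"{field} is {omvs.get(field)!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    for label, lid, omvs in (("compliant", COMPLIANT_LOGONID, COMPLIANT_OMVS),
                             ("non-compliant", BAD_LOGONID, BAD_OMVS)):
        result = evaluate_superuser(lid, omvs)
        print(f"{label}: {'FINDING' if result else 'not a finding'}")
        for item in result:
            print("  -", item)
```

Run it against text pasted from ACF2CMDS.RPT(LOGONIDS) and ACF2CMDS.RPT(OMVSUSER) for the SUPERUSER ID; any non-empty result is the finding, and each line names the condition that failed. Keying the interactive-access test on the PRIVILEGES section only, rather than on any occurrence of "TSO" in the listing, matters because a real logonid listing also prints a TSO section header whether or not the logonid holds the TSO privilege.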