The user account for the z/OS UNIX BPXROOT is not properly defined.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6988	ZUSS0044	SV-7291r2_rule	DCCS-1 DCCS-2	Medium

Description
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.

STIG	Date
z/OS RACF STIG	2016-12-21

Details

Check Text ( C-3906r1_chk )
a) Refer to the following reports produced by the ACP Data Collection: ACF2 - ACF2CMDS.RPT(OMVSUSER) - ACF2CMDS.RPT(LOGONIDS) RACF - RACFCMDS.RPT(LISTUSER) TSS - TSSCMDS.RPT(@ACIDS) b) If BPXROOT is defined as follows, there is NO FINDING: 1) No access to interactive on-line facilities (e.g., TSO, CICS, etc.) 2) Default group specified as OMVSGRP or STCOMVS 3) UID(0) 4) HOME directory specified as “/” 5) Shell program specified as “/bin/sh” c) If BPXROOT is not defined as specified in (b) above, this is a FINDING.

Check Text ( C-3906r1_chk )

a) Refer to the following reports produced by the ACP Data Collection:

ACF2
- ACF2CMDS.RPT(OMVSUSER)
- ACF2CMDS.RPT(LOGONIDS)
RACF
- RACFCMDS.RPT(LISTUSER)
TSS
- TSSCMDS.RPT(@ACIDS)

b) If BPXROOT is defined as follows, there is NO FINDING:

1) No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
2) Default group specified as OMVSGRP or STCOMVS
3) UID(0)
4) HOME directory specified as “/”
5) Shell program specified as “/bin/sh”

c) If BPXROOT is not defined as specified in (b) above, this is a FINDING.

Fix Text (F-18963r1_fix)
The systems programmer will verify that BPXROOT is defined as specified below: ) No access to interactive on-line facilities (e.g., TSO, CICS, etc.) 2) Default group specified as OMVSGRP or STCOMVS 3) UID(0) 4) HOME directory specified as “/” 5) Shell program specified as “/bin/sh”