Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-295 | RACF0730 | SV-295r2_rule | DCCS-1 DCCS-2 | Medium |
Description |
---|
A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor. |
STIG | Date |
---|---|
z/OS RACF STIG | 2017-03-22 |
Check Text ( C-19592r1_chk ) |
---|
a) Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACUSR) - DSMON.RPT(RACGRP) - RACFCMDS.RPT(LISTUSER) Automated Analysis requiring Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0730) b) Ensure the following items are in effect regarding the AUDITOR attribute: 1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel. 2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed. c) If both items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING. |
Fix Text (F-17981r1_fix) |
---|
Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. The AUDITOR attribute is removed from a user with the command: ALU To remove the Group-Auditor attribute: CO |