Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-6991 | ZUSS0046 | SV-7294r2_rule | DCCS-1 DCCS-2 | High |
Description |
---|
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised. |
STIG | Date |
---|---|
z/OS RACF STIG | 2017-03-22 |
Check Text ( C-20023r1_chk ) |
---|
a) Refer to the following report produced by the ACP Data Collection: ACF2 - ACF2CMDS.RPT(OMVSUSER) RACF - RACFCMDS.RPT(LISTUSER) TSS - TSSCMDS.RPT(OMVSUSER) Automated Analysis requiring additional analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZUSS0046) b) If UID(0) is assigned only to system tasks such as the z/OS/ UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, there is NO FINDING. c) If UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, there is NO FINDING. NOTE: The assignment of UID(0) confers full time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges. d) If UID(0) is assigned to non-systems or non-maintenance accounts, this is a FINDING. |
Fix Text (F-18965r1_fix) |
---|
The systems programmer will verify that UID(0) is defined as specified below: UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons. UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components.. NOTE: The assignment of UID(0) confers full time superuser privileges, this is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges. |