UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The use of the RACF AUDITOR privilege must be justified.


Overview

Finding ID Version Rule ID IA Controls Severity
V-295 RACF0730 SV-295r3_rule Medium
Description
A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.
STIG Date
z/OS RACF STIG 2018-10-04

Details

Check Text ( C-19592r2_chk )
a) Refer to the following reports produced by the RACF Data Collection:

- DSMON.RPT(RACUSR)
- DSMON.RPT(RACGRP)
- RACFCMDS.RPT(LISTUSER)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0730)

b) Ensure the following items are in effect regarding the AUDITOR attribute:

1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel.
2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed.

c) If both items in (b) are true, there is NO FINDING.

d) If either item in (b) is untrue, this is a FINDING.
Fix Text (F-17981r1_fix)
Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed.

The AUDITOR attribute is removed from a user with the command: ALU NOAUDITOR.

To remove the Group-Auditor attribute:

CO GROUP() NOAUDITOR