The PROTECTALL SETROPTS value specified must be properly set.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-276	RACF0480	SV-276r3_rule		High

Description
When PROTECTALL processing is active and set to FAIL, the system automatically rejects any request to create or access a data set that is not RACF protected. Temporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing. PROTECTALL requires that data sets be RACF protected. In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

Description

When PROTECTALL processing is active and set to FAIL, the system automatically rejects any request to create or access a data set that is not RACF protected. Temporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing. PROTECTALL requires that data sets be RACF protected. In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

STIG	Date
z/OS RACF STIG	2018-12-20

Details

Check Text ( C-18206r2_chk )
a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0480) b) If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, there is NO FINDING. c) If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a FINDING. Additional analysis may be required to determine whether this FINDING should be downgraded to a Category II or remain a Category I. Example of a Category I FINDING where no further analysis is required: Control Options: SETROPTS NOPROTECTALL Example of a possible Category I FINDING requiring additional analysis: Control Options: SETROPTS PROTECTALL(WARNING) PROTECTALL(WARNING) allows access to a data set only if it is not protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not allow unauthorized access. This situation allows for a downgrade to a Category II.

Check Text ( C-18206r2_chk )

a) Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)

Automated Analysis requires Additional Analysis.
Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0480)

b) If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, there is NO FINDING.

c) If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a FINDING.

Additional analysis may be required to determine whether this FINDING should be downgraded to a Category II or remain a Category I.

Example of a Category I FINDING where no further analysis is required:

Control Options: SETROPTS NOPROTECTALL

Example of a possible Category I FINDING requiring additional analysis:

Control Options: SETROPTS PROTECTALL(WARNING)

PROTECTALL(WARNING) allows access to a data set only if it is not protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not allow unauthorized access. This situation allows for a downgrade to a Category II.

Fix Text (F-17365r1_fix)
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the PROTECTALL Option. (1) PROTECTALL is ACTIVATED and set to FAIL by issuing the command SETR PROTECTALL(FAIL).