UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

UID(0) must be properly assigned.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6991 ZUSS0046 SV-7294r3_rule High
Description
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
STIG Date
z/OS RACF STIG 2019-09-27

Details

Check Text ( C-20023r2_chk )
a) Refer to the following report produced by the ACP Data Collection:

ACF2
- ACF2CMDS.RPT(OMVSUSER)
RACF
- RACFCMDS.RPT(LISTUSER)
TSS
- TSSCMDS.RPT(OMVSUSER)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the z/OS Data Collection:

- PDI(ZUSS0046)

b) If UID(0) is assigned only to system tasks such as the z/OS/ UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, there is NO FINDING.

c) If UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, there is NO FINDING.

NOTE: The assignment of UID(0) confers full time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.

d) If UID(0) is assigned to non-systems or non-maintenance accounts, this is a FINDING.
Fix Text (F-18965r1_fix)
The systems programmer will verify that UID(0) is defined as specified below:
UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons.

UID(0) is assigned to security administrators who create or maintain user account definitions; and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components..

NOTE: The assignment of UID(0) confers full time superuser privileges, this is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.