
The GENERIC SETROPTS value is not enabled for ACTIVE classes.


Overview

Finding ID: V-261
Version: RACF0320
Rule ID: SV-261r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Medium
Description
(RACF0320: CAT II) The system-wide options control the default settings that determine how the ACP (access control product, here RACF) functions when handling requests for access to the operating system environment, the ACP itself, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level; if no subsystem setting is found, the system-wide defaults are used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during a migration process or contingency plan activation.
STIG: z/OS RACF STIG
Date: 2019-12-12

Details

Check Text (C-17936r1_chk)
a) Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0320)

b) Other than the exemptions listed below, for which GENERIC need not be enabled, if every class listed as ACTIVE is also listed as GENERIC, there is NO FINDING.

c) If there are ACTIVE classes not also shown as GENERIC classes and not in the list of exemptions below, this is a FINDING.

EXEMPTIONS:
The following are defined with GENERIC=DISALLOWED per RACF Macros and Interfaces Appendix C:
CDT
KERBLINK
REALM
SECLABEL
SECLMBR

The following should not use GENERICS:
USER
GROUP

The following are listed in RACF Command Lang Ref as not being recommended
for GENERICS:
DIGTCERT
DIGTRING

The following are GROUP classes per RACF Macros and Interfaces Appendix C:
BCICSPCT
DIMS
ECICSDCT
GCICSTRN
GCPSMOBJ
GCSFKEYS
GDASDVOL
GDSNBP
GDSNCL
GDSNDB
GDSNJR
GDSNPK
GDSNPN
GDSNSC
GDSNSG
GDSNSM
GDSNSP
GDSNSQ
GDSNTB
GDSNTS
GDSNUF
GDSNUT
GEJBROLE
GIMS
GINFOMAN
GLOBAL
GMQADMIN
GMQCHAN
GMQNLIST
GMQPROC
GMQQUEUE
GMXADMIN
GMXNLIST
GMXPROC
GMXQUEUE
GMXTOPIC
GSDSF
GSOMDOBJ
GTERMINL
GXFACILI
HCICSFCT
HIMS
JIMS
KCICSJCT
MIMS
NCICSPPT
NODES ** appears in the appendix list but must NOT be exempted; NODES is required to be GENERIC.
PROGRAM
QCICSPSB
QIMS
RACFVARS
SECDATA
SECLABEL
UCICSTST
UIMS
VCICSCMD
VMXEVENT
WCICSRES
WIMS

The following are reporting-only classes (PROFDEF=NO per RACF Macros and
Interfaces Appendix C):
DIRACC
DIRAUTH
DIRSRCH
FSOBJ
FSSEC
IPCOBJ
PROCACT
PROCESS
TEMPDSN
VMMAC

Fix Text (F-17174r1_fix)
The IAO will ensure that GENERIC is enabled for ACTIVE classes with exceptions listed in the "Check" portion of this PDI.

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF command SETR LIST displays the current SETROPTS settings, including the ACTIVE CLASSES and GENERIC PROFILE CLASSES lists that this check compares.

(1) Generic profile checking (and, with it, generic command processing) is activated for the required classes by the command SETR GENERIC(class-name ...), naming each ACTIVE class that is not in the exemption list above.
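The following script is an added example, not part of the STIG text or of the RACF Data Collection tooling. It automates steps b) and c) of the Check and builds the SETR GENERIC command called for in the Fix: it parses the ACTIVE CLASSES and GENERIC PROFILE CLASSES lists out of SETROPTS LIST output (including the indented continuation lines real output uses), subtracts the exemptions listed above (with NODES deliberately kept in scope), and emits the SETROPTS GENERIC(...) command for whatever remains. The SETROPTS LIST excerpt embedded in it is constructed for illustration, not captured from a real system.

```python
"""RACF0320 helper: find ACTIVE classes that are not GENERIC and build the fix.

Added example, not from the STIG or from any IBM tool. Assumes the input is
the text of a SETROPTS LIST command, whose class lists appear as
'HEADING = CLASS CLASS ...' followed by indented continuation lines.
"""

# Exemptions copied from the Check text. NODES is intentionally absent:
# the STIG says it "should not be excluded", so it must be GENERIC.
EXEMPT_CLASSES = frozenset("""
CDT KERBLINK REALM SECLABEL SECLMBR
USER GROUP
DIGTCERT DIGTRING
BCICSPCT DIMS ECICSDCT GCICSTRN GCPSMOBJ GCSFKEYS GDASDVOL GDSNBP GDSNCL
GDSNDB GDSNJR GDSNPK GDSNPN GDSNSC GDSNSG GDSNSM GDSNSP GDSNSQ GDSNTB GDSNTS
GDSNUF GDSNUT GEJBROLE GIMS GINFOMAN GLOBAL GMQADMIN GMQCHAN GMQNLIST
GMQPROC GMQQUEUE GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC GSDSF GSOMDOBJ
GTERMINL GXFACILI HCICSFCT HIMS JIMS KCICSJCT MIMS NCICSPPT PROGRAM QCICSPSB
QIMS RACFVARS SECDATA UCICSTST UIMS VCICSCMD VMXEVENT WCICSRES WIMS
DIRACC DIRAUTH DIRSRCH FSOBJ FSSEC IPCOBJ PROCACT PROCESS TEMPDSN VMMAC
""".split())

# Constructed SETROPTS LIST excerpt (not from a real system). Long class
# lists wrap onto indented continuation lines, as on a real system.
SAMPLE_SETR_LIST = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM APPL CONSOLE DASDVOL DIGTCERT
                 FACILITY GDASDVOL JESSPOOL NODES OPERCMDS PROGRAM SURROGAT
                 TERMINAL TSOAUTH TSOPROC UNIXPRIV
GENERIC PROFILE CLASSES = DATASET ACCTNUM APPL CONSOLE DASDVOL FACILITY
                          JESSPOOL OPERCMDS SURROGAT TERMINAL TSOAUTH
GENERIC COMMAND CLASSES = DATASET ACCTNUM APPL CONSOLE DASDVOL FACILITY
                          JESSPOOL OPERCMDS SURROGAT TERMINAL TSOAUTH
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = DATASET
"""


def parse_class_list(setr_output, heading):
    """Return the set of class names under 'HEADING = ...', gathering the
    indented continuation lines that follow. 'NONE' yields an empty set."""
    classes = []
    collecting = False
    for line in setr_output.splitlines():
        if not collecting:
            if line.startswith(heading + " ="):
                classes.extend(line.split("=", 1)[1].split())
                collecting = True
        elif line.startswith(" ") and "=" not in line:
            classes.extend(line.split())       # continuation line
        else:
            break                              # next heading reached
    return {c for c in classes if c != "NONE"}


def find_noncompliant(setr_output, exempt=EXEMPT_CLASSES):
    """Steps b) and c): ACTIVE classes that are neither GENERIC nor exempt."""
    active = parse_class_list(setr_output, "ACTIVE CLASSES")
    generic = parse_class_list(setr_output, "GENERIC PROFILE CLASSES")
    return sorted(active - generic - exempt)


def fix_command(classes):
    """Build the Fix Text command for the non-compliant classes, or None."""
    if not classes:
        return None
    return "SETROPTS GENERIC(" + " ".join(classes) + ")"


if __name__ == "__main__":
    findings = find_noncompliant(SAMPLE_SETR_LIST)
    if findings:
        print("FINDING: ACTIVE but not GENERIC:", " ".join(findings))
        print("Proposed fix:", fix_command(findings))
    else:
        print("NO FINDING")
```

On the constructed sample, USER, GROUP, DIGTCERT, GDASDVOL and PROGRAM are ACTIVE without being GENERIC but are exempt, so the script reports only NODES, TSOPROC and UNIXPRIV and proposes SETROPTS GENERIC(NODES TSOPROC UNIXPRIV). Run it against the saved output of SETR LIST (or the RACFCMDS.RPT(SETROPTS) report) from the system under review; as the Fix Text says, evaluate the impact before issuing the command, since enabling GENERIC changes how existing discrete profiles are matched.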