
RACF users do not have the required default fields.


Overview

Finding ID: V-284
Version: RACF0570
Rule ID: SV-284r2_rule
IA Controls: DCCS-1, DCCS-2
Severity: Low
Description
Ensure that every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, owner, and passdate fields must be completed; this uniquely identifies each user. If these fields are not completed for each user, user accountability is lost.

Every user will be identified to RACF via a unique userid profile. To RACF, a user is an individual (user), a started task, or a batch job. Every userid will be fully identified within RACF with the following fields completed:

- NAME: User's name
- DFLTGRP: Default group
- OWNER: User's profile owner
- PASSWORD: Password

RACF will automatically assign the default group as the password if a password is not explicitly coded. Assign a unique password to every userid to prevent unauthorized access by a person who knows the default group for a new userid.
STIG: z/OS RACF STIG
Date: 2019-12-12

Details

Check Text ( C-369r1_chk )
a) Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(LISTUSER)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0570)

b) Verify that every user is fully identified, meeting all of the following conditions:

1. A completed NAME field that can be traced back either to a current DD2875 or to a vendor requirement (example: a started task).
2. The presence of the DEFAULT-GROUP and OWNER fields.
3. The PASSDATE field is not set to N/A unless this user has the PROTECTED attribute.

c) If all of the above are true, there is NO FINDING.

d) If any of the above is untrue, this is a FINDING.
Fix Text (F-438r1_fix)
Review all USERID definitions to ensure required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI. The following are sample commands to correct this vulnerability:

1. Add a NAME to a userid with the command ALU NAME('lastname, firstname').

2. Every user is assigned a default group by default. A sample command to reassign a default group is shown here: ALU DFLTGRP(). The userid must first be connected to the group via the RACF CONNECT command before that group can be made its default group.

3. A PASSDATE field showing 00.000 indicates that a temporary password has been assigned but the user has not logged in and set a permanent password. This could indicate that a new userid was recently added, or that a userid previously added is unused and should be considered for deletion. The IAO should investigate and determine whether the userid should be deleted or whether the new user should be contacted and told to log in to set a permanent password.
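The check text above is written for the RACF Data Collection reports, but the same three conditions can be applied directly to LISTUSER output. The following Python script is an added example and is not part of the STIG or of any vendor tooling: it parses a constructed sample in the layout of a LISTUSER report (the userids, names, owners and dates are invented), applies conditions 1 to 3 of the check (NAME completed, DEFAULT-GROUP and OWNER present, PASSDATE not N/A unless the userid is PROTECTED), and separately flags the PASSDATE 00.000 case described in fix item 3 for IAO review rather than reporting it as a finding. Two assumptions: that a userid with no name ever set is printed as NAME=UNKNOWN, and that whether a NAME traces back to a DD2875 or a vendor requirement remains a manual step the script cannot perform.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample laid out like a RACF LISTUSER report. The userids, names,
# owners and dates are invented for this example and come from no real system.
SAMPLE_LISTUSER = """\
USER=JSMITH     NAME=SMITH, JOHN          OWNER=SYSADM    CREATED=19.123
 DEFAULT-GROUP=SYS1     PASSDATE=19.200 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=STCTASK    NAME=CICS REGION STC      OWNER=SYSADM    CREATED=18.050
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=NEWUSR1    NAME=UNKNOWN              OWNER=SYSADM    CREATED=19.340
 DEFAULT-GROUP=USERS    PASSDATE=00.000 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=BATCH01    NAME=BATCH SUBMITTER      OWNER=SYSADM    CREATED=17.010
 DEFAULT-GROUP=BATCH    PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
"""

# One "KEY=value" token. Keys are upper-case words, possibly hyphenated
# (DEFAULT-GROUP) or two words (REVOKE DATE). A value runs until the next
# "KEY=" token or end of line, so "SMITH, JOHN" is kept as a single value.
FIELD_RE = re.compile(
    r"([A-Z][A-Z-]*(?: [A-Z-]+)?)=\s*(.*?)(?=\s+[A-Z][A-Z-]*(?: [A-Z-]+)?=|\s*$)"
)


def parse_listuser(report: str) -> Dict[str, Dict[str, str]]:
    """Split a LISTUSER report into one field dictionary per USER= record.

    A record starts at a line beginning with USER=; continuation lines are
    indented by one blank and add further fields to the current record.
    """
    users: Dict[str, Dict[str, str]] = {}
    current = None
    for line in report.splitlines():
        if not line.strip():
            continue
        fields = dict(FIELD_RE.findall(line))
        if line.startswith("USER="):
            current = fields
            users[current["USER"]] = current
        elif current is not None:
            current.update(fields)
    return users


def check_user(fields: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Apply the RACF0570 conditions to one user.

    Returns (findings, notes): findings make the userid a FINDING; notes are
    items for the IAO to review that are not findings by themselves.
    """
    findings: List[str] = []
    notes: List[str] = []

    # Condition 1: NAME completed. Assumption: RACF prints NAME=UNKNOWN when
    # no name was ever assigned. Tracing the name to a DD2875 or a vendor
    # requirement is a manual step and is not attempted here.
    name = fields.get("NAME", "").strip()
    if not name or name == "UNKNOWN":
        findings.append("NAME field is not completed")

    # Condition 2: DEFAULT-GROUP and OWNER present.
    for key in ("DEFAULT-GROUP", "OWNER"):
        if not fields.get(key, "").strip():
            findings.append(f"{key} field is missing")

    # Condition 3: PASSDATE may be N/A only for a PROTECTED userid.
    protected = "PROTECTED" in fields.get("ATTRIBUTES", "").split()
    passdate = fields.get("PASSDATE", "").strip()
    if passdate == "N/A" and not protected:
        findings.append("PASSDATE is N/A but the userid is not PROTECTED")

    # Fix item 3: a temporary password that was never changed. Not a finding
    # under the check text, but the IAO should decide whether to delete the
    # userid or have the user log in and set a permanent password.
    if passdate == "00.000":
        notes.append("PASSDATE 00.000: temporary password never changed; IAO to review")

    return findings, notes


def audit(report: str) -> Dict[str, List[str]]:
    """Return {userid: [finding, ...]} for every userid that is a FINDING."""
    results: Dict[str, List[str]] = {}
    for userid, fields in parse_listuser(report).items():
        findings, _ = check_user(fields)
        if findings:
            results[userid] = findings
    return results


if __name__ == "__main__":
    for userid, fields in parse_listuser(SAMPLE_LISTUSER).items():
        findings, notes = check_user(fields)
        status = "FINDING" if findings else "NO FINDING"
        detail = "; ".join(findings + notes) or "all required fields present"
        print(f"{userid:<8} {status}: {detail}")
```

On the constructed sample, JSMITH and the PROTECTED started task STCTASK pass, NEWUSR1 is a finding for the missing NAME (and carries the 00.000 note), and BATCH01 is a finding because its PASSDATE is N/A without the PROTECTED attribute. Running the script against real LISTUSER output only replaces the sample text; the regular expression tolerates the single-space and multi-space separators the report mixes on one line.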