The use of the RACF AUDITOR privilege must be justified.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-295	RACF0730	SV-295r3_rule		Medium

Description
A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.

Description

A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-19592r2_chk )
a) Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACUSR) - DSMON.RPT(RACGRP) - RACFCMDS.RPT(LISTUSER) Automated Analysis requires Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0730) b) Ensure the following items are in effect regarding the AUDITOR attribute: 1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel. 2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed. c) If both items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING.

Check Text ( C-19592r2_chk )

a) Refer to the following reports produced by the RACF Data Collection:

- DSMON.RPT(RACUSR)
- DSMON.RPT(RACGRP)
- RACFCMDS.RPT(LISTUSER)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the RACF Data Collection:

- PDI(RACF0730)

b) Ensure the following items are in effect regarding the AUDITOR attribute:

1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel.
2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed.

c) If both items in (b) are true, there is NO FINDING.

d) If either item in (b) is untrue, this is a FINDING.

Fix Text (F-17981r1_fix)
Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. The AUDITOR attribute is removed from a user with the command: ALU NOAUDITOR. To remove the Group-Auditor attribute: CO GROUP() NOAUDITOR