Attributes of z/OS UNIX user accounts are not defined properly
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-6985 | ZUSS0041 | SV-7288r2_rule | DCCS-1 DCCS-2 | Medium |
| Description |
|---|
| User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised. |
| STIG | Date |
|---|---|
| z/OS RACF STIG | 2019-12-12 |
Details
| Check Text ( C-3618r1_chk ) |
|---|
| Refer to the following report produced by the ACP Data Collection: ACF2 - ACF2CMDS.RPT(OMVSGRP) RACF - RACFCMDS.RPT(LISTGRP) TSS - TSSCMDS.RPT(OMVSUSER) Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(ZUSS0041) NOTE: A site can choose to have both an OMVSGRP group and an STCOMVS group or combine the groups under one of these names. Ensure that the OMVSGRP and/or STCOMVS groups are defined and have a unique GID in the range of 1-99. |
| Fix Text (F-18960r1_fix) |
|---|
| The Systems Programmer will ensure that the OMVSGRP group and / or the STCOMVS group are each defined to the security database with a unique GID in the range of 1-99. OMVSGRP is the name suggested by IBM for all the required userids. STCOMVS is the standard name used at some sites for the userids that are associated with z/OS UNIX started tasks and daemons. These groups can be combined at the site’s discretion. |