The user account for the z/OS UNIX SUPERSUSER userid must be properly defined.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6988	ZUSS0044	SV-87465r1_rule		Medium

Description
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-72947r4_chk )
Refer to system PARMLIB member BPXPRMxx (xx is determined by OMVS entry in IEASYS00.) Determine the user ID identified by the SUPERUSER parameter. (BPXROOT is the default). From a command input screen enter: LISTUSER (superuser userid) TSO CICS OMVS Alternately, - RACFCMDS.RPT(LISTUSER) If the SUPERUSER userid is defined as follows, this is not a finding: - No access to interactive on-line facilities (e.g., TSO, CICS, etc.) - Default group specified as OMVSGRP or STCOMVS - UID(0) - HOME directory specified as “/” - Shell program specified as “/bin/sh”

Check Text ( C-72947r4_chk )

Refer to system PARMLIB member BPXPRMxx (xx is determined by OMVS entry in IEASYS00.)

Determine the user ID identified by the SUPERUSER parameter. (BPXROOT is the default).

From a command input screen enter:
LISTUSER (superuser userid) TSO CICS OMVS
Alternately,
- RACFCMDS.RPT(LISTUSER)

If the SUPERUSER userid is defined as follows, this is not a finding:

- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”

Fix Text (F-79253r3_fix)
Define the user ID identified in the BPXPRM00 SUPERUSER parameter as specified below: - No access to interactive on-line facilities (e.g., TSO, CICS, etc.) - Default group specified as OMVSGRP or STCOMVS - UID(0) - HOME directory specified as “/” - Shell program specified as “/bin/sh”