
The z/OS Default profiles must not be defined in the corresponding FACILITY Class Profile for classified systems.


Overview

Finding ID: V-6997
Version: ZUSSR050
Rule ID: SV-7300r4_rule
IA Controls: (none listed)
Severity: Medium
Description
The RACF FACILITY Class BPX.UNIQUE.USER profile contains the userid or the userid/group ID of the default profiles to be used for a user without a z/OS UNIX profile (i.e., OMVS Segment). In a classified system, user access will not be determined by default.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text ( C-3865r3_chk )
If the system is not classified, this is not applicable.

From a command input screen enter:

RLIST FACILITY (BPX.UNIQUE.USER) ALL
Examine APPLICATION DATA for userid

Alternately:
Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(FACILITY)
- System Classification

Automated Analysis:
Refer to the following report produced by the RACF Data Collection:

- PDI(ZUSSR050)

If the system is classified and a userid is not defined in the Application Data field of the BPX.UNIQUE.USER resource in the FACILITY report, there is no finding.
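
The check above can be scripted against saved RLIST output. The following is an added example, not part of the STIG or of the RACF Data Collection tooling; the sample listing is constructed, and the function names and the assumed section layout (heading, dashed underline, then the value or NONE) are assumptions to verify against output from your own system.

```python
# Constructed sample: RLIST FACILITY (BPX.UNIQUE.USER) ALL output, abbreviated.
# Assumed layout: section heading, dashed underline, then the value or NONE.
SAMPLE = """\
CLASS      NAME
-----      ----
FACILITY   BPX.UNIQUE.USER

INSTALLATION DATA
-----------------
ADDED TO SUPPORT THE DEFAULT USER

APPLICATION DATA
----------------
OEDFLTU/OEDFLTG

AUDITING
--------
FAILURES(READ)
"""


def application_data(rlist_text):
    """Return the APPLICATION DATA value, or None when it is empty or NONE."""
    lines = [ln.strip() for ln in rlist_text.splitlines()]
    if "APPLICATION DATA" not in lines:
        raise ValueError("APPLICATION DATA section not found; review manually")
    body = lines[lines.index("APPLICATION DATA") + 1:]
    if body and body[0] and set(body[0]) == {"-"}:
        body = body[1:]  # skip the dashed underline
    value = body[0] if body else ""
    return None if value in ("", "NONE") else value


def check_zussr050(rlist_text, classified):
    """Apply the check text: returns (status, userid, group)."""
    if not classified:
        return ("NOT APPLICABLE", None, None)
    data = application_data(rlist_text)
    if data is None:
        return ("NOT A FINDING", None, None)
    # APPLDATA holds a default userid or a userid/group pair.
    userid, _, group = data.partition("/")
    return ("FINDING", userid, group or None)


if __name__ == "__main__":
    print(check_zussr050(SAMPLE, classified=True))
```

A listing with no APPLICATION DATA section raises an error instead of passing, so truncated or wrong-profile output is sent to manual review.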
Fix Text (F-6718r2_fix)
If the system is classified, a userid should not be defined in the application data field of the FACILITY report.

The sample commands below show the security parameters required for the default user:


AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS -
OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) -
DATA('DEFAULT OMVSUSERID ADDED WITH SOER5')


RDEF FACILITY BPX.UNIQUE.USER APPLDATA() -
DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN)

SETR RACLIST(FACILITY) REFRESH