UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The user account for the z/OS UNIX SUPERUSER userid must be properly defined.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6988 ZUSS0044 SV-87471r1_rule Medium
Description
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
STIG Date
z/OS TSS STIG 2017-06-26

Details

Check Text ( C-72949r4_chk )
Refer to system PARMLIB member BPXPRMxx (xx is determined by OMVS entry in IEASYS00.)

Determine the user ID identified by the SUPERUSER parameter. (BPXROOT is the default).

From a command input screen enter:
TSS LIST(superuser userid) DATA(ALL)

Alternately refer to TSS Data Collection:

- TSSCMDS.RPT(@ACIDS)

If the SUPERUSER userid is defined as follows, this is not a finding:

- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”
Fix Text (F-79255r5_fix)
Define the user ID identified in the BPXPRM00 SUPERUSER parameter as specified below:

- No access to interactive on-line facilities (e.g., TSO, CICS, etc.)
- Default group specified as OMVSGRP or STCOMVS
- UID(0)
- HOME directory specified as “/”
- Shell program specified as “/bin/sh”