Check: RACF-ES-000050
IBM z/OS RACF STIG:
RACF-ES-000050
(in versions v8 r8 through v7 r1)
Title
IBM RACF SETROPTS LOGOPTIONS must be properly configured. (Cat II impact)
Discussion
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems may be integrated with enterprise level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000038-GPOS-00016, SRG-OS-000039-GPOS-00017, SRG-OS-000040-GPOS-00018, SRG-OS-000041-GPOS-00019, SRG-OS-000042-GPOS-00021, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000392-GPOS-00172, SRG-OS-000458-GPOS-00203, SRG-OS-000461-GPOS-00205, SRG-OS-000462-GPOS-00206, SRG-OS-000463-GPOS-00207, SRG-OS-000465-GPOS-00209, SRG-OS-000466-GPOS-00210, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000471-GPOS-00216, SRG-OS-000472-GPOS-00217, SRG-OS-000473-GPOS-00218, SRG-OS-000474-GPOS-00219, SRG-OS-000475-GPOS-00220, SRG-OS-000476-GPOS-00221, SRG-OS-000477-GPOS-00222
Check Content
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: Verify that the following LOGOPTIONS are specified: LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the “ACTIVE” class as a minimum> LOGOPTIONS "NEVER" CLASSES = NONE The other LOGOPTIONS may be site determined. If the LOGOPTIONS are not set as described above, this is a finding.
Fix Text
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: Ensure that the following LOGOPTIONS are specified: LOGOPTIONS "FAILURES" CLASSES = <all the classes listed in the “ACTIVE” class as a minimum> LOGOPTIONS "NEVER" CLASSES = NONE The other LOGOPTIONS may be site determined.
Additional Identifiers
Rule ID: SV-223653r853569_rule
Vulnerability ID: V-223653
Group Title: SRG-OS-000004-GPOS-00004
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000018 |
Automatically audit account creation actions. |
| CCI-000131 |
Ensure that audit records containing information that establishes when the event occurred. |
| CCI-000132 |
Ensure that audit records containing information that establishes where the event occurred. |
| CCI-000133 |
Ensure that audit records containing information that establishes the source of the event. |
| CCI-000134 |
Ensure that audit records containing information that establishes the outcome of the event. |
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001404 |
Automatically audit account disabling actions. |
| CCI-001405 |
Automatically audit account removal actions. |
| CCI-002884 |
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions. |