Check: RACF-OS-000210
IBM z/OS RACF STIG:
RACF-OS-000210
(in version v9 r3)
Title
IBM RACF must define UACC of NONE on all profiles. (Cat I impact)
Discussion
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
Check Content
Review all dataset and resource profiles in the RACF database. If any are not defined with UACC(NONE), this is a finding.

There is an exception when evaluating the UACC of profiles in the DIGTCERT and NODES resource classes:

DIGTCERT: For profiles in classes other than DIGTCERT, the valid UACC values are NONE, READ, EXECUTE, UPDATE, CONTROL, and ALTER. For DIGTCERT profiles, the valid values are TRUST, NOTRUST, and HIGHTRST. If DIGTCERT profiles are defined with a UACC other than NONE, this is not a finding.

NODES: A UACC of NONE fails the inbound job. If NODES profiles are defined with a UACC other than NONE, this is not a finding.
Fix Text
Define each dataset and resource profile with UACC(NONE), excluding the exceptions of NODES and DIGTCERT profiles.
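The review above can be scripted over command output. The following is an added example, not part of the STIG: it parses a constructed, simplified LISTDSD/RLIST listing (the layout is an assumption) and reports the profiles that fail the check while honouring the DIGTCERT and NODES exceptions.

```python
"""Flag RACF profiles whose UACC is not NONE, honouring the DIGTCERT/NODES exceptions
of RACF-OS-000210.  Input mimics LISTDSD/RLIST output; the sample is constructed."""
import re

EXEMPT_CLASSES = {"DIGTCERT", "NODES"}  # UACC is legitimately not NONE here

SAMPLE_OUTPUT = """\
INFORMATION FOR DATASET PROD.APPL.** (G)
LEVEL  OWNER     UNIVERSAL ACCESS  WARNING  ERASE
-----  --------  ----------------  -------  -----
 00    APPLOWN         READ           NO      NO
CLASS      NAME
-----      ----
FACILITY   BPX.SUPERUSER
LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    SYS1            UPDATE          NONE       NO
CLASS      NAME
-----      ----
DIGTCERT   00.CN=ExampleCA.O=Example
LEVEL  OWNER     UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------  ----------------  -----------  -------
 00    SYS1            TRUST           NONE       NO
"""

def parse_profiles(text):
    """Return (class, profile, uacc) tuples from LISTDSD/RLIST-style output."""
    records, cls, name, want = [], None, None, None
    for line in text.splitlines():
        m = re.match(r"INFORMATION FOR DATASET\s+(\S+)", line)
        if m:                                  # LISTDSD: dataset profile header
            cls, name = "DATASET", m.group(1)
        elif line.startswith("CLASS") and "NAME" in line:
            want = "classname"                 # RLIST: class/profile follow the dashes
        elif line.startswith("LEVEL") and "UNIVERSAL ACCESS" in line:
            want = "uacc"                      # UACC is the third column of the data row
        elif want and line.strip() and not line.startswith("-"):
            fields = line.split()
            if want == "classname":
                cls, name = fields[0], fields[1]
            elif cls is not None:
                records.append((cls, name, fields[2]))
            want = None
    return records

def findings(records):
    """Profiles failing the check: UACC other than NONE outside the exempt classes."""
    return [r for r in records if r[2] != "NONE" and r[0] not in EXEMPT_CLASSES]

print(findings(parse_profiles(SAMPLE_OUTPUT)))
```

Running it lists the dataset and FACILITY profiles as findings and leaves the DIGTCERT profile (UACC TRUST) out, as the check text requires.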
Additional Identifiers
Rule ID: SV-223777r1050763_rule
Vulnerability ID: V-223777
Group Title: SRG-OS-000370-GPOS-00155
CCIs
Number | Definition
---|---
CCI-001774 | Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system.
Controls
Number | Title
---|---
CM-7(5) | Authorized Software / Whitelisting