An error occurred:

Check: RACF-ES-000700

IBM z/OS RACF STIG: RACF-ES-000700 (in versions v8 r14 through v7 r2)

Title

IBM RACF users must have the required default fields. (Cat II impact)

Discussion

Ensure that Every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, the owner, and the user's passdate or phrasedate fields are completed. This will uniquely identify each user. If these fields are not completed for each user, user accountability will become lost.

Check Content

From a z/OS command screen enter: ListUser * Examine each user entry verify every user is fully identified with all of the following conditions: -A completed NAME field that can either be traced back to a current DD2875 or a Vendor Requirement (example: A Started Task). -The presence of the DEFAULT-GROUP and OWNER fields. -The PASSDATE field or the PHRASEDATE field accordingly is not set to N/A excluding users with the PROTECTED attribute. If all of the above are true, this is not a finding. If any of above is untrue, this is a finding.

Fix Text

Review all USERID definitions to ensure required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI. The following are sample commands to correct this vulnerability. -To Add a NAME to a userid with the command ALU <userid> NAME('lastname, firstname'). -Every user will be assigned a default group by default. A sample command to reassign a default group is shown here: ALU <userid> DFLTGRP(<newdefaultgroup>). You must first be connected to a group via the RACF CONNECT command before making it a default group. -A PASSDATE field or a PHRASEDATE field showing 00.000 indicates that a temporary password or password phrase has been assigned but the user has not logged in and set a permanent value. This could indicate that a new userid was recently added or that a userid previously added is unused and should be considered for deletion. The ISSO should investigate and determine if the userid should be deleted or that the new user should be contacted and told to login to set a permanent value.

Additional Identifiers

Rule ID: SV-223717r822576_rule

Vulnerability ID: V-223717

Group Title: SRG-OS-000104-GPOS-00051

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000764

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2

Identification And Authentication (Organizational Users)