An error occurred:

Check: ZSEC-00-000140

IBM zSecure Suite STIG: ZSEC-00-000140 (in versions v1 r2 through v1 r1)

Title

IBM Security zSecure must prevent nonprivileged users from executing privileged zSecure functions. (Cat II impact)

Discussion

Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

Check Content

If READ access to zSecure functional resources is not restricted to privileged users, this is a finding. If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding. CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** If a minimum of all failed access is logged, this is not a finding.

Fix Text

Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode: CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** A minimum of all failed access must be logged. The following is an example of RACF commands. Convert these commands for any other ESM: rdef xfacilit CKF.** uacc(none) owner(zSecure owner) rdef xfacilit CKN*.** uacc(none) owner(zSecure owner) rdef xfacilit CKG.** uacc(none) owner(zSecure owner) rdef xfacilit CKR.** uacc(none) owner(zSecure owner) rdef xfacilit C2R.** uacc(none) owner(zSecure owner) rdef xfacilit C2X.** uacc(none) owner(zSecure owner)

Additional Identifiers

Rule ID: SV-259733r1050755_rule

Vulnerability ID: V-259733

Group Title: SRG-APP-000340-MFP-000088

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-002235

Prevent non-privileged users from executing privileged functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6(10)

Prohibit Non-privileged Users from Executing Privileged Functions