Check: ZSEC-00-000160
IBM zSecure Suite STIG:
ZSEC-00-000160
(in versions v1 r2 through v1 r1)
Title
The IBM Security zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and must be audited. (Cat II impact)
Discussion
Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can fake SMF records. Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes.

Satisfies: SRG-APP-000342-MFP-000090, SRG-APP-000343-MFP-000091
Check Content
If this is not a RACF system, the presence of CKGRACF is not applicable.

Verify the access and log settings of the profiles that protect the use of the CKFCOLL and CKGRACF programs and the APF-authorized version of the CKRCARLA program.

If the CKF.** and CKG.** profiles that protect the use of the CKFCOLL, CKGRACF, and CKRCARLA programs allow general access (UACC, ID(*), WARNING, or global access) or do not log successful READ access, this is a finding.

If READ or higher access to profile(s) protecting CKF.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized), batch jobs performing ESM maintenance, auditors, or systems programmers, this is a finding.

If READ or higher access to profile(s) protecting CKG.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized) or batch jobs performing ESM maintenance, this is a finding.

Review auditing of the profile protecting the CKR.CKRCARLA.APF resource in XFACILIT class. If successful READs are not audited, this is a finding.
Fix Text
The following commands are provided as a sample for implementing RACF zSecure user data set controls. Convert these commands for any other ESM:

rdef program CKFCOLL uacc(none) owner(zSecure owner) audit(all(read))
pe CKFCOLL class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ)
rdef program CKGRACF uacc(none) owner(zSecure owner) audit(all(read))
pe CKGRACF class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ)
rdef program CKRCARLX uacc(none) owner(zSecure owner) audit(all(read))
pe CKRCARLX class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ)
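As an added example (not part of the STIG and not IBM's code), the following Python evaluates one XFACILIT profile's attributes against the Check Content rules above: successful READ auditing for every profile, and general access (UACC, ID(*), WARNING, global access) plus the role restriction for CKF.** and CKG.**. The Profile structure, the mapping of the Fix Text group names to the roles named in the check (SECAAUDT/SECDAUDT security administrators, SECBAUDT ESM batch, AUDTAUDT auditors, SYSPAUDT systems programmers), and the sample profiles are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Assumed mapping of the Fix Text group names to the roles the Check Content
# permits per resource; CKG.** is the stricter rule (no auditors or sysprogs).
ALLOWED_GROUPS = {
    "CKF.**": {"SECAAUDT", "SECDAUDT", "SECBAUDT", "AUDTAUDT", "SYSPAUDT"},
    "CKG.**": {"SECAAUDT", "SECDAUDT", "SECBAUDT"},
}
READ_OR_HIGHER = {"READ", "UPDATE", "CONTROL", "ALTER"}

@dataclass
class Profile:                # constructed model of one XFACILIT profile, not RLIST output
    name: str
    uacc: str                 # universal access, e.g. "NONE"
    warning: bool             # WARNING attribute set
    global_access: bool       # resource also covered by a global access table entry
    audit: str                # e.g. "SUCCESS(READ),FAILURES(READ)"
    acl: dict = field(default_factory=dict)  # access list: id -> access level

def audits_successful_read(audit: str) -> bool:
    """True when the AUDIT setting logs successful READ access."""
    spec = audit.upper().replace(" ", "")
    return "SUCCESS(READ)" in spec or "ALL(READ)" in spec

def check_profile(p: Profile) -> list:
    """Return the findings for one profile under the ZSEC-00-000160 rules."""
    findings = []
    if not audits_successful_read(p.audit):
        findings.append(f"{p.name}: successful READ not audited")
    allowed = ALLOWED_GROUPS.get(p.name)
    if allowed is None:  # e.g. CKR.CKRCARLA.APF: only the audit setting is reviewed
        return findings
    if p.uacc.upper() != "NONE":
        findings.append(f"{p.name}: UACC({p.uacc}) allows general access")
    if p.warning:
        findings.append(f"{p.name}: WARNING mode allows general access")
    if p.global_access:
        findings.append(f"{p.name}: global access table grants access")
    if p.acl.get("*", "NONE").upper() != "NONE":
        findings.append(f"{p.name}: ID(*) in access list")
    for ident, access in p.acl.items():
        if ident != "*" and access.upper() in READ_OR_HIGHER and ident not in allowed:
            findings.append(f"{p.name}: {ident} has {access}, not an allowed role")
    return findings

# Constructed sample profiles: one compliant, one with several findings.
COMPLIANT_CKG = Profile("CKG.**", "NONE", False, False, "SUCCESS(READ),FAILURES(READ)",
                        {"SECAAUDT": "READ", "SECBAUDT": "READ"})
NONCOMPLIANT_CKG = Profile("CKG.**", "NONE", True, False, "FAILURES(READ)",
                           {"SYSPAUDT": "READ", "*": "READ"})
```

In practice the Profile values would be filled from the RACF profile listing for each CKF.**, CKG.** and CKR.CKRCARLA.APF resource, and any non-empty result is a finding for this check.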
Additional Identifiers
Rule ID: SV-259734r1050758_rule
Vulnerability ID: V-259734
Group Title: SRG-APP-000342-MFP-000090
CCIs
Number | Definition
---|---
CCI-002233 | Prevent the organization-defined software from executing at higher privilege levels than users executing the software.
CCI-002234 | Log the execution of privileged functions.