Title

The user account for the z/OS UNIX SUPERUSER userid must be properly defined. (Cat II impact)

Discussion

User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.

Check Content

Refer to system PARMLIB member BPXPRMxx (xx is determined by OMVS entry in IEASYS00.) Determine the user ID identified by the SUPERUSER parameter. (BPXROOT is the default). From a command input screen enter: SET LID LIST LIKE (superuser userid) If the SUPERUSER userid is defined as follows, this is not a FINDING: - No access to interactive on-line facilities (e.g., TSO, CICS, etc.) - Default group specified as OMVSGRP or STCOMVS From a command input screen enter: SET PROFILE(USER) DIVISION(OMVS) SET VERBOSE LIST <superuser userid> If the SUPERUSER userid is defined as follows, this is not a FINDING: - UID(0) - HOME directory specified as “/” - Shell program specified as “/bin/sh” Alternately, Refer to the following reports produced by the ACP Data Collection: -ACF2CMDS.RPT(OMVSUSER) -ACF2CMDS.RPT(LOGONIDS) If SUPERUSER userid is defined as follows, this is not a finding: - No access to interactive on-line facilities (e.g., TSO, CICS, etc.) - Default group specified as OMVSGRP or STCOMVS - UID(0) - HOME directory specified as “/” - Shell program specified as “/bin/sh”

Fix Text

Define the user ID identified in the BPXPRM00 SUPERUSER parameter as specified below: - No access to interactive on-line facilities (e.g., TSO, CICS, etc.) - Default group specified as OMVSGRP or STCOMVS - UID(0) - HOME directory specified as “/” - Shell program specified as “/bin/sh”

Additional Identifiers

Rule ID: SV-7291r3_rule

Vulnerability ID: V-6988

Group Title: ZUSS0044

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.