Title

The user account for the z/OS UNIX (RMFGAT) must be properly defined. (Cat II impact)

Discussion

User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.

Check Content

RMFGAT is the userid for the Resource Measurement Facility (RMF) Monitor III Gatherer. If RMFGAT is not define, this is not applicable. From a command input screen enter: SET LID LIST RMFGAT If the RMFGAT is defined as follows, this is not a FINDING: - Default group specified as OMVSGRP or STCOMVS From a command input screen enter: SET PROFILE(USER) DIVISION(OMVS) SET VERBOSE LIST RMFGAT If RMFGAT is defined as follows, this is not a finding: - A unique, non-zero UID - HOME directory specified as “/” - Shell program specified as “/bin/sh” Alternately, Refer to the following reports produced by the ACP Data Collection: - ACF2CMDS.RPT(OMVSUSER) - ACF2CMDS.RPT(LOGONIDS) If RMFGAT is defined as follows, this is not a finding: - Default group specified as OMVSGRP or STCOMVS - A unique, non-zero UID - HOME directory specified as “/” - Shell program specified as “/bin/sh”

Fix Text

Define the RMFGAT user account as specified below: - Default group specified as OMVSGRP or STCOMVS - A unique, non-zero UID - HOME directory specified as “/” - Shell program specified as “/bin/sh”

Additional Identifiers

Rule ID: SV-7292r3_rule

Vulnerability ID: V-6989

Group Title: ZUSS0045

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.