An error occurred:

Check: ZUSS0048

zOS RACF STIG: ZUSS0048 (in versions v6 r43 through v6 r35)

Title

Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements. (Cat II impact)

Discussion

RACF userids that use z/OS UNIX must be properly configured. If these attributes are not correctly defined, data access or command privilege controls could be compromised.

Check Content

If this is a classified system, this is not applicable. From a command input screen enter: RLIST FACILITY (BPX.UNIQUE.USER) ALL Examine APPLICATION DATA for userid Enter: List User (<userid>) Alternately: Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(FACILITY) - RACFCMDS.RPT(LISTUSER) Note: This check applies to any user id used to model OMVS access on the mainframe. This includes the OMVS default user and BPX.UNIQUE.USER. If the OMVS default user or BPX.UNIQUE.USER is not defined in the FACILITY report, this is not applicable. If user account used for OMVS account modeling is defined as follows, this is not a finding: A non-writable HOME directory: Shell program specified as “/bin/echo” or “/bin/false” Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

Fix Text

Use of the OMVS default UID will not be allowed on any classified system. This is not an issue when using BPX.UNIQUE.USER. Define user id used for OMVS account modeling with a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.” AG OEDFLTG SUPGROUP(ADMIN) OWNER(ADMIN) OMVS(GID(777777)) AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS - OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) - DATA('DEFAULT OMVSUSERID ADDED WITH SOER5') RDEF FACILITY BPX.DEFAULT.USER APPLDATA('OEDFLTU/OEDFLTG') - DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN) SETR RACLIST(FACILITY) REFRESH

Additional Identifiers

Rule ID: SV-7940r5_rule

Vulnerability ID: V-7050

Group Title: ZUSS0048

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000764

The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
IA-2

Identification And Authentication (Organizational Users)