An error occurred:

Check: RACF0300

zOS RACF STIG: RACF0300 (in versions v6 r43 through v6 r37)

Title

The ERASE ALL SETROPTS value must be set to ERASE(ALL) on all systems. (Cat II impact)

Discussion

The ERASE ALL specifies that data management is to erase all scratched data sets including temporary data sets. NOERASE specifies that no DASD data sets are erased when deleted. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

Check Content

Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis requires Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0300) For all systems, if the ERASE values are set as follows, this is not a finding. ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS: ERASE-ON-SCRATCH FOR ALL DATA SETS IS IN EFFECT

Fix Text

The IAO must ensure that ERASE SETROPTS value is set to ERASE(ALL) this allows DASD datasets to be erased when deleted. Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: - Issue the RACF Command SETR LIST to show the status of RACF Controls including the status of the ERASE options. - Take the appropriate actions to ensure that the SETR ERASE(ALL) has been issued to enable Erase On Scratch for all datasets.

Additional Identifiers

Rule ID: SV-259r4_rule

Vulnerability ID: V-259

Group Title: RACF0300

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001090

The information system prevents unauthorized and unintended information transfer via shared system resources.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
SC-4

Information In Shared Resources