An error occurred:

Check: ZUSSR070

zOS RACF STIG: ZUSSR070 (in versions v6 r43 through v6 r30)

Title

RACF Classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command. (Cat II impact)

Discussion

RACF provides the ability to load certain class profiles into memory for better performance thru the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented. By not following vendor recommendations, unpredictable results could occur that compromise the integrity of the z/OS system.

Check Content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(ZUSSR070) b) If the SETR RACLIST CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, there is NO FINDING. c) If (b) above is untrue, this is a FINDING.

Fix Text

RACF provides the ability to load certain class profiles into memory for better performance thru the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented. UNIXPRIV class profiles are used to manage certain system privileges that are typically associated with z/OS UNIX superuser authority. By defining UNIXPRIV class profiles, certain individual superuser privileges can be granted to users who do not have superuser authority. This reduces the security risks associated with assigning full superuser authority to users. SURROGAT class profiles are only needed if there are servers (e.g., web server) running in the z/OS UNIX environment that must be able to act with the security context of a client and that client does not supply a password or other authenticator for the ACP. FACILITY class profiles are used by a variety of IBM components including UNIX System Services (OMVS). BPX prefixed profiles in this class are critical to the proper security of the z/OS UNIX environment. Ensure that the required classes are RACLISTed. Develop a plan of action and RACLIST with the RACF command: SETR RACL(FACILITY SURROGAT UNIXPRIV)

Additional Identifiers

Rule ID: SV-7302r2_rule

Vulnerability ID: V-6999

Group Title: ZUSSR070

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000366

The organization implements the security configuration settings.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-6

Configuration Settings