Title

The RACF Classes required to properly security the z/OS UNIX environment are not ACTIVE. (Cat II impact)

Discussion

The FACILITY, SURROGAT, and UNIXPRIV Class support profiles used to secure the z/OS UNIX (OMVS) environment. Without these classes being in an ACTIVE status, system integrity can be compromised.

Check Content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(ZUSSR060) b) If the ACTIVE CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, there is NO FINDING. c) If (b) above is untrue, this is a FINDING.

Fix Text

UNIXPRIV class profiles are used to manage certain system privileges that are typically associated with z/OS UNIX superuser authority. By defining UNIXPRIV class profiles, certain individual superuser privileges can be granted to users who do not have superuser authority. This reduces the security risks associated with assigning full superuser authority to users. SURROGAT class profiles are only needed if there are servers (e.g., web server) running in the z/OS UNIX environment that must be able to act with the security context of a client and that client does not supply a password or other authenticator for the ACP. FACILITY class profiles are used by a variety of IBM components including UNIX System Services (OMVS). BPX prefixed profiles in this class are critical to the proper security of the z/OS UNIX environment. Ensure that the required classes are active. Develop a plan of action and activate with the RACF commands: SETR CLASSACT(FACILITY SURROGAT UNIXPRIV) SETR GENERIC(FACILITY SURROGAT UNIXPRIV) SETR GENCMD(FACILITY SURROGAT UNIXPRIV) SETR RACL(FACILITY SURROGAT UNIXPRIV)

Additional Identifiers

Rule ID: SV-7301r2_rule

Vulnerability ID: V-6998

Group Title: ZUSSR060

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.