Check: RACF0310
zOS RACF STIG:
RACF0310
(in versions v6 r43 through v6 r30)
Title
The GENCMD SETROPTS value is not enabled for ACTIVE classes. (Cat II impact)
Discussion
(RACF0310: CAT II) The system-wide options control the default settings that determine how the ACP behaves when handling requests for access to the operating system environment, the ACP itself, and customer data. The ACP allows a number of these fields to be set at the subsystem level; where no subsystem-level setting is found, the system-wide defaults apply. An improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during a migration or a contingency plan activation.
Check Content
a) Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(SETROPTS)
Automated Analysis
Refer to the following report produced by the RACF Data Collection:
- PDI(RACF0310)
b) Other than the exemptions listed below, for which GENCMD need not be enabled, if every class listed as ACTIVE is also listed as GENCMD, there is NO FINDING.
c) If there are ACTIVE classes not also shown as GENCMD classes and not in the list of exemptions below, this is a FINDING.
EXEMPTIONS:
The following are defined with GENERIC=DISALLOWED per RACF Macros and Interfaces Appendix C:
CDT KERBLINK REALM SECLABEL SECLMBR
The following should not use GENERICS:
USER GROUP
The following are listed in the RACF Command Language Reference as not recommended for GENERICS:
DIGTCERT DIGTRING
Any class identified as a GROUP class (per RACF Macros and Interfaces Appendix C):
BCICSPCT DIMS ECICSDCT GCICSTRN GCPSMOBJ GCSFKEYS GDASDVOL GDSNBP GDSNCL GDSNDB GDSNJR GDSNPK GDSNPN GDSNSC GDSNSG GDSNSM GDSNSP GDSNSQ GDSNTB GDSNTS GDSNUF GDSNUT GEJBROLE GIMS GINFOMAN GLOBAL GMQADMIN GMQCHAN GMQNLIST GMQPROC GMQQUEUE GMXADMIN GMXNLIST GMXPROC GMXQUEUE GMXTOPIC GSDSF GSOMDOBJ GTERMINL GXFACILI HCICSFCT HIMS JIMS KCICSJCT MIMS NCICSPPT NODES ** PROGRAM QCICSPSB QIMS RACFVARS SECDATA SECLABEL UCICSTST UIMS VCICSCMD VMXEVENT WCICSRES WIMS
** NODES should not be excluded (GENCMD is still required for it).
The following are reporting-only classes (PROFDEF=NO per RACF Macros and Interfaces Appendix C):
DIRACC DIRAUTH DIRSRCH FSOBJ FSSEC IPCOBJ PROCACT PROCESS TEMPDSN VMMAC
Fix Text
The IAO will ensure that GENCMD is enabled for all ACTIVE classes, with the exceptions identified in the "Check" portion of this PDI. Evaluate the impact associated with implementation of the control option and develop a plan of action to implement it, as in the example below.
The RACF command SETR LIST shows the status of the RACF control options, including GENCMD: the classes with generic command processing enabled are listed under GENERIC COMMAND CLASSES, and can be compared against the ACTIVE CLASSES list in the same output.
(1) Activate generic profile command processing for each required class with the command:
SETR GENCMD(<classname>)
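The check and fix above amount to a set difference: ACTIVE classes, minus GENERIC COMMAND CLASSES, minus the exemptions. The following script is an added example (not part of the STIG or of the RACF Data Collection) that performs that comparison offline against captured SETROPTS LIST output and prints the SETR GENCMD commands needed to close the findings. The sample output embedded in it is constructed and only loosely follows the "NAME = values" layout of SETROPTS LIST with indented continuation lines; that layout is an assumption, so verify the section labels against your own report before trusting the parser. NODES is intentionally left out of the exemption set, per the "should not be excluded" note in the Check.

```python
"""Offline check for RACF0310: every ACTIVE class, minus the STIG's exemptions,
must also appear under GENERIC COMMAND CLASSES in SETROPTS LIST output.
Added example; the SAMPLE text below is constructed, not from a real system."""
import re

# Exemption lists copied from the Check Content of this PDI. NODES is
# deliberately absent: the check says it must not be excluded.
GENERIC_DISALLOWED = {"CDT", "KERBLINK", "REALM", "SECLABEL", "SECLMBR"}
NO_GENERICS = {"USER", "GROUP"}
NOT_RECOMMENDED = {"DIGTCERT", "DIGTRING"}
GROUP_CLASSES = {
    "BCICSPCT", "DIMS", "ECICSDCT", "GCICSTRN", "GCPSMOBJ", "GCSFKEYS", "GDASDVOL",
    "GDSNBP", "GDSNCL", "GDSNDB", "GDSNJR", "GDSNPK", "GDSNPN", "GDSNSC", "GDSNSG",
    "GDSNSM", "GDSNSP", "GDSNSQ", "GDSNTB", "GDSNTS", "GDSNUF", "GDSNUT", "GEJBROLE",
    "GIMS", "GINFOMAN", "GLOBAL", "GMQADMIN", "GMQCHAN", "GMQNLIST", "GMQPROC",
    "GMQQUEUE", "GMXADMIN", "GMXNLIST", "GMXPROC", "GMXQUEUE", "GMXTOPIC", "GSDSF",
    "GSOMDOBJ", "GTERMINL", "GXFACILI", "HCICSFCT", "HIMS", "JIMS", "KCICSJCT", "MIMS",
    "NCICSPPT", "PROGRAM", "QCICSPSB", "QIMS", "RACFVARS", "SECDATA", "SECLABEL",
    "UCICSTST", "UIMS", "VCICSCMD", "VMXEVENT", "WCICSRES", "WIMS",
}
REPORTING_ONLY = {"DIRACC", "DIRAUTH", "DIRSRCH", "FSOBJ", "FSSEC", "IPCOBJ",
                  "PROCACT", "PROCESS", "TEMPDSN", "VMMAC"}
EXEMPT = GENERIC_DISALLOWED | NO_GENERICS | NOT_RECOMMENDED | GROUP_CLASSES | REPORTING_ONLY

# Constructed sample; the layout (header "NAME = values", indented
# continuation lines) is an assumption about SETROPTS LIST output.
SAMPLE = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM APPL CDT DASDVOL FACILITY GLOBAL
                 NODES OPERCMDS PROGRAM SURROGAT TERMINAL TSOAUTH TSOPROC
                 UNIXPRIV
GENERIC PROFILE CLASSES = DATASET ACCTNUM APPL DASDVOL FACILITY NODES OPERCMDS
                 SURROGAT TERMINAL TSOAUTH TSOPROC UNIXPRIV
GENERIC COMMAND CLASSES = DATASET ACCTNUM APPL DASDVOL FACILITY OPERCMDS
                 SURROGAT TERMINAL TSOPROC UNIXPRIV
GLOBAL CHECKING CLASSES = DATASET
"""

HEADER = re.compile(r"^\s*([A-Z][A-Z ()/]*?)\s*=\s*(.*)$")


def parse_setropts(text):
    """Return {section name: set of tokens} for every 'NAME = values' section.
    Indented lines that are not themselves headers continue the current section;
    any other line (e.g. a sub-heading without '=') ends it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = set(m.group(2).split())
        elif current and line.startswith(" ") and line.strip():
            sections[current].update(line.split())
        else:
            current = None
    return sections


def racf0310_findings(text):
    """ACTIVE classes with no GENCMD that are not on the exemption lists."""
    s = parse_setropts(text)
    active = s.get("ACTIVE CLASSES", set())
    gencmd = s.get("GENERIC COMMAND CLASSES", set())
    return sorted((active - gencmd) - EXEMPT)


def fix_commands(findings):
    """The SETR GENCMD command from the Fix Text, one per finding."""
    return [f"SETR GENCMD({cls})" for cls in findings]


if __name__ == "__main__":
    found = racf0310_findings(SAMPLE)
    print("FINDING" if found else "NO FINDING", found)
    for cmd in fix_commands(found):
        print(cmd)
```

On the constructed sample, USER, GROUP, CDT, GLOBAL and PROGRAM lack GENCMD but are exempt, so the only findings are NODES (a group class that the check says must still have GENCMD) and TSOAUTH. Review the generated commands against the impact analysis the Fix Text calls for before issuing them; activating generic command processing for a class changes how profile names with generic characters are interpreted on commands for that class.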
Additional Identifiers
Rule ID: SV-260r2_rule
Vulnerability ID: V-260
Group Title: RACF0310
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
CCI-002358 | The information system implements a reference monitor for organization-defined access control policies that is always invoked.