Check: RACF0690
zOS RACF STIG:
RACF0690
(in versions v6 r43 through v6 r30)
Title
Emergency USERIDs must be properly defined. (Cat II impact)
Discussion
Emergency USERIDs are necessary in the event of a system outage for recovery purposes. It is critical that those USERIDs be defined with the appropriate access to ensure timely restoration of services.
Check Content
Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(TSOUADS)

Refer to the following reports produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
- SENSITVE.RPT(DASDVOL)
- SENSITVE.RPT(GDASDVOL)

Refer to the list from the IAO of all emergency userids available to the site, along with the associated function of each userid.

At a minimum, an emergency logonid will exist with the security administration attributes specified in accordance with the following requirements. If the following guidance is not followed, this is a finding.

- At least one userid exists to perform RACF security administration. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute.
- If any userids exist to perform operating system functions, they are defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute and FULL access to all DASD volumes. They must not have the SPECIAL attribute.
NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list.
- All emergency userids are defined to RACF and SYS1.UADS.
- All emergency logonids are implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute.
- All emergency logonids have distinct, different passwords in SYS1.UADS and in RACF, and the site establishes procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF.
- All emergency logonids have documented procedures that provide a mechanism for the use of the IDs. Their release for use is logged, and the log is maintained by the IAO. When an emergency logonid is released for use, its password is reset by the IAO within 12 hours.
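As an added example (it is not part of the STIG and not DISA's data-collection tooling), the Python below applies the attribute rules above to LISTUSER-style output: each userid on the IAO list must be defined to RACF, must carry SPECIAL or OPERATIONS but not both, must have UAUDIT, and must also appear in SYS1.UADS; at least one userid must be a SPECIAL-without-OPERATIONS administrator. The userids, the LISTUSER excerpt and the UADS membership set are constructed for illustration; a real review would read RACFCMDS.RPT(LISTUSER) and EXAM.RPT(TSOUADS) instead. The password-difference rule cannot be checked from these reports (passwords are not listed) and is left to the site's procedure.

```python
import re
from typing import Dict, List, Set

# Constructed LISTUSER-style excerpt for three hypothetical emergency userids
# (not captured from any real system). Only the user-level ATTRIBUTES= line
# matters here; the CONNECT ATTRIBUTES= line in a group section is ignored.
SAMPLE_LISTUSER = """\
USER=EMGADM1  NAME=EMERG SECURITY ADMIN OWNER=SYS1      CREATED=20.123
 DEFAULT-GROUP=SYS1     PASSDATE=24.050 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL UAUDIT
 REVOKE DATE=NONE   RESUME DATE=NONE
  GROUP=SYS1      AUTH=USE       CONNECT-OWNER=SYS1      CONNECT-DATE=20.123
    CONNECT ATTRIBUTES=NONE
USER=EMGOPS1  NAME=EMERG DASD RECOVERY  OWNER=SYS1      CREATED=20.123
 DEFAULT-GROUP=SYS1     PASSDATE=24.050 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=OPERATIONS
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=EMGBAD1  NAME=EMERG BOTH           OWNER=SYS1      CREATED=20.123
 DEFAULT-GROUP=SYS1     PASSDATE=24.050 PASS-INTERVAL= 30 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL OPERATIONS UAUDIT
 REVOKE DATE=NONE   RESUME DATE=NONE
"""

# Constructed set of userids present in SYS1.UADS (a real review takes this
# from EXAM.RPT(TSOUADS)); EMGBAD1 is deliberately absent.
SAMPLE_UADS_USERIDS: Set[str] = {"EMGADM1", "EMGOPS1"}

# Constructed IAO list of emergency userids.
SAMPLE_IAO_LIST: List[str] = ["EMGADM1", "EMGOPS1", "EMGBAD1"]


def parse_listuser(text: str) -> Dict[str, Set[str]]:
    """Map each USER= entry to the set of keywords on its ATTRIBUTES= line."""
    users: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"USER=(\S+)", line)        # user header is at column 1
        if m:
            current = m.group(1)
            users[current] = set()
            continue
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)  # not "CONNECT ATTRIBUTES="
        if m and current is not None:
            attrs = m.group(1).split()
            users[current] = set() if attrs == ["NONE"] else set(attrs)
    return users


def check_emergency_userids(listuser_text: str, uads_userids: Set[str],
                            iao_list: List[str]) -> Dict[str, List[str]]:
    """Return {userid: [findings]} for the RACF0690 attribute rules.

    The key "*" collects site-wide findings (no usable admin userid)."""
    users = parse_listuser(listuser_text)
    findings: Dict[str, List[str]] = {}
    has_admin = False
    for uid in iao_list:
        issues: List[str] = []
        if uid not in users:
            findings[uid] = ["not defined to RACF"]
            continue
        attrs = users[uid]
        special = "SPECIAL" in attrs
        operations = "OPERATIONS" in attrs
        if special and operations:
            issues.append("has both SPECIAL and OPERATIONS")
        elif not special and not operations:
            issues.append("has neither SPECIAL nor OPERATIONS")
        if special and not operations:
            has_admin = True
        if "UAUDIT" not in attrs:
            issues.append("UAUDIT not set (no audit trail)")
        if uid not in uads_userids:
            issues.append("not defined in SYS1.UADS")
        findings[uid] = issues
    if not has_admin:
        findings.setdefault("*", []).append(
            "no emergency userid with SPECIAL and without OPERATIONS")
    return findings


if __name__ == "__main__":
    for uid, issues in check_emergency_userids(
            SAMPLE_LISTUSER, SAMPLE_UADS_USERIDS, SAMPLE_IAO_LIST).items():
        print(uid, "OK" if not issues else "FINDING: " + "; ".join(issues))
```

Run against the constructed data, EMGADM1 passes, EMGOPS1 is flagged for the missing UAUDIT attribute, and EMGBAD1 is flagged for holding both SPECIAL and OPERATIONS and for being absent from SYS1.UADS. Each finding line maps directly to one bullet in the Check Content above.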
Fix Text
The IAO will review the emergency USERIDs to ensure the access granted only authorizes those resources required to support the specific functions of either DASD Recovery or System Administration. Ensure the following items are in effect regarding emergency userids. At a minimum, an emergency userid will exist with the security administration attributes specified in accordance with the following requirements:

- Userids exist to perform RACF security administration only. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. Emergency userids will have either SPECIAL or OPERATIONS but not both.
- Userids can be defined to perform operating system functions. Such userids must be defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, FULL access to all DASD volume resources, and access to the FACILITY class STGADMN profiles. They must not have the SPECIAL attribute.
NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list, since access lists override OPERATIONS.
- All emergency userids are defined to RACF and SYS1.UADS. See the TSO Command Reference for information on adding users to UADS.
- All emergency userids are implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute via the command (ALU is the abbreviation of ALTUSER): ALU <uid> UAUDIT
- All emergency userids have distinct, different passwords in SYS1.UADS and in RACF, and the site establishes procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF.
- All emergency userids have documented procedures, such as a COOP Plan, that provide a mechanism for the use of the IDs. Their release for use is logged, and the log is maintained by the IAO. When an emergency userid is released for use, its password is reset by the IAO within 12 hours.
Additional Identifiers
Rule ID: SV-292r2_rule
Vulnerability ID: V-292
Group Title: RACF0690
Expert Comments
CCIs
Number | Definition
---|---
CCI-000035 | The information system provides the capability for privileged administrators to configure the organization-defined security policy filters to support different security policies.
CCI-001220 | The organization develops and documents procedures to facilitate the implementation of the system and information integrity policy and associated system integrity controls.