Check: RACF0570
zOS RACF STIG:
RACF0570
(in versions v6 r43 through v6 r30)
Title
RACF users do not have the required default fields. (Cat III impact)
Discussion
Ensure that every USERID is uniquely identified to the system. Within the USERID record, the user's name, default group, owner, and passdate fields must be completed; these fields are what uniquely identify each user. If they are not completed for every user, user accountability is lost.

Every user is identified to RACF via a unique userid profile. To RACF, a user is an individual (user), a started task, or a batch job. Every userid will be fully identified within RACF with the following fields completed:

   NAME      User's name
   DFLTGRP   Default group
   OWNER     User's profile owner
   PASSWORD  Password

RACF will automatically assign the default group name as the password if a password is not explicitly coded. Assign a unique password to every userid to prevent unauthorized access by a person who knows the default group of a new userid.
Check Content
a) Refer to the following report produced by the RACF Data Collection:
   - RACFCMDS.RPT(LISTUSER)

   Automated Analysis
   Refer to the following report produced by the RACF Data Collection:
   - PDI(RACF0570)

b) Verify that every user is fully identified, meeting all of the following conditions:
   1. A completed NAME field that can be traced back either to a current DD2875 or to a vendor requirement (for example, a started task).
   2. The presence of the DEFAULT-GROUP and OWNER fields.
   3. The PASSDATE field is not set to N/A unless the user has the PROTECTED attribute.

c) If all of the above are true, there is NO FINDING.

d) If any of the above is untrue, this is a FINDING.
Fix Text
Review all USERID definitions to ensure the required information is provided. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes listed in this PDI.

The following are sample commands to correct this vulnerability:

1. Add a NAME to a userid with the command ALU <userid> NAME('lastname, firstname').

2. Every user is assigned a default group when the userid is created. A sample command to reassign the default group is ALU <userid> DFLTGRP(<newdefaultgroup>). The userid must first be connected to the group via the RACF CONNECT command before that group can be made its default group.

3. A PASSDATE field of 00.000 indicates that a temporary password has been assigned but the user has not logged in and set a permanent password. This could mean that the userid was recently added, or that a userid added earlier is unused and should be considered for deletion. The IAO should investigate and determine whether the userid should be deleted or whether the new user should be contacted and told to log in and set a permanent password.
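The Check Content conditions (b.1 to b.3) and the 00.000 PASSDATE note in the Fix Text can be applied mechanically to the RACFCMDS.RPT(LISTUSER) report. The script below is an added example, not part of the STIG or of the DISA data collection tooling: it parses LISTUSER output and reports, per userid, the conditions that fail. The LISTUSER sample is constructed for illustration, and the field layout assumed (USER/NAME/OWNER/CREATED on the first line, DEFAULT-GROUP/PASSDATE on the second, then ATTRIBUTES) follows the standard LISTUSER report. The script can only flag a NAME that is empty or the RACF placeholder UNKNOWN; tracing a completed NAME back to a DD2875 or vendor requirement remains a manual step.

```python
import re
from typing import Dict, List

# Constructed sample LISTUSER output for four userids (not real site data).
# Lines that do not matter for RACF0570 are omitted from each profile.
SAMPLE_LISTUSER = """\
USER=JSMITH    NAME=SMITH, JOHN        OWNER=SYSADM    CREATED=21.045
 DEFAULT-GROUP=DEVGRP   PASSDATE=21.300 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=STCUSER   NAME=CICS STARTED TASK  OWNER=SYSADM    CREATED=20.010
 DEFAULT-GROUP=STCGRP   PASSDATE=N/A    PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=TEMP01    NAME=UNKNOWN            OWNER=SYSADM    CREATED=21.330
 DEFAULT-GROUP=DEVGRP   PASSDATE=N/A    PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
USER=NEWHIRE   NAME=DOE, JANE          OWNER=SYSADM    CREATED=21.340
 DEFAULT-GROUP=DEVGRP   PASSDATE=00.000 PASS-INTERVAL= 60 PHRASEDATE=N/A
 ATTRIBUTES=NONE
 REVOKE DATE=NONE   RESUME DATE=NONE
"""

# NAME may contain spaces and commas, so it is matched lazily up to OWNER=.
HEADER_RE = re.compile(r"^USER=(\S+)\s+NAME=(.*?)\s+OWNER=(\S+)\s+CREATED=(\S+)")
DFLTGRP_RE = re.compile(r"^\s*DEFAULT-GROUP=(\S+)\s+PASSDATE=(\S+)")
ATTR_RE = re.compile(r"^\s*ATTRIBUTES=(.*)$")

# RACF prints NAME=UNKNOWN when no NAME was ever supplied.
PLACEHOLDER_NAMES = {"", "UNKNOWN"}


def parse_listuser(text: str) -> List[Dict[str, str]]:
    """Split LISTUSER output into one dict of fields per userid."""
    users: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"USER": m.group(1), "NAME": m.group(2).strip(),
                       "OWNER": m.group(3), "CREATED": m.group(4)}
            users.append(current)
            continue
        if current is None:
            continue  # text before the first USER= line
        m = DFLTGRP_RE.match(line)
        if m:
            current["DEFAULT-GROUP"], current["PASSDATE"] = m.group(1), m.group(2)
            continue
        m = ATTR_RE.match(line)
        if m:
            current["ATTRIBUTES"] = m.group(1).strip()
    return users


def check_user(u: Dict[str, str]) -> Dict[str, List[str]]:
    """Apply RACF0570 conditions b.1 to b.3; 'notes' carries the Fix Text 00.000 advisory."""
    findings: List[str] = []
    notes: List[str] = []
    if u.get("NAME", "").upper() in PLACEHOLDER_NAMES:
        findings.append("NAME field not completed (b.1)")
    for field in ("DEFAULT-GROUP", "OWNER"):
        if not u.get(field):
            findings.append(f"{field} field missing (b.2)")
    protected = "PROTECTED" in u.get("ATTRIBUTES", "").split()
    passdate = u.get("PASSDATE", "")
    if passdate == "N/A" and not protected:
        findings.append("PASSDATE=N/A on a userid without the PROTECTED attribute (b.3)")
    elif passdate == "00.000":
        notes.append("PASSDATE=00.000: temporary password never changed; confirm the userid is still needed")
    return {"findings": findings, "notes": notes}


def racf0570(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Per-userid results keyed by userid."""
    return {u["USER"]: check_user(u) for u in parse_listuser(text)}


def overall_status(text: str) -> str:
    """NO FINDING only if every userid passes all three conditions."""
    results = racf0570(text)
    return "NO FINDING" if all(not r["findings"] for r in results.values()) else "FINDING"


if __name__ == "__main__":
    for userid, r in racf0570(SAMPLE_LISTUSER).items():
        print(f"{userid:<8} findings={r['findings']} notes={r['notes']}")
    print("RACF0570:", overall_status(SAMPLE_LISTUSER))
```

With the constructed input, STCUSER passes because its PASSDATE=N/A is paired with the PROTECTED attribute, TEMP01 fails on both the placeholder NAME and the unprotected PASSDATE=N/A, and NEWHIRE passes the check but carries the 00.000 advisory for the IAO to follow up; a single failing userid makes the whole check a FINDING. For a real site, replace SAMPLE_LISTUSER with the contents of RACFCMDS.RPT(LISTUSER).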
Additional Identifiers
Rule ID: SV-284r2_rule
Vulnerability ID: V-284
Group Title: RACF0570
CCIs
Number | Definition
---|---
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-000804 | The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).