Check: RACF0480
zOS RACF STIG:
RACF0480
(in versions v6 r43 through v6 r37)
Title
The PROTECTALL SETROPTS value specified must be properly set. (Cat I impact)
Discussion
When PROTECTALL processing is active and set to FAIL, the system automatically rejects any request to create or access a data set that is not RACF protected. Temporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing. PROTECTALL requires that data sets be RACF protected. In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.
Check Content
a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis requires Additional Analysis. Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0480) b) If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, there is NO FINDING. c) If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a FINDING. Additional analysis may be required to determine whether this FINDING should be downgraded to a Category II or remain a Category I. Example of a Category I FINDING where no further analysis is required: Control Options: SETROPTS NOPROTECTALL Example of a possible Category I FINDING requiring additional analysis: Control Options: SETROPTS PROTECTALL(WARNING) PROTECTALL(WARNING) allows access to a data set only if it is not protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not allow unauthorized access. This situation allows for a downgrade to a Category II.
Fix Text
Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the PROTECTALL Option. (1) PROTECTALL is ACTIVATED and set to FAIL by issuing the command SETR PROTECTALL(FAIL).
Additional Identifiers
Rule ID: SV-276r3_rule
Vulnerability ID: V-276
Group Title: RACF0480
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
CCI-002358 |
The information system implements a reference monitor for organization-defined access control policies that is always invoked. |