Check: ZUSS0046
zOS RACF STIG:
ZUSS0046
(in versions v6 r43 through v6 r37)
Title
UID(0) must be properly assigned. (Cat I impact)
Discussion
User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.
Check Content
a) Refer to the following report produced by the ACP Data Collection:
   ACF2 - ACF2CMDS.RPT(OMVSUSER)
   RACF - RACFCMDS.RPT(LISTUSER)
   TSS - TSSCMDS.RPT(OMVSUSER)

Automated Analysis requires Additional Analysis. Refer to the following report produced by the z/OS Data Collection:
   - PDI(ZUSS0046)

b) If UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons, there is NO FINDING.

c) If UID(0) is assigned to security administrators who create or maintain user account definitions, and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components, there is NO FINDING.

NOTE: The assignment of UID(0) confers full-time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.

d) If UID(0) is assigned to non-systems or non-maintenance accounts, this is a FINDING.
Fix Text
The systems programmer will verify that UID(0) is defined as specified below:

UID(0) is assigned only to system tasks such as the z/OS UNIX kernel (i.e., OMVS), z/OS UNIX daemons (e.g., inetd, syslogd, ftpd), and other system software daemons.

UID(0) is assigned to security administrators who create or maintain user account definitions, and to systems programming accounts dedicated to maintenance (e.g., SMP/E) of HFS-based components.

NOTE: The assignment of UID(0) confers full-time superuser privileges. This is not appropriate for personal user accounts. Access to the BPX.SUPERUSER resource is used to allow personal user accounts to gain short-term access to superuser privileges.
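The check above (review the LISTUSER report, then accept UID(0) only for system tasks, z/OS UNIX daemons, security administrators and SMP/E maintenance IDs) can be applied mechanically to the RACFCMDS.RPT(LISTUSER) output. The script below is an added example, not part of the STIG or of the ACP Data Collection tooling; the LISTUSER text it parses is constructed, and the authorized userids (OMVSKERN, INETD, SYSLOGD, FTPD, SMPEMNT) are assumed names that a site would replace with its own approved list.

```python
import re
from typing import Dict, List, Set

# Constructed sample of RACF LISTUSER output with OMVS segments (not real data
# from any system; the 10-digit zero-padded "UID=" line mirrors RACF's format).
SAMPLE_LISTUSER = """\
USER=OMVSKERN  NAME=OMVS KERNEL         OWNER=SYS1    CREATED=01.001
OMVS INFORMATION
UID= 0000000000
HOME= /
PROGRAM= /bin/sh

USER=SYSLOGD   NAME=SYSLOG DAEMON       OWNER=SYS1    CREATED=01.001
OMVS INFORMATION
UID= 0000000000

USER=JSMITH    NAME=J SMITH             OWNER=TSOUSR  CREATED=19.120
OMVS INFORMATION
UID= 0000000000
HOME= /u/jsmith

USER=AJONES    NAME=A JONES             OWNER=TSOUSR  CREATED=20.033
OMVS INFORMATION
UID= 0000001234
"""

# Userids the check permits to hold UID(0): system tasks, z/OS UNIX daemons and
# dedicated security-admin / SMP/E maintenance IDs. Names here are assumed.
AUTHORIZED_UID0: Set[str] = {"OMVSKERN", "INETD", "SYSLOGD", "FTPD", "SMPEMNT"}

UID_RE = re.compile(r"^\s*UID=\s*(\d+)", re.MULTILINE)


def parse_uids(listuser_text: str) -> Dict[str, int]:
    """Map each userid to its OMVS UID; users with no OMVS segment are skipped."""
    uids: Dict[str, int] = {}
    # Each user's entry starts at a line beginning with "USER=<userid>".
    for entry in re.split(r"(?m)^USER=", listuser_text)[1:]:
        userid = entry.split(None, 1)[0]
        match = UID_RE.search(entry)
        if match:
            uids[userid] = int(match.group(1))
    return uids


def audit_uid0(listuser_text: str, authorized: Set[str]) -> List[str]:
    """Userids holding UID(0) outside the authorized set; non-empty = FINDING."""
    uids = parse_uids(listuser_text)
    return sorted(u for u, uid in uids.items() if uid == 0 and u not in authorized)
```

On the constructed sample, JSMITH is reported because a personal TSO user holds UID(0); AJONES (UID 1234) and the authorized daemons are not.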
Additional Identifiers
Rule ID: SV-7294r3_rule
Vulnerability ID: V-6991
Group Title: ZUSS0046
Expert Comments
CCIs
Number | Definition
---|---
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
CCI-002235 | The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.