Title

The AUDIT SETROPTS value is improperly set. (Cat II impact)

Discussion

(RACF0260: CAT II) AUDIT specifies the names of the classes for which you want RACF to perform auditing. For the classes that you specify, RACF logs all uses of the RACDEF SVC and all changes made to profiles by RACF commands. NOAUDIT cancels auditing. The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

Check Content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0260) b) If all ACTIVE classes are also listed under the AUDIT classes, there is NO FINDING. Note: All Classes must be enabled for AUDITing. c) If there are ACTIVE classes that are not specified in the AUDIT classes, this is a FINDING.

Fix Text

The IAO will ensure that AUDIT SETROPTS value is set to AUDIT(*) indicating that RACF sets all classes to do auditing of uses of the RACDEF SVC and all changes made to profiles by RACF commands. Evaluate the impact associated with implementation of the control option. Develop a plan of action and proceed with the change. Issue the command SETR AUDIT(*) to activate all RACF Classes.

Additional Identifiers

Rule ID: SV-255r2_rule

Vulnerability ID: V-255

Group Title: RACF0260

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.