Title

The use of the RACF AUDITOR privilege must be justified. (Cat II impact)

Discussion

A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.

Check Content

a) Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACUSR) - DSMON.RPT(RACGRP) - RACFCMDS.RPT(LISTUSER) Automated Analysis requires Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0730) b) Ensure the following items are in effect regarding the AUDITOR attribute: 1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel. 2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed. c) If both items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING.

Fix Text

Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. The AUDITOR attribute is removed from a user with the command: ALU <userid> NOAUDITOR. To remove the Group-Auditor attribute: CO <user> GROUP(<groupname>) NOAUDITOR

Additional Identifiers

Rule ID: SV-295r3_rule

Vulnerability ID: V-295

Group Title: RACF0730

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.