An error occurred:

Check: RACF0660

zOS RACF STIG: RACF0660 (in versions v6 r43 through v6 r30)

Title

There are started tasks defined to RACF with the trusted attribute that are not justified. (Cat II impact)

Discussion

Trusted Started tasks bypass RACF checking. It is vital that this attribute is NOT granted to unauthorized Started Tasks which could then obtain unauthorized access to the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.

Check Content

a) Refer to the following report produced by the RACF Data Collection: - DSMON.RPT(RACSPT) Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system. Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0660) b) Ensure that only approved Started Tasks have the TRUSTED flag enabled. Started Tasks approved to run with the TRUSTED attribute are contained in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum. c) Ensure that no Started Tasks have been granted the PRIVILEGED attribute. d) If all of the above are true, there is NO FINDING. e) If any of the above is untrue, this is a FINDING.

Fix Text

Review assignment of the TRUSTED attribute in ICHRIN03 and/or the STARTED resource class. If a started proc defined with the TRUSTED attribute exists that is not in the approved list of trusted started tasks as found in the TRUSTED STARTED TASKS Table in the zOS STIG Addendum then the TRUSTED attribute should be removed. The TRUSTED attribute can be removed from a STARTED class profile using the command: RALT STARTED <profilename> STDATA(TRUSTED(NO)) If the STARTED class is RACLISTed then a refresh command is necessary: SETR RACL(STARTED) REFRESH If any Started Tasks exist with the PRIVILEGED attribute then take the following action to remove this attribute: RALT STARTED <profilename> STDATA(PRIVILEGED(NO)) If the STARTED class is RACLISTed then a refresh command is necessary: SETR RACL(STARTED) REFRESH

Additional Identifiers

Rule ID: SV-291r2_rule

Vulnerability ID: V-291

Group Title: RACF0660

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000213

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-3

Access Enforcement