SV-223662r604139_rule
V-223662
SRG-OS-000080-GPOS-00048
RACF-ES-000140
CAT II
10
Review all USERIDs with the BLP attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.
BLP is controlled through the FACILITY class profile ICHBLP. Access is removed with the following command:
PE ICHBLP CL(FACILITY) id(<userid>) DELETE
A subsequent REFRESH of the FACILITY class may be required, using the command: SETR RACL(FACILITY) REFRESH
From the ISPF Command Shell enter:
RLIST FACILITY ICHBLP AUTHUSER
If access authorization to the ICHBLP resource is restricted at the userid level to data center personnel (e.g., tape librarian, operations staff, etc.), this is not a finding.
If no tape management system (e.g., CA-1) is installed, perform the following:
From the ISPF Command Shell enter:
SETROPTS LIST
If the TAPEVOL class is active, this is not a finding.
V-223662
False
RACF-ES-000140
M
4101