STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM RACF Global Access Checking must be restricted to appropriate classes and resources.

DISA Rule

SV-223665r604139_rule

Vulnerability Number

V-223665

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-ES-000170

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Configure Global Access Checking to be appropriately administered.

Evaluate the impact associated with implementation of the control option. Develop approval; documentation and a plan of action to implement the control option as specified in the example below:
RALT GLOBAL class-name
ADDMEM (resourcename)/accesslevel)

Check Contents

From a command input screen enter:
RL Global *

If Global * is specified in SETROPTS, this is a finding.

The following entries may be allowed with the approval of the ISSM:
Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets)
OPERCMDS Class – READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs)
JESJOBS Class – ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs)
JESJOBS Class – ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs)

The ISSM may allow other classes to be included after evaluation with the system programmer.

If any other members are included for Global Access Checking, this is a finding.

If written approval by the ISSM is not provided, this is a finding.

Vulnerability Number

V-223665

Documentable

False

Rule Version

RACF-ES-000170

Severity Override Guidance

From a command input screen enter:
RL Global *

If Global * is specified in SETROPTS, this is a finding.

The following entries may be allowed with the approval of the ISSM:
Dataset Class - ALTER access level to &RACUID.** (Allows users all access to their own datasets)
OPERCMDS Class – READ access to MVS.MCSOPER.&RACUID (Allows users access to console for their jobs)
JESJOBS Class – ALTER access to CANCEL.*.*.&RACUID (Allows users to cancel their own jobs)
JESJOBS Class – ALTER access to SUBMIT.*.*.&RACUID (Allows users to submit their own jobs)

The ISSM may allow other classes to be included after evaluation with the system programmer.

If any other members are included for Global Access Checking, this is a finding.

If written approval by the ISSM is not provided, this is a finding.

Check Content Reference

M

Target Key

4101

Comments