SV-223713r604139_rule
V-223713
SRG-OS-000480-GPOS-00227
RACF-ES-000660
CAT II
10
Review all USERIDs with the SPECIAL attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.
For the SYSTEM SPECIAL attribute:
A sample command for removing the SPECIAL attribute is shown here: ALU <userid> NOSPECIAL.
For the GROUP SPECIAL attribute:
CO <user> GROUP(<groupname>) NOSPECIAL
From the ISPF Command Shell enter:
ListUser *
If authorization to the SYSTEM SPECIAL attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.
If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, etc.) groups with the Group-SPECIAL attribute are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.
Otherwise, Group-SPECIAL is allowed.
False
M
4101