STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

The IBM z/OS UNIX SUPERUSER resources must be protected in accordance with guidelines.

DISA Rule

SV-223838r604139_rule

Vulnerability Number

V-223838

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-US-000010

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Configure all SUPERUSER resources for the UNIXPRIV resource class to be restricted to appropriate system tasks and/or system programming personnel.

- The RACF rules for the SUPERUSER resource specify a default access of NONE.
- There are no RACF rules that allow access to the SUPERUSER resource.
- There is no RACF rule for CHOWN.UNRESTRICTED defined.
- The RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE.
- The RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel.

Sample Commands:
RDEF UNIXPRIV SUPERUSER.** UACC(NONE) OWNER(ADMIN) DATA('REFERENCE ZUSS0023') AUDIT(ALL(READ))
/* do not permit any users/groups to this resource */

SR CLASS(UNIXPRIV) MASK(CHOWN.UNRESTRICTED)
/* delete if found */

PE SUPERUSER.FILESYS.** CL(UNIXPRIV) ID(<SYSPsmpl>)

Check Contents

From the ISPF Command Shell enter:
RL UNIXPRIV * AUTHUSER

If the RACF rules for the SUPERUSER resource specify a default access of NONE, this is not a finding.

If there are no RACF rules that allow access to the SUPERUSER resource, this is not a finding.

If there is no RACF rule for CHOWN.UNRESTRICTED defined, this is not a finding.

If the RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, specify a default access of NONE, this is not a finding.

If the RACF rules for each of the SUPERUSER resources listed in the z/OS UNIX System Services Planning, Establishing UNIX security, restrict access to appropriate system tasks or systems programming personnel, this is not a finding.
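As an added example (not part of the STIG or of STIGQter), the Python below applies the conditions of this check to the output of RL UNIXPRIV * AUTHUSER: SUPERUSER.** and every SUPERUSER.* profile must have UACC(NONE), SUPERUSER.** must carry no permits, CHOWN.UNRESTRICTED must not exist, and remaining permits must belong to approved IDs. The RLIST text is a constructed, simplified sample (column headers dropped) and APPROVED_IDS is an assumption standing in for the site's systems-programming user and group IDs.

```python
import re

# Constructed, simplified RLIST output (column headers omitted); real output has more sections.
SAMPLE_RLIST = """\
UNIXPRIV   SUPERUSER.** (G)
 00    ADMIN            NONE             NONE    NO
UNIXPRIV   SUPERUSER.FILESYS.** (G)
 00    ADMIN            READ             NONE    NO
SYSPROG   READ     000000
TSOUSER   READ     000000
UNIXPRIV   CHOWN.UNRESTRICTED
 00    ADMIN            NONE             NONE    NO
"""

APPROVED_IDS = {"SYSPROG"}  # assumption: the site's systems-programming user/group IDs

PROFILE = re.compile(r"UNIXPRIV\s+(\S+)")  # "UNIXPRIV <profile> (G)"
LEVEL = re.compile(r"\s*\d\d\s+\S+\s+(\S+)\s+\S+\s+\S+")  # LEVEL OWNER UACC YOUR-ACCESS WARNING
PERMIT = re.compile(r"(\S+)\s+(NONE|READ|UPDATE|CONTROL|ALTER)\s+\d+")  # standard access list entry

def parse_rlist(text):
    """Map profile name -> {'uacc': str, 'permits': {id: access}} from RLIST-style text."""
    profiles, cur = {}, None
    for line in text.splitlines():
        if m := PROFILE.match(line):
            cur = profiles.setdefault(m.group(1), {"uacc": None, "permits": {}})
        elif cur is None:
            continue
        elif (m := LEVEL.match(line)) and cur["uacc"] is None:
            cur["uacc"] = m.group(1)
        elif m := PERMIT.match(line):
            cur["permits"][m.group(1)] = m.group(2)
    return profiles

def findings(profiles, approved=APPROVED_IDS):
    """Return one message per failed condition of the check (empty list means not a finding)."""
    out = []
    if "CHOWN.UNRESTRICTED" in profiles:
        out.append("CHOWN.UNRESTRICTED is defined; delete it")
    for name, p in profiles.items():
        if not name.startswith("SUPERUSER"):
            continue
        if p["uacc"] != "NONE":
            out.append(f"{name}: UACC is {p['uacc']}, must be NONE")
        if name == "SUPERUSER.**" and p["permits"]:
            out.append(f"{name}: access list must be empty")
        for uid, acc in p["permits"].items():
            if acc != "NONE" and uid not in approved:
                out.append(f"{name}: {uid} has {acc} but is not an approved ID")
    return out
```

On the sample, findings(parse_rlist(SAMPLE_RLIST)) reports the CHOWN.UNRESTRICTED profile, the READ default on SUPERUSER.FILESYS.**, and the TSOUSER permit; an empty list is the "not a finding" result.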

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments