STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM z/OS attributes of UNIX user accounts used for account modeling must be defined in accordance with security requirements.

DISA Rule

SV-223863r604139_rule

Vulnerability Number

V-223863

Group Title

SRG-OS-000104-GPOS-00051

Rule Version

RACF-US-000260

Severity

CAT II

CCI(s)

• CCI-000764 - The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).

Weight

10

Fix Recommendation

Use of the OMVS default UID will not be allowed on any Classified system. This is not an issue when using BPX.UNIQUE.USER.

Define user id used for OMVS account modeling with a non-0 UID, a non-writable home directory, such as "\" root, and a non-executable, but existing, binary file, "/bin/false" or “/bin/echo.”

Check Contents

If this is a Classified system, and there is an account used for modeling, this is a finding.

From a command input screen enter:
RLIST FACILITY (BPX.UNIQUE.USER) ALL
Examine APPLICATION DATA for userid

Enter:
List User (<userid>)

Note: This check applies to any user id used to model OMVS access on the mainframe. This includes the OMVS default user and BPX.UNIQUE.USER. If the OMVS default user or BPX.UNIQUE.USER is not defined in the FACILITY report, this is Not Applicable.

If user account used for OMVS account modeling is defined as follows, this is not a finding:

A non-writable HOME directory:
Shell program specified as “/bin/echo” or “/bin/false”

Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

Vulnerability Number

V-223863

Documentable

False

Rule Version

RACF-US-000260

Severity Override Guidance

If this is a Classified system, and there is an account used for modeling, this is a finding.

From a command input screen enter:
RLIST FACILITY (BPX.UNIQUE.USER) ALL
Examine APPLICATION DATA for userid

Enter:
List User (<userid>)

Note: This check applies to any user id used to model OMVS access on the mainframe. This includes the OMVS default user and BPX.UNIQUE.USER. If the OMVS default user or BPX.UNIQUE.USER is not defined in the FACILITY report, this is Not Applicable.

If user account used for OMVS account modeling is defined as follows, this is not a finding:

A non-writable HOME directory:
Shell program specified as “/bin/echo” or “/bin/false”

Note: The shell program must have one of the specified values. The HOME directory must have a value (i.e., not be allowed to default).

Check Content Reference

M

Target Key

4101

Comments