The PROTECTALL SETROPTS value specified is improperly set.

From z/OS RACF STIG

Part of RACF0480

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000366 CCI-002358

SV-276r2_rule The PROTECTALL SETROPTS value specified is improperly set.

Vulnerability discussion

When PROTECTALL processing is active and set to FAIL, the system automatically rejects any request to create or access a data set that is not RACF protected.Temporary data sets that comply with standard MVS temporary data set naming conventions are excluded from PROTECTALL processing. PROTECTALL requires that data sets be RACF protected. In order for PROTECTALL to work effectively, you must specify GENERIC to activate generic profile checking. Otherwise, RACF would allow users to create or access only data sets protected by discrete profiles.The system-wide options control the default settings for determining how the ACP will function when handling requests for access to the operating system environment, ACP, and customer data. The ACP provides the ability to set a number of these fields at the subsystem level. If no setting is found, the system-wide defaults will be used. The improper setting of any of these fields, individually or in combination with another, can compromise the security of the processing environment. In addition, failure to establish standardized settings for the ACP control options introduces the possibility of exposure during migration process or contingency plan activation.

Check content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Automated Analysis Refer to the following report produced by the RACF Data Collection: - PDI(RACF0480) b) If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, there is NO FINDING. c) If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a FINDING. Additional analysis may be required to determine whether this FINDING should be downgraded to a Category II or remain a Category I. Example of a Category I FINDING where no further analysis is required: Control Options: SETROPTS NOPROTECTALL Example of a possible Category I FINDING requiring additional analysis: Control Options: SETROPTS PROTECTALL(WARNING) PROTECTALL(WARNING) allows access to a data set only if it is not protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not allow unauthorized access. This situation allows for a downgrade to a Category II.

Fix text

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below: The RACF Command SETR LIST will show the status of RACF Controls including the value for the PROTECTALL Option. (1) PROTECTALL is ACTIVATED and set to FAIL by issuing the command SETR PROTECTALL(FAIL).

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer