External RACF Classes are not active for CICS transaction checking.

From z/OS RACF STIG

Part of ZCICR021

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

Associated with: CCI-000213

SV-301r2_rule External RACF Classes are not active for CICS transaction checking.

Vulnerability discussion

Implement CICS transaction security by utilizing two distinct and unique RACF resourceclasses (i.e., member and grouping) within each CICS region. If several CICS regions aregrouped in an MRO environment, it is permissible for those grouped regions to share acommon pair of resource classes. Member classes contain a RACF discrete profile foreach transaction. Grouping classes contain groups of transactions requiring equalprotection under RACF. Ideally, member classes contain no profiles, and all transactionsare defined by groups in a grouping class.If CICS Classes are not active, this could result in the compromise of the confidentiality, integrity, and availability of the CICS region, applications, and customer data.

Check content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(SETROPTS) Refer to the CICS Systems Programmer Worksheets filled out from previous vulnerability ZCIC0010. b) Ensure each CICS transaction resource class pair are active. c) If (b) is true, there is NO FINDING. d) If (b) is untrue, this is a FINDING.

Fix text

Review each CICS SIT to ensure each region has a unique resource class or resource prefix specified. 1. The resources classes are activated in RACF using the following command: SETR CLASSACT()

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer