The z/OS Default profiles must not be defined in the corresponding FACILITY Class Profile for classified systems.

From z/OS RACF STIG

Part of ZUSSR050

Associated with: CCI-000366

SV-7300r4_rule The z/OS Default profiles must not be defined in the corresponding FACILITY Class Profile for classified systems.

Vulnerability discussion

The RACF FACILITY class BPX.UNIQUE.USER profile contains the userid, or the userid/group ID, of the default profiles to be used for a user without a z/OS UNIX profile (i.e., OMVS segment). On classified systems, user access will not be determined by default.

Check content

If the system is not classified, this is not applicable.

From a command input screen enter:

    RLIST FACILITY (BPX.UNIQUE.USER) ALL

Examine APPLICATION DATA for a userid.

Alternately: Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(FACILITY)
- System Classification

Automated Analysis: Refer to the following report produced by the RACF Data Collection:

- PDI(ZUSSR050)

If the system is classified and a userid is not defined in the Application Data field in the BPX.UNIQUE.USER resource in the FACILITY report, there is no finding.
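The manual check above can be run against saved RLIST output, such as the text collected in RACFCMDS.RPT(FACILITY). The following is an added example, not part of the STIG or the RACF Data Collection; the function names, result strings, and the abridged sample listing are constructed for illustration and assume the standard RLIST layout, in which the APPLICATION DATA heading is followed by a dashed underline and then the value, or NONE.

```python
import re

PROFILE = "BPX.UNIQUE.USER"

# Constructed, abridged sample in the layout RLIST prints for a FACILITY profile.
TEMPLATE = """\
CLASS      NAME
-----      ----
FACILITY   BPX.UNIQUE.USER

INSTALLATION DATA
-----------------
ADDED TO SUPPORT THE DEFAULT USER

APPLICATION DATA
----------------
{appldata}
"""

def application_data(report, profile=PROFILE):
    """Return the APPLICATION DATA value listed for `profile`, or None."""
    lines = [ln.strip() for ln in report.splitlines()]
    in_profile = False
    for i, ln in enumerate(lines):
        m = re.match(r"FACILITY\s+(\S+)", ln)
        if m:
            in_profile = (m.group(1) == profile)  # a new profile listing starts here
        elif in_profile and ln == "APPLICATION DATA":
            # The value is the first non-dash line directly under the heading.
            for val in lines[i + 1:i + 3]:
                if val and set(val) != {"-"}:
                    return None if val == "NONE" else val
            return None
    return None  # profile not listed, or no APPLICATION DATA field present

def assess(report, classified):
    """Apply the check: on a classified system, a userid in APPLICATION DATA is a finding."""
    if not classified:
        return "not_applicable", None
    appl = application_data(report)
    if appl is None:
        return "not_a_finding", None
    userid, _, group = appl.partition("/")  # value is either userid or userid/group
    return "finding", {"userid": userid, "group": group or None}

if __name__ == "__main__":
    print(assess(TEMPLATE.format(appldata="OEDFLTU/OEDFLTG"), classified=True))
```
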

Fix text

If the system is classified, a userid should not be defined in the application data field of the FACILITY report. The sample commands below show the security parameters required for the default user:

    AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS -
    OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) -
    DATA('DEFAULT OMVSUSERID ADDED WITH SOER5')

    RDEF FACILITY BPX.UNIQUE.USER APPLDATA() -
    DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN)

    SETR RACLIST(FACILITY) REFRESH
