RACF Classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command.

From z/OS RACF STIG

Part of ZUSSR070

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000366

SV-7302r2_rule RACF Classes required to support z/OS UNIX security are not properly implemented with the SETROPTS RACLIST command.

Vulnerability discussion

RACF provides the ability to load certain class profiles into memory for better performance through the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented. By not following vendor recommendations, unpredictable results could occur that compromise the integrity of the z/OS system.

Check content

a) Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(ZUSSR070)

b) If the SETR RACLIST CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, there is NO FINDING.

c) If (b) above is untrue, this is a FINDING.

Fix text

RACF provides the ability to load certain class profiles into memory for better performance through the use of the SETR RACLIST command. For some classes, RACLISTing is strongly recommended and should be implemented.

UNIXPRIV class profiles are used to manage certain system privileges that are typically associated with z/OS UNIX superuser authority. By defining UNIXPRIV class profiles, certain individual superuser privileges can be granted to users who do not have superuser authority. This reduces the security risks associated with assigning full superuser authority to users.

SURROGAT class profiles are only needed if there are servers (e.g., a web server) running in the z/OS UNIX environment that must be able to act with the security context of a client and that client does not supply a password or other authenticator for the ACP.

FACILITY class profiles are used by a variety of IBM components including UNIX System Services (OMVS). BPX-prefixed profiles in this class are critical to the proper security of the z/OS UNIX environment.

Ensure that the required classes are RACLISTed. Develop a plan of action and RACLIST with the RACF command:

SETR RACL(FACILITY SURROGAT UNIXPRIV)
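The check in (b) and the remediation command above can be automated against a saved SETROPTS LIST report. The following is an added example written for this page, not part of the STIG or of any IBM or DISA tooling. It assumes the report presents the list on a line of the form "SETR RACLIST CLASSES = ..." with long lists continued on indented lines (which is how SETROPTS LIST output is normally laid out, but treat that layout as an assumption and adjust the pattern to your own RACFCMDS.RPT(SETROPTS) member), and it reports only the classes that are missing so the generated SETR RACL(...) command adds exactly what ZUSSR070 requires. The sample report is constructed and does not come from a real system.

```python
"""Check a SETROPTS LIST report for the RACLISTed classes ZUSSR070 requires.

Added example, not part of the STIG text. Assumption: the report carries a
line 'SETR RACLIST CLASSES = CLASS1 CLASS2 ...', continued on indented lines
when the list is long, and shows NONE when no class is RACLISTed.
"""
import re

# The three classes ZUSSR070 requires in the SETR RACLIST CLASSES list,
# in the order the fix text gives them.
REQUIRED_CLASSES = ("FACILITY", "SURROGAT", "UNIXPRIV")

# Constructed sample of SETROPTS LIST output (not real system data).
# Only FACILITY is RACLISTed here; SURROGAT and UNIXPRIV are active but
# not RACLISTed, which is exactly the condition the check flags.
SAMPLE_REPORT = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM)
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP FACILITY SURROGAT UNIXPRIV OPERCMDS
GENERIC PROFILE CLASSES = DATASET FACILITY SURROGAT UNIXPRIV
SETR RACLIST CLASSES = FACILITY OPERCMDS
                       TSOAUTH
GLOBAL CHECKING CLASSES = DATASET
"""

_RACLIST_LINE = re.compile(r"^\s*SETR RACLIST CLASSES\s*=\s*(.*)$")


def raclisted_classes(report: str) -> set:
    """Return the set of class names in the SETR RACLIST CLASSES list.

    Continuation lines are recognised by their leading whitespace and are
    consumed until the next heading (a line starting in column 1).
    """
    lines = report.splitlines()
    names = []
    for index, line in enumerate(lines):
        match = _RACLIST_LINE.match(line)
        if not match:
            continue
        names.extend(match.group(1).split())
        for continuation in lines[index + 1:]:
            if not continuation.startswith((" ", "\t")):
                break
            names.extend(continuation.split())
        break
    # RACF prints NONE when the list is empty; it is not a class name.
    return {name for name in names if name != "NONE"}


def raclist_fix_command(missing):
    """Build the SETR RACL(...) command that adds the missing classes.

    SETROPTS RACLIST is additive, so naming only the missing classes is
    sufficient and leaves already-RACLISTed classes untouched.
    """
    if not missing:
        return None
    return "SETR RACL(" + " ".join(missing) + ")"


def check_zussr070(report: str) -> dict:
    """Apply check step (b): all three classes must be RACLISTed."""
    present = raclisted_classes(report)
    missing = [cls for cls in REQUIRED_CLASSES if cls not in present]
    return {
        "finding": bool(missing),
        "raclisted": sorted(present),
        "missing": missing,
        "fix": raclist_fix_command(missing),
    }


if __name__ == "__main__":
    result = check_zussr070(SAMPLE_REPORT)
    status = "FINDING" if result["finding"] else "NO FINDING"
    print(f"ZUSSR070: {status}; missing={result['missing']}")
    if result["fix"]:
        print("Remediation:", result["fix"])
```

Run it against the constructed sample and it reports a FINDING with SURROGAT and UNIXPRIV missing and proposes "SETR RACL(SURROGAT UNIXPRIV)"; a report whose RACLIST line already names all three classes yields NO FINDING and no command. Because the function takes the report text as a string, it can be fed the actual RACFCMDS.RPT(SETROPTS) member collected for the review.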
