Maintenance USERIDs are improperly controlled.

From z/OS RACF STIG

Part of RACF0680

Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1

SV-290r1_rule Maintenance USERIDs are improperly controlled.

Vulnerability discussion

DASD management USERIDs require access to backup and restore all files, and present a high degree of risk to the environment. These users should be given access to perform necessary functions thru use of the DASDVOL class (for non-SMS volumes) and/or thru STGADMIN profiles in the FACILITY class for SMS managed volumes. Access to individual profiles in the DATASET class should be disallowed. These userids should also set up IAW RACF0595 for batch userids which includes use of the PROTECTED Attribute.

Check content

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(DASDVOL) - SENSITVE.RPT(GDASDVOL) - RACFCMDS.RPT(LISTUSER) - RACFCMDS.RPT(LISTGRP) Refer to all documents and procedures that apply to Storage Management. Including identification of the DASD backup files and all associated storage management userids. b) If batch userids assigned to storage maintenance tasks (e.g., volume backup, data set archive and restore, etc.) are given access to data sets using DASDVOL and/or GDASDVOL profiles, there is NO FINDING. NOTE: DASDVOL profiles will not work with SMS-managed volume. FACILITY class profiles must be used instead. If DFSMS/MVS is used to perform DASD maintenance operations, FACILITY class profiles may also be used to authorize storage maintenance operations to non-SMS-managed volumes in lieu of using DASDVOL profiles. Therefore, not all volumes may be defined to the DASDVOL/GDASDVOL resource classes, and not all storage management userids may be represented in the profile access lists. c) If any storage management userid is given the OPERATIONS attribute to perform DASD maintenance operations, this is a FINDING. d) If the storage management userid is not defined with the PROTECTED attribute, this is a FINDING.

Fix text

Evaluate the impact of accomplishing the change. Develop a plan of action and implement the change as required. a. Ensure that maintenance USERIDs do not possess the OPERATIONS attribute. A sample command to accomplish this is shown here: ALU NOOPERATIONS b. Ensure that maintenance USERIDs possess the PROTECTED attribute. A sample command to accomplish this is shown here: ALU NOPASS NOOIDCARD c. Ensure that maintenance USERIDs are permitted to the appropriate STGADMIN profiles in the FACILITY class for SMS-managed volumes. d. Ensure that maintenance USERIDs are permitted to appropriate DASDVOL profiles for non-SMS-managed volumes.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer