Emergency USERIDs must be properly defined.

From z/OS RACF STIG

Part of RACF0690

Associated with IA controls: DCCS-1, DCCS-2

SV-292r1_rule Emergency USERIDs must be properly defined.

Vulnerability discussion

Emergency USERIDs are necessary in the event of a system outage for recovery purposes. It is critical that those USERIDs be defined with the appropriate access to ensure timely restoration of services.

Check content

Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(TSOUADS) Refer to the following reports produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) - SENSITVE.RPT(DASDVOL) - SENSITVE.RPT(GDASDVOL) Refer to the list from the IAO of all emergency userids available to the site along with the associated function of each userid. At a minimum an emergency logonid will exists with the security administration attributes specified in accordance with the following requirements. If the followng guidance is not followed this is a finding. - At least one userid exists to perform RACF security administration. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. - If any userids exist to perform operating system functions, they are defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, and FULL access to all DASD volumes. They must not have the SPECIAL attribute. NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list. - All emergency userids are defined to RACF and SYS1.UADS. - All emergency logonid / logonid(s) are to be implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute. - All emergency logonid / logonid(s) will have distinct, different passwords in SYS1.UADS and in RACF, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF. - All emergency logonid / logonid(s) will have documented procedures to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the IAO. When an emergency logonid is released for use, its password is to be reset by the IAO within 12 hours.

Fix text

The IAO will review the emergency USERIDs to ensure access granted only authorizes those resources required to support the specific functions of either DASD Recovery or System Administration. Ensure the following items are in effect regarding emergency userids: At a minimum an emergency userids will exists with the security administration attributes specified in accordance with the following requirements: - Userids exist to perform RACF security administration only. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. Emergency userids will have either SPECIAL or OPERATIONS but not both. - Userids can be defined to perform operating system functions. Such userids must be defined without any RACF security administration privileges. These userids are defined to RACF with the system-OPERATIONS attribute, FULL access to all DASD volumes resources as well as the FACILITY Class STGADMN profiles. They must not have the SPECIAL attribute. NOTE: A user who has the system-OPERATIONS attribute has FULL access authorization to all RACF-protected resources in the DASDVOL/GDASDVOL resource classes. However, if their userid or any associated group (i.e., default or connect) is in the access list of a resource profile, they will only have the access specified in the access list since access lists override OPERATIONS. - Userids exist to perform RACF security administration only. These userids are defined to RACF with the system-SPECIAL attribute. They must not have the OPERATIONS attribute. Emergency userids will have either SPECIAL or OPERATIONS but not both. - All emergency userids are defined to RACF and SYS1.UADS. See TSO Command Ref for info on adding users to UADS. - All emergency userids are to be implemented with logging to provide an audit trail of their activities. This is accomplished with the UAUDIT attribute via the command: ALU UAUDIT - All emergency userids will have distinct, different passwords in SYS1.UADS and in RACF, and the site is to establish procedures to ensure that the passwords differ. The password for any ID in SYS1.UADS is never to match the password for the same ID in RACF. - All emergency userids will have documented procedures - such as a COOP Plan - to provide a mechanism for the use of the IDs. Their release for use is to be logged, and the log is to be maintained by the IAO. When an emergency userids is released for use, its password is to be reset by the IAO within 12 hours.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer