The use of the RACF AUDITOR privilege is not justified.

From z/OS RACF STIG

Part of RACF0730

Associated with IA controls: DCCS-1, DCCS-2

SV-295r1_rule The use of the RACF AUDITOR privilege is not justified.

Vulnerability discussion

A user having the AUDITOR attribute has the authority to specify logging options, gives control of logging SMF data and list auditing information. With the AUDITOR attribute, a user could alter SMF logging data so no trace of the activity could be found. This could destroy audit trace information for the RACF system. This attribute should be limited to a minimum number of people. This also applies to the use of Group-Auditor in cases where users are connected to sensitive system dataset HLQ or general resource owning groups with Group-Auditor.

Check content

a) Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACUSR) - DSMON.RPT(RACGRP) - RACFCMDS.RPT(LISTUSER) Automated Analysis requiring Additional Analysis. Refer to the following report produced by the RACF Data Collection: - PDI(RACF0730) b) Ensure the following items are in effect regarding the AUDITOR attribute: 1) Authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel. 2) At minimum, ensure that any users connected to sensitive system dataset HLQ groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel. Otherwise, Group-AUDITOR is allowed. c) If both items in (b) are true, there is NO FINDING. d) If either item in (b) is untrue, this is a FINDING.

Fix text

Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the IAO, and that unjustified access is removed. The AUDITOR attribute is removed from a user with the command: ALU NOAUDITOR. To remove the Group-Auditor attribute: CO GROUP() NOAUDITOR

Pro Tips

Powered by sagemincer