The z/OS Default Userid is not properly defined with the corresponding FACILITY Class Profile.

From z/OS RACF STIG

Part of ZUSSR050

Associated with IA controls: DCCS-1, DCCS-2

SV-7300r1_rule The z/OS Default Userid is not properly defined with the corresponding FACILITY Class Profile.

Vulnerability discussion

The OMVS Default user is optional for z/OS systems. If used, it must be properly defined with a corresponding FACILITY Class profile to ensure proper security measures can be taken.

Check content

a) Refer to the following report produced by the RACF Data Collection:
   - RACFCMDS.RPT(FACILITY)
   - System Classification

b) If the system is classified or does not use the FTP socket application, and the Default User and Default Group are not defined in the Application Data field of the BPX.DEFAULT.USER resource in the FACILITY report, there is NO FINDING.

c) If the system is a non-classified system running the FTP socket application, and the Default User and Default Group are defined in the Application Data field of the BPX.DEFAULT.USER resource in the FACILITY report, there is NO FINDING.

d) If both (b) and (c) above are untrue, this is a FINDING.
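As an added example that is not part of the STIG or of any RACF tooling, the following Python reads the Application Data field out of a constructed RLIST-style listing of the BPX.DEFAULT.USER profile and applies steps (b) through (d) above; the listing layout and the NONE SPECIFIED marker for an empty field are assumptions, and the classification and FTP-usage inputs come from the reviewer.

```python
from typing import Optional, Tuple

# Constructed sample: approximate shape of an RLIST FACILITY BPX.DEFAULT.USER
# listing (assumed layout, not captured from a real system).
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
FACILITY   BPX.DEFAULT.USER

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN           NONE               NONE    NO

INSTALLATION DATA
-----------------
ADDED TO SUPPORT THE DEFAULT USER

APPLICATION DATA
----------------
OEDFLTU/OEDFLTG
"""


def parse_appldata(listing: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (default_user, default_group) from the APPLICATION DATA section,
    or None when no default user/group is defined (NONE SPECIFIED is the
    assumed marker for an empty field)."""
    lines = listing.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == "APPLICATION DATA":
            for value in lines[i + 1:]:
                value = value.strip()
                # skip blank lines and the dashed underline below the header
                if not value or set(value) == {"-"}:
                    continue
                if value.upper() == "NONE SPECIFIED":
                    return None
                user, _, group = value.partition("/")
                return (user, group or None)
            return None
    return None


def evaluate(listing: str, classified: bool, ftp_socket_in_use: bool) -> str:
    """Apply check steps (b)-(d); returns 'NO FINDING' or 'FINDING'."""
    defined = parse_appldata(listing) is not None
    if (classified or not ftp_socket_in_use) and not defined:
        return "NO FINDING"  # step (b)
    if not classified and ftp_socket_in_use and defined:
        return "NO FINDING"  # step (c)
    return "FINDING"  # step (d)


if __name__ == "__main__":
    print(parse_appldata(SAMPLE_RLIST))
    print(evaluate(SAMPLE_RLIST, classified=False, ftp_socket_in_use=True))
```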

Fix text

1. If the system is classified or does not use the FTP socket application, the Default User and Default Group should not be defined.

2. If the system is a non-classified system running the FTP socket application and wishes to use the Default User and Default Group, a corresponding FACILITY-Class profile must be defined. The FACILITY Class BPX.DEFAULT.USER profile contains the userid, or the userid/group ID, of the default profiles to be used for a user without a z/OS UNIX profile (i.e., OMVS Segment). The sample commands below show the security parameters required for the default user:

   AG OEDFLTG SUPGROUP(ADMIN) OWNER(ADMIN) OMVS(GID(777777))
   AU OEDFLTU DFLTGRP(OEDFLTG) NAME('OE DEFAULT USER') NOPASS -
      OMVS(UID(99999) HOME('/u/oeflt') PROGRAM('/bin/echo')) -
      DATA('DEFAULT OMVSUSERID ADDED WITH SOER5')
   RDEF FACILITY BPX.DEFAULT.USER APPLDATA('OEDFLTU/OEDFLTG') -
      DATA('ADDED TO SUPPORT THE DEFAULT USER') UACC(NONE) OWNER(ADMIN)
   SETR RACLIST(FACILITY) REFRESH
