The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.

From z/OS TSS STIG

Part of ZUSS0043

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000764

SV-7290r2_rule The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.

Vulnerability discussion

User identifiers (ACF2 logonids, RACF userids, and Top Secret ACIDs), groups, and started tasks that use z/OS UNIX facilities are defined to an ACP with attributes including UID and GID. If these attributes are not correctly defined, data access or command privilege controls could be compromised.

Check content

a) Refer to the following reports produced by the ACP Data Collection: ACF2 - ACF2CMDS.RPT(OMVSUSER) - ACF2CMDS.RPT(LOGONIDS) RACF - RACFCMDS.RPT(LISTUSER) TSS - TSSCMDS.RPT(@ACIDS) b) If OMVS is defined as follows, there is NO FINDING: 1) No access to interactive on-line facilities (e.g., TSO, CICS, etc.) 2) Default group specified as OMVSGRP or STCOMVS 3) UID(0) 4) HOME directory specified as “/” 5) Shell program specified as “/bin/sh” c) If OMVS is not defined as specified in (b) above, this is a FINDING

Fix text

The systems programmer will verify that OMVS is defined as specified below: 1) No access to interactive on-line facilities (e.g., TSO, CICS, etc.) 2) Default group specified as OMVSGRP or STCOMVS 3) UID(0) 4) HOME directory specified as “/” 5) Shell program specified as “/bin/sh”

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer