STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

The IBM RACF PROTECTALL SETROPTS value specified must be properly set.

DISA Rule

SV-223704r604139_rule

Vulnerability Number

V-223704

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RACF-ES-000570

Severity

CAT I

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Evaluate the impact associated with implementation of the control option. Develop a plan of action to implement the control option as specified in the example below:

The RACF Command SETR LIST will show the status of RACF Controls including the value for the PROTECTALL Option.

PROTECTALL is ACTIVATED and set to FAIL by issuing the command SETR PROTECTALL(FAIL).

Check Contents

From the ISPF Command Shell enter:
SETROPTS LIST

If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, this is not a finding.

If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a finding.

Additional analysis may be required to determine whether this finding should be downgraded to a Category II or remain a Category I.

Example of a Category I finding where not a further analysis is required:

Control Options: SETROPTS NOPROTECTALL

Example of a possible Category I finding requiring additional analysis:

Control Options: SETROPTS PROTECTALL(WARNING)

PROTECTALL(WARNING) allows access to a data set only if it is not at protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not at allow unauthorized access. This situation allows for a downgrade to a Category II.

Vulnerability Number

V-223704

Documentable

False

Rule Version

RACF-ES-000570

Severity Override Guidance

From the ISPF Command Shell enter:
SETROPTS LIST

If the SETROPTS values for PROTECTALL is ACTIVE and set to FAIL, this is not a finding.

If the SETROPTS PROTECTALL parameter is set to NOPROTECTALL or PROTECTALL(WARNING), this is a finding.

Additional analysis may be required to determine whether this finding should be downgraded to a Category II or remain a Category I.

Example of a Category I finding where not a further analysis is required:

Control Options: SETROPTS NOPROTECTALL

Example of a possible Category I finding requiring additional analysis:

Control Options: SETROPTS PROTECTALL(WARNING)

PROTECTALL(WARNING) allows access to a data set only if it is not at protected by a profile in the DATASET resource class. Therefore if all sensitive data sets are properly protected by profiles in the DATASET resource class, PROTECTALL(WARNING) will not at allow unauthorized access. This situation allows for a downgrade to a Category II.

Check Content Reference

M

Target Key

4101

Comments