STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM RACF use of the AUDITOR privilege must be justified.

DISA Rule

SV-223709r604139_rule

Vulnerability Number

V-223709

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RACF-ES-000620

Severity

CAT II

CCI(s)

• CCI-000366 - The organization implements the security configuration settings.

Weight

10

Fix Recommendation

Review all USERIDs with the AU (Manual) - Review all USERIDs with the AUDITOR attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.

The AUDITOR attribute is removed from a user with the command: ALU <userid> NOAUDITOR.

To remove the Group-Auditor attribute:

CO <user> GROUP(<groupname>) NOAUDITOR

Check Contents

From the ISPF Command Shell enter:
ListUser *

If authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel, this is not a finding.

If at minimum, any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, etc.) groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel, this is not a finding.

Otherwise, Group-AUDITOR is allowed.

Vulnerability Number

V-223709

Documentable

False

Rule Version

RACF-ES-000620

Severity Override Guidance

From the ISPF Command Shell enter:
ListUser *

If authorization to the SYSTEM AUDITOR attribute is restricted to auditing and/or security personnel, this is not a finding.

If at minimum, any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, etc.) groups or general resource owning groups with the Group-AUDITOR attribute are Auditor and/or Security personnel, this is not a finding.

Otherwise, Group-AUDITOR is allowed.

Check Content Reference

M

Target Key

4101

Comments