STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:SV-223714r604139_rule
V-223714
SRG-OS-000480-GPOS-00227
RACF-ES-000670
CAT II
10
Review all USERIDs with the OPERATIONS attribute. Ensure documentation providing justification for access is maintained and filed with the ISSO, and that unjustified access is removed.
A sample command to remove the OPERATIONS attribute from a userid is shown here:
ALU <userid> NOOPERATIONS
To remove the Group-Operations attribute:
CO <user> GROUP(<groupname>) NOOPERATIONS
From the ISPF Command Shell enter:
ListUser *
If authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.
If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.
Otherwise, Group-OPERATIONS is allowed.
V-223714
False
RACF-ES-000670
From the ISPF Command Shell enter:
ListUser *
If authorization to the SYSTEM OPERATIONS attribute is restricted to key systems personnel such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is not a finding.
If any users connected to sensitive system dataset HLQ (e.g., SYS1, SYS2, ETC) groups with the Group-OPERATIONS are key systems personnel, such as individuals responsible for continuing operations, Storage Management, and emergency recovery, this is a finding.
Otherwise, Group-OPERATIONS is allowed.
M
4101