STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: The RACF Classes required to properly secure the z/OS UNIX environment are not ACTIVE.

DISA Rule

SV-7301r2_rule

Vulnerability Number

V-6998

Group Title

ZUSSR060

Rule Version

ZUSSR060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

UNIXPRIV class profiles are used to manage certain system privileges that are typically associated with z/OS UNIX superuser authority. By defining UNIXPRIV class profiles, certain individual superuser privileges can be granted to users who do not have superuser authority. This reduces the security risks associated with assigning full superuser authority to users.


SURROGAT class profiles are only needed if there are servers (e.g., a web server) running in the z/OS UNIX environment that must be able to act with the security context of a client when that client does not supply a password or other authenticator to the ACP (access control product).

FACILITY class profiles are used by a variety of IBM components including UNIX System Services (OMVS). BPX prefixed profiles in this class are critical to the proper security of the z/OS UNIX environment.

Ensure that the required classes are active. Develop a plan of action and activate with the RACF commands:

SETR CLASSACT(FACILITY SURROGAT UNIXPRIV)
SETR GENERIC(FACILITY SURROGAT UNIXPRIV)
SETR GENCMD(FACILITY SURROGAT UNIXPRIV)
SETR RACL(FACILITY SURROGAT UNIXPRIV)

Check Contents

a) Refer to the following report produced by the RACF Data Collection:

- RACFCMDS.RPT(SETROPTS)

Automated Analysis
Refer to the following report produced by the RACF Data Collection:

- PDI(ZUSSR060)

b) If the ACTIVE CLASSES list includes entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes, there is NO FINDING.

c) If (b) above is untrue, this is a FINDING.
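The check above reads the ACTIVE CLASSES list from the SETROPTS LIST output captured in RACFCMDS.RPT(SETROPTS), and the fix issues SETROPTS commands for whatever is not yet active, generic-enabled or RACLISTed. The following script is an added example, not part of the STIG or of STIGQter: it parses a SETROPTS LIST report, applies the ZUSSR060 check, and generates only the SETROPTS commands that are still needed, in the same order as the fix recommendation. The sample report is constructed for illustration; it assumes the "KEYWORD = value" layout of SETROPTS LIST, in which long class lists continue on indented lines and "NONE" denotes an empty list.

```python
# Added example (not from the STIG or STIGQter): evaluate ZUSSR060 against a
# SETROPTS LIST report and generate the outstanding remediation commands.
import re

# The three classes the rule requires to be ACTIVE.
REQUIRED_CLASSES = ("FACILITY", "SURROGAT", "UNIXPRIV")

# Constructed sample in the shape of SETROPTS LIST output (assumption about
# the layout: "NAME = values", continuation lines indented). UNIXPRIV is not
# active, and SURROGAT/UNIXPRIV are neither generic-enabled nor RACLISTed.
SAMPLE_SETROPTS = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM APPL DASDVOL FACILITY
                 OPERCMDS PROGRAM SURROGAT TAPEVOL TSOAUTH TSOPROC
GENERIC PROFILE CLASSES = DATASET ACCTNUM APPL DASDVOL FACILITY
                 OPERCMDS PROGRAM TAPEVOL TSOAUTH TSOPROC
GENERIC COMMAND CLASSES = DATASET ACCTNUM APPL DASDVOL FACILITY
                 OPERCMDS PROGRAM TAPEVOL TSOAUTH TSOPROC
GLOBAL CHECKING CLASSES = NONE
RACLIST CLASSES = ACCTNUM APPL FACILITY OPERCMDS TSOAUTH TSOPROC
"""

# Constructed compliant variant: all three classes active, generic and RACLISTed.
COMPLIANT_SETROPTS = """\
ACTIVE CLASSES = DATASET USER GROUP FACILITY SURROGAT UNIXPRIV
GENERIC PROFILE CLASSES = DATASET FACILITY SURROGAT UNIXPRIV
GENERIC COMMAND CLASSES = DATASET FACILITY SURROGAT UNIXPRIV
RACLIST CLASSES = FACILITY SURROGAT UNIXPRIV
"""

# Maps each SETROPTS LIST section to the SETROPTS keyword that populates it,
# in the order the fix recommendation issues them.
SECTION_KEYWORD = {
    "ACTIVE CLASSES": "CLASSACT",
    "GENERIC PROFILE CLASSES": "GENERIC",
    "GENERIC COMMAND CLASSES": "GENCMD",
    "RACLIST CLASSES": "RACLIST",
}

SECTION_RE = re.compile(r"^([A-Z][A-Z ]+?) = (.*)$")


def parse_setropts(text):
    """Return {section name: set of classes} for every 'NAME = ...' section.
    Continuation lines (indented) extend the current section; NONE is empty."""
    sections = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = set()
            values = m.group(2)
        elif current and line.startswith(" "):
            values = line
        else:
            current = None
            continue
        sections[current].update(v for v in values.split() if v != "NONE")
    return sections


def evaluate_zussr060(sections):
    """Apply check step (b): NO FINDING only if all required classes are ACTIVE."""
    active = sections.get("ACTIVE CLASSES", set())
    missing = [c for c in REQUIRED_CLASSES if c not in active]
    return {
        "status": "FINDING" if missing else "NO FINDING",
        "missing_active": missing,
    }


def remediation_commands(sections):
    """Generate the SETROPTS commands from the fix recommendation, limited to
    the classes each setting is still missing, CLASSACT first."""
    cmds = []
    for section, keyword in SECTION_KEYWORD.items():
        present = sections.get(section, set())
        missing = [c for c in REQUIRED_CLASSES if c not in present]
        if missing:
            cmds.append(f"SETROPTS {keyword}({' '.join(missing)})")
    return cmds


if __name__ == "__main__":
    for label, report in (("sample", SAMPLE_SETROPTS), ("compliant", COMPLIANT_SETROPTS)):
        parsed = parse_setropts(report)
        result = evaluate_zussr060(parsed)
        print(label, result["status"], result["missing_active"])
        for cmd in remediation_commands(parsed):
            print("  ", cmd)
```

The script only generates commands; it does not issue them. Activating a class changes how RACF resolves requests for every resource in that class, so the plan of action the fix calls for should confirm that the profiles the environment depends on (for example the BPX-prefixed FACILITY profiles) are defined before SETROPTS CLASSACT is issued on production.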

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

197

Comments