Rule ID
SV-259733r1050755_rule
Version
V1R3
CCIs
Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.
If READ access to zSecure functional resources is not restricted to privileged users, this is a finding. If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding. CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** If a minimum of all failed access is logged, this is not a finding.
Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode: CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** A minimum of all failed access must be logged. The following is an example of RACF commands. Convert these commands for any other ESM: rdef xfacilit CKF.** uacc(none) owner(zSecure owner) rdef xfacilit CKN*.** uacc(none) owner(zSecure owner) rdef xfacilit CKG.** uacc(none) owner(zSecure owner) rdef xfacilit CKR.** uacc(none) owner(zSecure owner) rdef xfacilit C2R.** uacc(none) owner(zSecure owner) rdef xfacilit C2X.** uacc(none) owner(zSecure owner)