
V-259738

CAT II (Medium)

XFACILIT class, or alternate class if specified in module CKRSITE, must be active.

Rule ID

SV-259738r961863_rule

STIG

IBM zSecure Suite Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000366

Discussion

The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is outside of zSecure, in the ESM.

Check Content

Run the CARLa command SHOW CKRSITE. The output of this command reveals which resource class is configured for handling the zSecure security checks. The default resource class is XFACILIT.

Verify in the class descriptor table that the configured zSecure resource class is active. 

If the configured zSecure resource class is not active, this is a finding.

Fix Text

Ensure the resource class that is configured in CKRSITE for zSecure security checks is active in the RACF class descriptor table. The default class is XFACILIT. IBM Security zSecure recommends the generic be activated.

Following is a sample command:

SETROPTS CLASSACT(XFACILIT)

or

SETROPTS CLASSACT(<configured resource class for access checks>)