The zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and audited.
<VulnDiscussion>Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users.
Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed.
Users authorized to use the zSecure program CKRCARLX can fake SMF records.
Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes.
Satisfies: SRG-APP-000342-MFP-000090,SRG-APP-000343-MFP-000091</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
If this is not a RACF system, the presence of CKGRACF is not applicable.
Ensure READ access to zSecure functional resources is restricted to the appropriate staff members.
READ access can be given to auditors, security administrators (domain level and decentralized), security batch jobs that perform ESM maintenance, and trusted STC users.