XFACILIT class, or alternate class if specified in module CKRSITE, must be active.
An XCCDF Rule
Description
<VulnDiscussion>The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is outside of zSecure, in the ESM.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-259738r943248_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Ensure the resource class that is configured in CKRSITE for zSecure security checks is active in the RACF class descriptor table. The default class is XFACILIT. IBM Security zSecure recommends the generic be activated.
Following is a sample command:
SETROPTS CLASSACT(XFACILIT) or SETROPTS CLASSACT(<configured resource class for access checks>)