The IBM Security zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and must be audited.
An XCCDF Rule
Description
Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can fake SMF records. Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes.
Satisfies: SRG-APP-000342-MFP-000090, SRG-APP-000343-MFP-000091
- ID: SV-259734r1050758_rule
- Version: ZSEC-00-000160
- Severity: Medium
Remediation Templates
A Manual Procedure
The following commands are provided as a sample for implementing the RACF zSecure user data set controls. Convert these commands as appropriate for any other ESM:
rdef program CKFCOLL uacc(none) owner(zSecure owner) audit(all(read))
pe CKFCOLL class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ)
rdef program CKGRACF uacc(none) owner(zSecure owner) audit(all(read))
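As an added example (not part of the STIG or of zSecure), the following Python check parses a RACF RLIST PROGRAM listing for CKFCOLL and reports any deviation from the controls the commands above establish: UACC(NONE), AUDIT(ALL(READ)), and an access list limited to the five groups named in the PERMIT. The RLIST layout in the embedded sample is constructed and may need adjusting to the report format your ESM produces.

```python
# Added compliance check (not part of the STIG): parse a RACF "RLIST PROGRAM <name>
# AUTHUSER" listing and verify the controls this rule requires for CKFCOLL. The listing
# below is a CONSTRUCTED sample; adjust parse_rlist() to the layout your ESM produces.
APPROVED_GROUPS = {"AUDTAUDT", "SECAAUDT", "SECBAUDT", "SECDAUDT", "SYSPAUDT"}

SAMPLE_RLIST = """\
LEVEL  OWNER      UNIVERSAL ACCESS   YOUR ACCESS  WARNING
-----  --------   ----------------   -----------  -------
 00    ZSECOWN         NONE              NONE     NO

AUDITING
--------
ALL(READ)

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
AUDTAUDT   READ      000000
SYSPAUDT   READ      000000
TSTUSER1   READ      000000
"""

def parse_rlist(text):
    """Return (uacc, audit, acl); acl maps each user/group to its access level."""
    uacc = audit = None
    acl = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("LEVEL"):        # data row is 2 lines below the header
            uacc = lines[i + 2].split()[2]  # third column: UNIVERSAL ACCESS
        elif line.startswith("AUDITING"):
            audit = lines[i + 2].strip()
        elif line.startswith("USER"):       # access-list rows run until a blank line
            for row in lines[i + 2:]:
                parts = row.split()
                if len(parts) < 2:
                    break
                acl[parts[0]] = parts[1]
    return uacc, audit, acl

def check_program_profile(text):
    """Return findings against this rule; an empty list means the profile complies."""
    uacc, audit, acl = parse_rlist(text)
    findings = [f"{n} has {a} access but is not an approved group"
                for n, a in acl.items() if n not in APPROVED_GROUPS]
    if uacc != "NONE":
        findings.append(f"UACC is {uacc}, expected NONE")
    if audit != "ALL(READ)":
        findings.append(f"AUDIT is {audit}, expected ALL(READ)")
    return findings
```

Run the same check against the CKGRACF and CKRCARLX listings by feeding their RLIST output to check_program_profile().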