DISA STIGS Viewer

IBM RACF must define UACC of NONE on all profiles.

Overview

Finding ID: V-223777
Version: RACF-OS-000210
Rule ID: SV-223777r1050763_rule
IA Controls:
Severity: High

Description
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.

STIG: IBM z/OS RACF Security Technical Implementation Guide
Date: 2025-06-24

Details

Check Text (C-25450r1050761_chk)
Review all dataset and resource profiles in the RACF database.

If any are not defined with UACC NONE, this is a finding.

There is an exception when evaluating the UACC for DIGTCERT and NODES resource classes.

The universal access (UACC) for DIGTCERT profiles:
For profiles in classes other than DIGTCERT, the valid values are NONE, READ, EXECUTE, UPDATE, CONTROL, and ALTER. For DIGTCERT profiles, the valid values are TRUST, NOTRUST, and HIGHTRST.
If DIGTCERT profiles are defined with a UACC other than NONE, this is not a finding.

The universal access (UACC) for NODES:
A UACC of NONE fails the inbound job.
If NODES profiles are defined with a UACC other than NONE, this is not a finding.

Fix Text (F-25438r1050762_fix)
Define each dataset and resource profile with UACC(NONE), excluding the exceptions of NODES and DIGTCERT profiles.
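
The check above can be applied to a profile inventory as follows. This is an added example, not part of the STIG: the three-column CSV layout, the sample rows, and the `evaluate_uacc` name are assumptions, and the input stands in for whatever report a site produces from its RACF database.

```python
import csv
import io

# Classes the check text exempts from the UACC(NONE) requirement.
EXEMPT_CLASSES = {"DIGTCERT", "NODES"}

# Constructed sample inventory (not real RACF output). Assumed columns:
# class, profile name, UACC, as written by a site's own reporting job.
SAMPLE_INVENTORY = """\
class,profile,uacc
DATASET,SYS1.PARMLIB,NONE
DATASET,PROD.PAYROLL.**,read
FACILITY,EXAMPLE.RESOURCE.A,NONE
FACILITY,EXAMPLE.RESOURCE.B,UPDATE
DIGTCERT,EXAMPLE.CERT.LABEL,TRUST
NODES,EXAMPLE.NODE.*,READ
SURROGAT,EXAMPLE.SUBMIT,
"""


def evaluate_uacc(inventory_text):
    """Return (findings, exempt) lists of (class, profile, uacc) tuples."""
    findings, exempt = [], []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        cls = row["class"].strip().upper()
        uacc = (row["uacc"] or "").strip().upper()
        entry = (cls, row["profile"].strip(), uacc or "<MISSING>")
        if cls in EXEMPT_CLASSES:
            # DIGTCERT and NODES: a UACC other than NONE is not a finding.
            exempt.append(entry)
        elif uacc != "NONE":
            # Assumption of this example: a blank UACC in the report is
            # flagged too, since it cannot be shown to be NONE.
            findings.append(entry)
    return findings, exempt


if __name__ == "__main__":
    findings, exempt = evaluate_uacc(SAMPLE_INVENTORY)
    for cls, profile, uacc in findings:
        print(f"FINDING  {cls:<8} {profile:<22} UACC={uacc}")
    for cls, profile, uacc in exempt:
        print(f"EXEMPT   {cls:<8} {profile:<22} UACC={uacc}")
```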