T 3.70 Insufficient z/OS system file protection
In the z/OS operating system, a security system like RACF controls and monitors file access. Incorrect administration of the file protection may enable an attacker, under certain circumstances, to access important files without authorisation, e.g. operating system programs, configuration files or application data.
RACF enables user accounts to be granted comprehensive rights using special attributes (e.g. Special or Operations).
Note that in z/OS any data a user is permitted to read can also be copied by that user, so read access alone is sufficient for data to leave its intended location.
In this context the threat T 3.16 Incorrect administration of site and data access rights should also be considered.
Examples:
- The files containing salary data, whose RACF profile carried the attribute Universal Access (UACC) UPDATE, were copied using the ID of an ordinary member of staff. As a result all staff not only had read access, but could also alter the data.
- Due to careless handling of the RACF attribute Operations, a user was able to read or copy nearly all system data and customer data.
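As an added illustration, not part of the original catalogue text, the following Python script audits data set profiles for exactly the weakness in the first example: a UACC above the policy ceiling. It also flags profiles in WARNING mode, where RACF logs a violation but still grants access. The listing it parses is a constructed sample that approximates the layout of RACF LISTDSD output; the exact layout is an assumption and should be checked against a real listing before use.

```python
import re

# Constructed sample approximating RACF LISTDSD output (layout is an assumption, not real data).
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET HR.SALARY.DATA
LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    HRADMIN         UPDATE          NO       NO

INFORMATION FOR DATASET SYS1.PARMLIB (G)
LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    SYS1            READ            YES      NO

INFORMATION FOR DATASET APP.CONFIG.PARMS
LEVEL  OWNER      UNIVERSAL ACCESS   WARNING   ERASE
-----  --------   ----------------   -------   -----
 00    APPADM          NONE            NO       NO
"""

# RACF access levels in increasing order of privilege.
ACCESS_ORDER = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}

def parse_profiles(text):
    """Extract (dataset, owner, UACC, warning) from each profile block of the listing."""
    profiles, name, generic = [], None, False
    for line in text.splitlines():
        m = re.match(r"INFORMATION FOR DATASET (\S+)(\s+\(G\))?", line)
        if m:
            name, generic = m.group(1), bool(m.group(2))
            continue
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(NONE|EXECUTE|READ|UPDATE|CONTROL|ALTER)\s+(YES|NO)\s+(YES|NO)", line)
        if m and name:
            profiles.append({"dataset": name, "generic": generic, "owner": m.group(2),
                             "uacc": m.group(3), "warning": m.group(4) == "YES"})
            name = None  # one data line per profile block
    return profiles

def find_weak_profiles(profiles, max_uacc="NONE"):
    """Return (dataset, reason) for every profile whose UACC exceeds the policy ceiling
    or that is in WARNING mode (violations are logged but access is still granted)."""
    findings = []
    for p in profiles:
        if ACCESS_ORDER[p["uacc"]] > ACCESS_ORDER[max_uacc]:
            findings.append((p["dataset"], f"UACC {p['uacc']} exceeds {max_uacc}"))
        if p["warning"]:
            findings.append((p["dataset"], "WARNING mode: violations logged but access still granted"))
    return findings

if __name__ == "__main__":
    for dataset, reason in find_weak_profiles(parse_profiles(SAMPLE_LISTDSD), max_uacc="NONE"):
        print(f"{dataset}: {reason}")
```

Feed it the output of LISTDSD for the profiles you want to audit; a ceiling of NONE is appropriate for sensitive data such as salary files, while a ceiling of READ may be acceptable for data that is public within the organisation.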