S 2.289 Use of restrictive z/OS IDs

Initiation responsibility: Head of IT, IT Security Officer

Implementation responsibility: Administrator

Amongst other things, IDs with high authorisation are required for administering the security system RACF (Resource Access Control Facility). In order to minimise the risk of misuse, the following rules must be observed:

SPECIAL, OPERATIONS, AUDITOR

High authorisation attributes in RACF such as SPECIAL, OPERATIONS, and AUDITOR are applicable to the entire system and must only be assigned to users requiring these rights for their job. IDs with these particularly high rights must be limited to the minimum extent and their assignment must be documented.

GROUP-SPECIAL, GROUP-OPERATIONS, GROUP-AUDITOR

If high rights are required, it must be considered whether these rights can be restricted for the respective ID on a group level (GROUP-SPECIAL, GROUP-OPERATIONS, and GROUP-AUDITOR). The assignment of the rights restricted on a group level must also be limited to the minimum extent and documented.

Super user (UID 0)

In the optional Unix segment of the user ID (OMVS segment), a user ID (UID) valid for Unix System Services (USS) is assigned; this UID is used to manage the z/OS ID in USS. UID 0 (super user) or the authorisation to execute the su command must only be assigned to users who require this authorisation for their work.

SPECIAL and UID 0

For security reasons, highly authorised IDs with the SPECIAL attribute must not run simultaneously with UID 0 as super user in USS. Furthermore, it must be considered whether the attributes SPECIAL and OPERATIONS should be assigned to the same ID.

Assignment of UIDs

UIDs should not be assigned twice (same UID for different users). Many activities that absolutely require super user rights in certain Unix operating systems may be authorised individually in RACF using specific RACF profiles of the class UNIXPRIV. In any case, such an authorisation using RACF profiles is more secure than assigning the super user rights or su command authorisation (see also safeguard S 4.211 Use of the z/OS security system RACF).

Audit procedure

In order to be able to audit the work of the users with high authorisations, a corresponding audit procedure must be established (see also safeguard S 2.288 Drawing up a security policy for z/OS systems).

IBMUSER for new installations

After a new installation, the IBMUSER user must be used to create at least two new IDs with the SPECIAL attribute. Once this has been done, IBMUSER must be disabled (REVOKED) and remain so. RACF definitions should not be created with the IBMUSER ID (see also safeguard S 4.211 Use of the z/OS security system RACF).
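The checkable rules above (SPECIAL combined with UID 0, SPECIAL combined with OPERATIONS, duplicate UIDs, IBMUSER not revoked, at least two SPECIAL IDs) can be reviewed automatically against a user inventory. The following is an added example, not part of the original safeguard; the CSV layout, the sample users and the finding names are assumptions made for illustration and do not correspond to any RACF output format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory (hypothetical CSV layout, not a RACF output format).
SAMPLE = """userid,attributes,uid,revoked
IBMUSER,SPECIAL OPERATIONS,0,no
SECADM1,SPECIAL,,no
SECADM2,SPECIAL AUDITOR,0,no
OPER1,OPERATIONS,1001,no
DEV1,,1002,no
DEV2,,1002,no
"""

def audit(inventory_csv):
    """Return a sorted list of (rule, detail) findings for the inventory."""
    findings = []
    by_uid = defaultdict(list)   # UID -> IDs carrying it
    special_active = []          # non-revoked SPECIAL IDs other than IBMUSER
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user = row["userid"].strip()
        attrs = set(row["attributes"].split())
        uid = row["uid"].strip()  # empty string means no OMVS segment
        revoked = row["revoked"].strip().lower() == "yes"
        if uid:
            by_uid[uid].append(user)
        if "SPECIAL" in attrs and uid == "0":
            findings.append(("SPECIAL_AND_UID0", user))
        if {"SPECIAL", "OPERATIONS"} <= attrs:
            # The safeguard asks for this combination to be considered, not forbidden.
            findings.append(("SPECIAL_AND_OPERATIONS_REVIEW", user))
        if user == "IBMUSER" and not revoked:
            findings.append(("IBMUSER_NOT_REVOKED", user))
        if "SPECIAL" in attrs and not revoked and user != "IBMUSER":
            special_active.append(user)
    for uid, users in by_uid.items():
        if len(users) > 1:
            findings.append(("DUPLICATE_UID", f"{uid}: {', '.join(sorted(users))}"))
    if len(special_active) < 2:
        findings.append(("FEWER_THAN_TWO_SPECIAL_IDS", str(len(special_active))))
    return sorted(findings)

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule:32} {detail}")
```

Findings of this kind are a starting point for the documented review of high authorisations; whether each assignment is justified and documented still has to be checked by a person.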

Emergency user procedures

An emergency user procedure must be established for cases in which, for example, all IDs with the SPECIAL attribute have been disabled or no user holding this authorisation is available in an emergency (see also safeguard S 6.93 Contingency planning for z/OS systems).

Review questions: