IBM RACF must define UACC of NONE on all profiles.

Severity: high
Group ID: V-223777
Group Title: SRG-OS-000370-GPOS-00155
Version: RACF-OS-000210
Rule ID: SV-223777r1050763_rule
Date: 2025-03-11
STIG Version: 9
Description
The operating system must employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs.
ℹ️ Check
Review all dataset and resource profiles in the RACF database. If any are not defined with UACC NONE, this is a finding.

There is an exception when evaluating the UACC for the DIGTCERT and NODES resource classes.

The universal access (UACC) for DIGTCERT profiles: For profiles in classes other than DIGTCERT, the valid values are NONE, READ, EXECUTE, UPDATE, CONTROL, and ALTER. For DIGTCERT profiles, the valid values are TRUST, NOTRUST, and HIGHTRST. If DIGTCERT profiles are defined with a UACC other than NONE, this is not a finding.

The universal access (UACC) for NODES: A UACC of NONE fails the inbound job. If NODES profiles are defined with a UACC other than NONE, this is not a finding.
✔️ Fix
Define each dataset and resource profile with UACC(NONE), excluding the exceptions of NODES and DIGTCERT profiles.
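The check above, applied to a profile listing, as an added example that is not part of the STIG. The three-column input layout (CLASS PROFILE UACC), the sample profile names, and the REVIEW status for values outside the lists given in the check text are assumptions made for illustration.

```python
# Added example, not part of the STIG. The "CLASS PROFILE UACC" listing
# (one profile per line) is an assumed, site-produced extract.
GENERAL_UACC = {"NONE", "READ", "EXECUTE", "UPDATE", "CONTROL", "ALTER"}
DIGTCERT_UACC = {"TRUST", "NOTRUST", "HIGHTRST"}

# Constructed sample data; profile names are placeholders.
SAMPLE = """\
# class   profile              uacc
DATASET   APPL.PROD.**         NONE
DATASET   PAYROLL.MASTER.**    READ
FACILITY  EXAMPLE.RESOURCE.A   none
FACILITY  EXAMPLE.RESOURCE.B   UPDATE
DIGTCERT  01.CN=EXAMPLE        TRUST
DIGTCERT  02.CN=EXAMPLE        READ
NODES     NODEA.USERJ.*        READ
SURROGAT  EXAMPLE.SUBMIT
"""

def evaluate(line):
    """Classify one listing line as PASS, FINDING, EXEMPT or REVIEW."""
    fields = line.split()
    if len(fields) != 3:
        return ("REVIEW", line.strip(), "malformed line")
    cls, profile, uacc = fields[0].upper(), fields[1], fields[2].upper()
    name = f"{cls} {profile}"
    if cls == "NODES":
        # Exception: UACC NONE fails the inbound job, so any value is accepted.
        return ("EXEMPT", name, uacc)
    if cls == "DIGTCERT":
        # Exception: valid values are TRUST, NOTRUST and HIGHTRST.
        if uacc in DIGTCERT_UACC:
            return ("EXEMPT", name, uacc)
        return ("REVIEW", name, f"unexpected DIGTCERT value {uacc}")
    if uacc not in GENERAL_UACC:
        return ("REVIEW", name, f"unknown UACC {uacc}")
    return ("PASS" if uacc == "NONE" else "FINDING", name, uacc)

def audit(listing):
    """Evaluate every non-blank, non-comment line of the listing."""
    rows = [l for l in listing.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [evaluate(l) for l in rows]

def findings(listing):
    """Profiles that violate the rule: UACC other than NONE and no exception."""
    return [name for status, name, _ in audit(listing) if status == "FINDING"]

if __name__ == "__main__":
    for status, name, detail in audit(SAMPLE):
        print(f"{status:8} {name:32} {detail}")
```

REVIEW rows are not findings under this rule; they mark lines the script could not evaluate and that need a manual look at the source profile.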