IBM Security zSecure must prevent nonprivileged users from executing privileged zSecure functions.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259733	SRG-APP-000340-MFP-000088	ZSEC-00-000140	SV-259733r1050755_rule	2025-03-05	1

Description
Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

Description

Preventing nonprivileged users from executing privileged zSecure functions mitigates the risk that unauthorized individuals or processes may gain unnecessary access to information or privileges. Privileged functions include, for example, running COLLECT jobs, generating audit reports, and adjusting RACF security settings. Nonprivileged users are individuals who do not possess appropriate authorizations. Circumventing intrusion detection and prevention mechanisms or malicious code protection mechanisms are examples of privileged functions that require protection from nonprivileged users.

ℹ️ Check
If READ access to zSecure functional resources is not restricted to privileged users, this is a finding. If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding. CKF.** CKN.* CKG. CKR. C2R. (if you use zSecure Visual) C2X. If a minimum of all failed access is logged, this is not a finding.

ℹ️ Check

If READ access to zSecure functional resources is not restricted to privileged users, this is a finding. If the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode, this is not a finding. CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** If a minimum of all failed access is logged, this is not a finding.

✔️ Fix
Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode: CKF.** CKN.* CKG. CKR. C2R. (if you use zSecure Visual) C2X. A minimum of all failed access must be logged. The following is an example of RACF commands. Convert these commands for any other ESM: rdef xfacilit CKF.** uacc(none) owner(zSecure owner) rdef xfacilit CKN.* uacc(none) owner(zSecure owner) rdef xfacilit CKG. uacc(none) owner(zSecure owner) rdef xfacilit CKR. uacc(none) owner(zSecure owner) rdef xfacilit C2R. uacc(none) owner(zSecure owner) rdef xfacilit C2X. uacc(none) owner(zSecure owner)

✔️ Fix

Ensure that the following high-level qualifier profiles are defined in the configured zSecure class, by default XFACILIT, with UACC (NONE) and not in WARNING mode: CKF.** CKN*.** CKG.** CKR.** C2R.** (if you use zSecure Visual) C2X.** A minimum of all failed access must be logged. The following is an example of RACF commands. Convert these commands for any other ESM: rdef xfacilit CKF.** uacc(none) owner(zSecure owner) rdef xfacilit CKN*.** uacc(none) owner(zSecure owner) rdef xfacilit CKG.** uacc(none) owner(zSecure owner) rdef xfacilit CKR.** uacc(none) owner(zSecure owner) rdef xfacilit C2R.** uacc(none) owner(zSecure owner) rdef xfacilit C2X.** uacc(none) owner(zSecure owner)