The IBM Security zSecure programs CKFCOLL and CKGRACF, and the APF-authorized version of program CKRCARLA, must be restricted to security administrators, security batch jobs performing External Security Manager (ESM) maintenance, auditors, and systems programmers, and must be audited.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-259734	SRG-APP-000342-MFP-000090	ZSEC-00-000160	SV-259734r1050758_rule	2025-03-05	1

Description
Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can fake SMF records. Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes. Satisfies: SRG-APP-000342-MFP-000090,SRG-APP-000343-MFP-000091

Description

Users authorized to use the zSecure program CKFCOLL can collect z/OS system information that is not accessible to regular users. Users authorized to use the zSecure program CKGRACF can change certain permitted RACF profile definitions that otherwise would not be allowed. Users authorized to use the zSecure program CKRCARLX can fake SMF records. Allowing inappropriate users to use the CKFCOLL, CKGRACF, and CKRCARLX programs could result in disclosure of z/OS installation and configuration information or inappropriate RACF profile or SMF record changes. Satisfies: SRG-APP-000342-MFP-000090,SRG-APP-000343-MFP-000091

ℹ️ Check
If this is not a RACF system, the presence of CKGRACF is not applicable. Verify the access and log settings of the profiles that protect the use of the CKFCOLL and CKGRACF programs and the APF-authorized version of the CKRCARLA program. If the CKF. and CKG. profiles that protect the use of the CKFCOLL, CKGRACF, and CKRCARLA programs allow general access (UACC, ID(), WARNING, or global access) or do not log successful READ access, this is a finding. If READ or higher access to profile(s) protecting CKF.* resources in XFACILIT class is not restricted to security administrators (domain or decentralized), batch jobs performing ESM maintenance, auditors, or systems programmers, this is a finding. If READ or higher access to profile(s) protecting CKG.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized) or batch jobs performing ESM maintenance, this is a finding. Review auditing of the profile protecting the CKR.CKRCARLA.APF resource in XFACILIT class. If successful READs are not audited, this is a finding.

ℹ️ Check

If this is not a RACF system, the presence of CKGRACF is not applicable. Verify the access and log settings of the profiles that protect the use of the CKFCOLL and CKGRACF programs and the APF-authorized version of the CKRCARLA program. If the CKF.** and CKG.** profiles that protect the use of the CKFCOLL, CKGRACF, and CKRCARLA programs allow general access (UACC, ID(*), WARNING, or global access) or do not log successful READ access, this is a finding. If READ or higher access to profile(s) protecting CKF.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized), batch jobs performing ESM maintenance, auditors, or systems programmers, this is a finding. If READ or higher access to profile(s) protecting CKG.** resources in XFACILIT class is not restricted to security administrators (domain or decentralized) or batch jobs performing ESM maintenance, this is a finding. Review auditing of the profile protecting the CKR.CKRCARLA.APF resource in XFACILIT class. If successful READs are not audited, this is a finding.

✔️ Fix
The following commands are provided as a sample for implementing RACF zSecure user data set controls. Convert these commands for any other ESM: rdef program CKFCOLL uacc(none) owner(zSecure owner) audit(all(read)) pe CKFCOLL class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ) rdef program CKGRACF uacc(none) owner(zSecure owner) audit(all(read)) pe CKGRACF class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ) rdef program CKRCARLX uacc(none) owner(zSecure owner) audit(all(read)) pe CKRCARLX class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ)

✔️ Fix

The following commands are provided as a sample for implementing RACF zSecure user data set controls. Convert these commands for any other ESM: rdef program CKFCOLL uacc(none) owner(zSecure owner) audit(all(read)) pe CKFCOLL class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ) rdef program CKGRACF uacc(none) owner(zSecure owner) audit(all(read)) pe CKGRACF class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ) rdef program CKRCARLX uacc(none) owner(zSecure owner) audit(all(read)) pe CKRCARLX class(program) id(AUDTAUDT, SECAAUDT, SECBAUDT, SECDAUDT, SYSPAUDT) access(READ)