XFACILIT class, or alternate class if specified in module CKRSITE, must be active.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-259738 | SRG-APP-000516-MFP-000195 | ZSEC-00-000260 | SV-259738r961863_rule | 2025-03-05 | 1 |
| Description |
|---|
| The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is outside of zSecure, in the ESM. |
| ℹ️ Check |
|---|
| Run the CARLa command SHOW CKRSITE. The output of this command reveals which resource class is configured for handling the zSecure security checks. The default resource class is XFACILIT. Verify in the class descriptor table that the configured zSecure resource class is active. If the configured zSecure resource class is not active, this is a finding. |
| ✔️ Fix |
|---|
| Ensure the resource class that is configured in CKRSITE for zSecure security checks is active in the RACF class descriptor table. The default class is XFACILIT. IBM Security zSecure recommends the generic be activated. Following is a sample command: SETROPTS CLASSACT(XFACILIT) or SETROPTS CLASSACT(<configured resource class for access checks>) |