ZOSMIGV1R13_DEFAULT_UNIX_ID

Description:
This check determines whether a client is relying on RACF® to assign default z/OS® UNIX identities for users without OMVS segments who are accessing UNIX services. IBM® recommends that a unique UNIX UID be assigned to each user and that a unique GID be assigned to each group that needs access to z/OS UNIX functions and resources.
Starting with z/OS V1R13, support for the default UNIX identity, implemented using the BPX.DEFAULT.USER profile in the FACILITY class, is no longer available, so a migration action may be required if you are using it. The need for a migration action is based on whether the BPX.UNIQUE.USER and BPX.DEFAULT.USER profiles are defined in the FACILITY class. The following table summarizes:
Table 1. ZOSMIGV1R13_DEFAULT_UNIX_ID check actions and migration actions

BPX.UNIQUE.USER defined in FACILITY: No
BPX.DEFAULT.USER defined in FACILITY: No
Check action and migration action required:
  RACF is not enabled to assign z/OS UNIX identities to users or groups who do not have OMVS segments.

  The check issues informational message IRRH504I (see "ZOSMIGV1R13_DEFAULT_UNIX_ID") and does not raise an exception, but you should follow the best practice of assigning a unique UID and a unique GID to each user and group that needs access to z/OS UNIX functions and resources, either through the BPX.UNIQUE.USER profile or by defining OMVS segments manually.

  Migration action: Not required; the installation continues to perform as before.

BPX.UNIQUE.USER defined in FACILITY: No
BPX.DEFAULT.USER defined in FACILITY: Yes
Check action and migration action required:
  The presence of the BPX.DEFAULT.USER profile without the BPX.UNIQUE.USER profile indicates an intent to use default OMVS segment support, which is not recommended.

  The check raises a low severity exception and issues error message IRRH505E. See "ZOSMIGV1R13_DEFAULT_UNIX_ID".

  Migration action: Required, because default OMVS segment support is not supported in z/OS V1R13 or later. Do one of the following:
    • Use the replacement BPX.UNIQUE.USER profile function provided in z/OS R11 to enable RACF to automatically generate unique UIDs and GIDs.
    • Define OMVS segments for all users and groups who require UNIX services.

BPX.UNIQUE.USER defined in FACILITY: Yes
BPX.DEFAULT.USER defined in FACILITY: Yes or No
Check action and migration action required:
  The presence of the BPX.UNIQUE.USER profile (with or without BPX.DEFAULT.USER) indicates an intent to have RACF automatically generate unique UNIX UIDs and GIDs, as is recommended.

  The check issues informational message IRRH502I and then verifies the requirements for the automatic generation of unique UNIX IDs. IRRH502I includes a report showing whether all requirements have been met; see the sample IRRH502I output in "ZOSMIGV1R13_DEFAULT_UNIX_ID". The check's action then depends on whether it finds that the requirements have been met:
    • If all requirements have been met, the check raises no exception and issues informational message IRRH506I.
    • If the check detects that not all requirements have been met, it issues informational message IRRH507I and does not raise an exception.

  Migration action: Not required; the requirements for the automatic generation of unique UNIX IDs are a matter of enablement rather than migration.

Reason for check:
Starting with z/OS V1R13, support for the default UNIX identity, implemented using the BPX.DEFAULT.USER profile in the FACILITY class, is no longer available, so a migration action may be required if you are using it.
z/OS releases the check applies to:
z/OS V1R12 and z/OS V1R13
Parameters accepted:
No
User override of IBM values:
The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you just want a one-time update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMRACF,ZOSMIGV1R13_DEFAULT_UNIX_ID)
SEVERITY(LOW),INTERVAL(ONETIME),DATE('date_of_the_change')
REASON('Your reason for making the update.')
Debug support:
No
Verbose support:
No
Reference:
z/OS Security Server RACF Security Administrator's Guide
Messages:
This check issues the following exception messages:
  • IRRH505E
See z/OS Security Server RACF Messages and Codes.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output:
  • The following shows the output from a ZOSMIGV1R13_DEFAULT_UNIX_ID check that finds that neither the BPX.UNIQUE.USER nor the BPX.DEFAULT.USER profile is defined:
    CHECK(IBMRACF,ZOSMIGV1R13_DEFAULT_UNIX_ID)                               
    START TIME: 05/11/2011 10:34:11.210824                                  
    CHECK DATE: 20110101  CHECK SEVERITY: LOW                              
                                                                            
    IRRH504I RACF is not enabled to assign UNIX IDs when users or groups    
    that do not have OMVS segments use certain z/OS UNIX services. If you   
    choose not to define UNIX IDs for each user of UNIX functions, you can  
    enable RACF to automatically generate unique UNIX UIDs and GIDs for you.
                                                                            
    END TIME: 05/11/2011 10:34:11.211004  STATUS: SUCCESSFUL                
  • The following shows the output from an exception for ZOSMIGV1R13_DEFAULT_UNIX_ID when the presence of the BPX.DEFAULT.USER profile without the BPX.UNIQUE.USER profile indicates an intent to use default OMVS segment support, which is not recommended:
    CHECK(IBMRACF,ZOSMIGV1R13_DEFAULT_UNIX_ID)                                
    START TIME: 05/11/2011 10:36:31.611960                                   
    CHECK DATE: 20110101  CHECK SEVERITY: LOW                               
                                                                             
    * Low Severity Exception *                                              
                                                                             
    IRRH505E The BPX.DEFAULT.USER profile in the FACILITY class              
    indicates that you want RACF to assign shared default UNIX               
    IDs when users or groups that do not have OMVS segments use              
    certain z/OS UNIX services.                                              
                                                                             
      Explanation:  The RACF UNIX identity check has found the               
        BPX.DEFAULT.USER profile in the FACILITY class. The presence of this 
        profile indicates an intent to have RACF assign shared default UNIX  
        UIDs and GIDs when users without OMVS segments access the system to  
        use certain UNIX services.                                           
                                                                             
        On z/OS V1R13 and below, you have the option of enabling RACF to 
        assign default z/OS UNIX identities, however it is not suggested. 
        You should either define OMVS segments for user and group profiles,  
        with unique UIDs and GIDs, or you should enable RACF to              
        automatically assign unique z/OS UNIX identities when users without 
        OMVS segments access the system to use certain UNIX services.       
        Assigning unique identities rather than shared identities improves  
        overall security and increases user accountability.                 
                                                                            
        See z/OS Security Server RACF Security Administrator's Guide for    
        more information about how to assign a user identifier (UID) to a   
        RACF user and how to assign a group identifier (GID) to a RACF      
        group. z/OS Security Server RACF Security Administrator's Guide also
        contains information about how to enable RACF to automatically      
        assign unique UNIX identities.                                      
                                                                            
        Note: z/OS V1R13 is the last release that supports default UNIX     
        identities. After z/OS V1R13, users and groups that need to access  
        z/OS UNIX functions and resources must be assigned unique UNIX UIDs 
        and unique GIDs in advance of their need to access these services,  
        or you must enable RACF to automatically assign unique z/OS UNIX    
        identities when users without OMVS segments access the system to use
        certain UNIX services. The FACILITY class BPX.DEFAULT.USER profile  
        will no longer be used and can be deleted.                          
    
      System Action:  The check continues processing. There is no effect on 
        the system.                                                         
                                                                            
      Operator Response:  Report this problem to the system security        
        administrator.                                                      
                                                                            
      System Programmer Response:  None.                                    
                                                                            
      Problem Determination:                                                
                                                                            
      Source:                                                               
                                                                            
      Reference Documentation:                                              
        z/OS Security Server RACF Security Administrator's Guide            
                                                                            
      Automation:  None.                                                    
                                                                            
      Check Reason:  Migration check for BPX.DEFAULT.USER removal.          
                                                                            
    END TIME: 05/11/2011 10:36:31.612823  STATUS: EXCEPTION-LOW
  • The following shows the output from a ZOSMIGV1R13_DEFAULT_UNIX_ID check that finds that the requirements for the automatic generation of unique UNIX IDs have been met:
    CHECK(IBMRACF,ZOSMIGV1R13_DEFAULT_UNIX_ID)                              
    START TIME: 05/11/2011 11:02:39.632614                                 
    CHECK DATE: 20110101  CHECK SEVERITY: LOW                             
                                                                           
    IRRH502I RACF attempts to assign unique UNIX IDs when users or groups  
    that do not have OMVS segments use certain z/OS UNIX services.         
                                                                           
    Requirements for this support:                                         
                                                                           
    S Requirement                                                          
    - -------------------------------------------------------------------- 
      FACILITY class profile BPX.UNIQUE.USER is defined                    
      RACF database is at the required AIM stage:                          
        AIM stage = 03                                                     
      UNIXPRIV class profile SHARED.IDS is defined                         
      UNIXPRIV class is active                                             
      UNIXPRIV class is RACLISTed                                          
      FACILITY class profile BPX.NEXT.USER is defined                      
      BPX.NEXT.USER profile APPLDATA is specified (not verified):          
        APPLDATA = 1/0                                                     
    
    IRRH506I The RACF UNIX identity check has detected no exceptions.
                                                            
    END TIME: 05/11/2011 11:02:39.634310  STATUS: SUCCESSFUL
  • The following shows the output from a ZOSMIGV1R13_DEFAULT_UNIX_ID check that finds that the requirements for the automatic generation of unique UNIX IDs have NOT been met; it issues IRRH507I and, as the STATUS line shows, does not raise an exception:
    CHECK(IBMRACF,ZOSMIGV1R13_DEFAULT_UNIX_ID)                             
    START TIME: 05/11/2011 11:05:26.315471                                
    CHECK DATE: 20110101  CHECK SEVERITY: LOW                            
                                                                          
    IRRH502I RACF attempts to assign unique UNIX IDs when users or groups 
    that do not have OMVS segments use certain z/OS UNIX services.        
                                                                          
    Requirements for this support:                                        
                                                                          
    S Requirement                                                         
    - --------------------------------------------------------------------
      FACILITY class profile BPX.UNIQUE.USER is defined                   
      RACF database is at the required AIM stage:                         
        AIM stage = 03                                                    
      UNIXPRIV class profile SHARED.IDS is defined                        
    E UNIXPRIV class is not active                                        
      UNIXPRIV class is RACLISTed                                         
      FACILITY class profile BPX.NEXT.USER is defined                     
      BPX.NEXT.USER profile APPLDATA is specified (not verified):         
        APPLDATA = 1/0                                                    
                                                                            
    IRRH507I RACF cannot assign unique UNIX IDs when users or groups that do
    not have OMVS segments use certain z/OS UNIX services. One or more      
    requirements are not satisfied.                                         
                                                                            
    END TIME: 05/11/2011 11:05:26.317215  STATUS: SUCCESSFUL
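The following Python is an added example, not IBM code: it encodes the Table 1 decision logic (which message the check issues for each combination of BPX.UNIQUE.USER and BPX.DEFAULT.USER) and parses the "S Requirement" table of an IRRH502I report like the ones above, so an operations team can spot the requirement flagged "E" when scraping Health Checker output. The report text in SAMPLE_REPORT is a constructed sample modelled on the output shown on this page.

```python
def check_action(unique_user_defined, default_user_defined):
    """Table 1 as code: message issued, exception raised, migration required."""
    if unique_user_defined:
        return {"message": "IRRH502I", "exception": False, "migration_required": False}
    if default_user_defined:
        return {"message": "IRRH505E", "exception": True, "migration_required": True}
    return {"message": "IRRH504I", "exception": False, "migration_required": False}

def parse_requirements(report):
    """Return [(requirement, met)] from the 'S Requirement' table of an IRRH502I
    report. The status column is 'E' for an unmet requirement and blank when met;
    deeper-indented detail lines (e.g. 'AIM stage = 03') join the preceding row."""
    rows, in_table = [], False
    for line in report.splitlines():
        if line.startswith("- ----"):          # dashed underline opens the table
            in_table = True
            continue
        if not in_table:
            continue
        if not line.strip():                   # first blank line closes the table
            break
        if line.startswith("    "):            # detail line for the previous row
            name, met = rows[-1]
            rows[-1] = (f"{name} [{line.strip()}]", met)
            continue
        rows.append((line[1:].strip(), line[0] != "E"))
    return rows

def final_message(report):
    """Mirror the check's outcome: IRRH506I if all met, else IRRH507I plus unmet rows."""
    unmet = [name for name, met in parse_requirements(report) if not met]
    return ("IRRH507I" if unmet else "IRRH506I", unmet)

# Constructed sample modelled on the IRRH502I report shown on this page.
SAMPLE_REPORT = """\
S Requirement
- --------------------------------------------------------------------
  FACILITY class profile BPX.UNIQUE.USER is defined
  RACF database is at the required AIM stage:
    AIM stage = 03
  UNIXPRIV class profile SHARED.IDS is defined
E UNIXPRIV class is not active
  UNIXPRIV class is RACLISTed
  FACILITY class profile BPX.NEXT.USER is defined
  BPX.NEXT.USER profile APPLDATA is specified (not verified):
    APPLDATA = 1/0

IRRH507I RACF cannot assign unique UNIX IDs when users or groups that do
"""
```

Calling final_message(SAMPLE_REPORT) returns ("IRRH507I", ["UNIXPRIV class is not active"]), which is the condition a SETROPTS CLASSACT(UNIXPRIV) would resolve before the check is rerun.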