
z/OS RACF STIG SRR Checklist (Y26M01)

Hard 19 items · 3 hours
testuser Published 1 month ago

This checklist guides IT and security professionals through a Security Readiness Review (SRR) for IBM z/OS RACF using the Y26M01 STIG. It helps verify installation, configuration, auditing, and compliance items required by DISA, and is intended for system administrators and security reviewers.

Source: https://ncp.nist.gov/checklist/55

  1. Review STIG version and supporting resources — Confirm checklist version Y26M01 and download required XCCDF/SRR files.
  2. Confirm target system is IBM z/OS — Verify CPE/host inventory lists z/OS as the target OS.
  3. Verify RACF is installed and running — Check RACF service status and base datasets are present.
  4. Validate RACF configuration against STIG settings — Compare system settings with STIG requirements and note deviations.
  5. Review user and group account controls — Assess account lifecycle, privileges, and administration policies.
  6. Audit privileged accounts — List all privileged userids and verify that each has a documented justification.
  7. Secure system and service accounts — Ensure non-interactive accounts have strong controls and no default passwords.
  8. Remove or disable unused accounts — Disable accounts with no business need and document actions.
  9. Verify access control lists and permissions — Confirm dataset and resource permissions follow least privilege.
  10. Check logging and audit configuration — Validate audit scope, collectors, and log integrity controls.
  11. Ensure auditing is enabled — Confirm RACF and system auditing are active for required events.
  12. Confirm log retention and protection meet policy — Verify retention periods, offsite copies, and access controls.
  13. Run SRR scripts and capture output — Execute provided SRR/XCCDF scripts and save reports for review.
  14. Validate patch levels and software versions — Compare installed releases to vendor and DISA requirements.
  15. Confirm backups and recovery procedures — Ensure RACF critical datasets are backed up and restore tested.
  16. Document exceptions and mitigations — Record deviations from STIG with justification and compensating controls.
  17. Report findings to designated point of contact — Send SRR results and remediation steps to the listed POC.
  18. Update checklist and resource links — Refresh local checklist copy and link to latest DISA resources and SHA values.
  19. Schedule periodic reviews and re-assessments — Set a cadence for future SRRs and STIG updates.