Getting a violation for a UNIXPRIV class call that indicates no record (NO-REC) on the ACFRPTRV report.


Article ID: 62327


Updated On:

Products

ACF2, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

An access to resource SUPERUSER.PROCESS.GETPSENT in resource class UNIXPRIV gets an ACF04056 'NO-REC' violation in the ACFRPTRV report, indicating that no rule record was found, but the rule does exist.

RUNI-SUPERUSER.PROCESS.GETPSENT                  LOG  RUNI-SUPERUSER               
uid    STCINRDR SYS1 ACF9CFAT NO-REC   NON-CNCL    -     READ    
22.165 06/14 13.16    xxxxxx yyyyyy BATCH JOB          0   8   0   0   4   

 

Environment

Release:
Component: ACF2MS

Resolution

UNIXPRIV class calls are RACROUTE FASTAUTH calls. FASTAUTH calls require that the rules be globally resident. The violation can be addressed by adding an INFODIR directory for R-RUNI and rebuilding the resident directory for TYPE UNI.

The UNIXPRIV class allows specific control of the individual functions usually performed by a user with superuser authority. This is referred to as superuser granularity. OMVS requires that users performing certain functions have a UID(0) or superuser status. Once a user is given superuser status, they have complete access to the system.

The UNIXPRIV class uses FASTAUTH calls, so the type code used for the UNIXPRIV class must be added to the GSO INFODIR record and the rules must be made resident:

ACF
SET CONTROL(GSO)
CHANGE INFODIR TYPES(R-RUNI)

Once the INFODIR record has been updated, issue the following commands to activate the changes:

ACF
F ACF2,REFRESH(INFODIR)
F ACF2,REBUILD(UNI),CLASS(R)
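To find other resources affected by the same condition, the following added example (not part of the original article or of any Broadcom tooling) scans ACFRPTRV text for NO-REC entries and groups them by type code, generalizing the article's UNI case to any type code the administrator knows is checked through FASTAUTH. It assumes the three-line entry layout quoted above; the function name, the `fastauth_types` and `infodir_types` inputs, and all sample entries except the first are assumptions made for this example.

```python
import re

# Constructed sample in the layout quoted in this article. Only the first
# entry comes from the page; the other two are invented for the example.
SAMPLE_REPORT = """\
RUNI-SUPERUSER.PROCESS.GETPSENT                  LOG  RUNI-SUPERUSER
uid    STCINRDR SYS1 ACF9CFAT NO-REC   NON-CNCL    -     READ
22.165 06/14 13.16    xxxxxx yyyyyy BATCH JOB          0   8   0   0   4

RUNI-SUPERUSER.FILESYS.MOUNT                     LOG  RUNI-SUPERUSER
uid    STCINRDR SYS1 ACF9CFAT NO-REC   NON-CNCL    -     READ

RXYZ-SOME.RESOURCE                               LOG  RXYZ-SOME
uid    STCINRDR SYS1 ACF9CFAT NO-REC   NON-CNCL    -     READ
"""

# Entry header: class R, 3-character type code, then the resource name.
HEADER = re.compile(r"^R([A-Z0-9$#@]{3})-(\S+)")

def triage(report, fastauth_types, infodir_types):
    """Group NO-REC entries by type code for FASTAUTH-checked types only."""
    found, current = {}, None
    for line in report.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.groups()
        elif current and "NO-REC" in line.split():
            rtype, resource = current
            if rtype in fastauth_types:
                entry = f"R-R{rtype}"
                item = found.setdefault(rtype, {
                    "resources": [],
                    "infodir_entry": entry,
                    # False: type is not resident, the cause this article describes.
                    # True: already listed, so check the rule itself or rebuild.
                    "listed": entry in infodir_types,
                    "rebuild": f"F ACF2,REBUILD({rtype}),CLASS(R)",
                })
                item["resources"].append(resource)
            current = None
    return found

if __name__ == "__main__":
    for rtype, item in triage(SAMPLE_REPORT, {"UNI"}, set()).items():
        print(rtype, item)
```

Pass the TYPES list from the current GSO INFODIR record as `infodir_types`; an entry reported with `listed` set to False is a candidate for the INFODIR change and rebuild shown above.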

Details on the UNIXPRIV resource can be found in the CA-ACF2 Security for z/OS Administrator Guide, in Chapter 21: z/OS UNIX System Services Support, section "Controlling Superuser Functions".