Check: RACF-ES-000720
IBM z/OS RACF STIG:
RACF-ES-000720
(in versions v8 r14 through v8 r10)
Title
IBM z/OS Started Tasks must be properly identified and defined to RACF. (Cat II impact)
Discussion
Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources. To ensure accountability and prevent unauthenticated access, organizational users must be identified and authenticated to prevent potential misuse and compromise of the system.
Check Content
Refer to the site security plan, the system administrator, and system libraries to determine list of stated tasks available on the system. If each Started task procedure identified has a unique associated userid or STC userid that is unique per product and function, this is not a finding. If any of the following are untrue, this is a finding. -All started task userids are connected to a valid STC group ID. -Only userids associated with STCs are connected to STC group IDs. -All STC userids are defined with the PROTECTED attribute. From the ISPF Command Shell enter: RL STARTED (Alternately execute RACF DSMON utility for the RACSPT report) If all of the following is true, this is not a finding, If any of the following is untrue, this is a finding. -A generic catch all profile of ** is defined to the STARTED resource class. -The STC group associated with the ** profile is not granted any explicit data set or resource access authorizations. -The STC userid associated with the ** profile is not granted any explicit dataset or resource access authorizations and is defined with the RESTRICTED attribute. Note: Execute the JCL in CNTL(IRRUT100) using the STC group associated with the ** profile as SYSIN input. This report lists all occurrences of this group within the RACF database, including data set and resource access lists. Execute RACF utility DSMON RACSPT report. If the ICHRIN03 started procedures table is not maintained to support recovery efforts in the event the STARTED resource class is deactivated or critical STC profiles are deleted, this is a finding. If STCs critical to support this recovery effort (e.g., JES2, VTAM, TSO, etc.) are not maintained in ICHRIN03 to reflect the current STARTED resource class profiles, this is a finding.
Fix Text
Define a RACF STARTED Class profile for each Started Proc that maps the proc to a unique userid, or STC userids will be unique per product and function if supported by vendor documentation. This can be accomplished with the sample command: RDEF STARTED <procname>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(<userid>) GROUP(<groupname>) TRACE(YES)) A corresponding USERID must be defined with appropriate authority. The "groupname" should be a valid STC group with no interactive users.
Additional Identifiers
Rule ID: SV-223719r877336_rule
Vulnerability ID: V-223719
Group Title: SRG-OS-000104-GPOS-00051
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000764 |
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
Controls
Number | Title |
---|---|
IA-2 |
Identification And Authentication (Organizational Users) |