An error occurred:

Check: RACF-ES-000240

IBM z/OS RACF STIG: RACF-ES-000240 (in versions v8 r14 through v7 r1)

Title

IBM RACF batch jobs must be properly secured. (Cat II impact)

Discussion

Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000326-GPOS-00126

Check Content

Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. Determine any other scheduled batch jobs on the system. From an ISPF Command Shell enter: RLIST SURROGAT * If each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile, this is not a finding. From an ISPF Command Shell enter: RLIST SURROGAT <surrogat-userid> ALL If the Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles, this is not a finding.

Fix Text

Configure each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example: RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid) Configure Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example: PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)

Additional Identifiers

Rule ID: SV-223672r853578_rule

Vulnerability ID: V-223672

Group Title: SRG-OS-000080-GPOS-00048

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000213

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-002233

The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-3

Access Enforcement
AC-6 (8)

Privilege Levels For Code Execution