Check: ZSEC-00-000100
IBM zSecure Suite STIG:
ZSEC-00-000100
(in versions v1 r2 through v1 r1)
Title
Started tasks for IBM Security zSecure products must be properly defined. (Cat II impact)
Discussion
Started task and batch job user IDs can be revoked accidentally if they are not properly protected. When an STC's user ID is protected, it cannot be used to log on with a password, which eliminates the possibility of revocation through excessive invalid password attempts (a denial of service).
Check Content
If user IDs assigned to zSecure started tasks and scheduled batch jobs are not assigned the PROTECTED attribute and/or defined as an STC, this is a finding.

The default zSecure STC names (which may be changed by the installation) are as follows:

- STC C2PACMON runs program C2PACMON.
- STC C2POLICE runs program C2POLICE.
- STC C2PCOLL runs program CKFCOLL. (CKFCOLL is also run as a step in batch jobs.)
- STC C2RSERVE runs program BPXBATCH.
- STC CKCS1154 runs program CKCS1154.
- STC CKNSERVE runs program CKNSERVE.
- STC CKCCEF runs program CKRCARLX.
- STC CKQCLEEF runs program CKRCARLX.
- STC CKQEXSMF runs program CKQEXSMF.
- STC CKQRADAR runs program CKRCARLA.
- STC CKXLOG runs program CKXLOG.

Verify the naming conventions for the zSecure STCs and batch jobs with the responsible systems programmers. Check which user IDs are assigned in the STDATA segment of the zSecure STCs. For these user IDs, verify they are assigned the PROTECTED attribute.
Fix Text
Ensure user IDs assigned to zSecure started tasks and scheduled batch jobs are assigned the PROTECTED attribute and/or defined as an STC. The following commands are provided as a sample for adding the PROTECTED attribute. Convert these commands for any other ESM:

- ALTUSER <stuser> NOPASSWORD NOPHRASE
- ALTUSER <batch user ID> NOPASSWORD NOPHRASE
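The check and fix above, as an added example that is not part of the STIG itself: it maps each zSecure STC to the user ID from its STDATA segment, parses LISTUSER-style output for the ATTRIBUTES line, flags any STC user ID that lacks PROTECTED, and emits the sample ALTUSER fix command. Both the STDATA mapping and the LISTUSER output are constructed samples in a simplified layout; real RACF output has more fields.

```python
import re

# Constructed sample of LISTUSER output for three zSecure STC user IDs
# (simplified layout; the check keys only on the USER= and ATTRIBUTES= lines).
LISTUSER_OUTPUT = """\
USER=C2POLICE  NAME=ZSECURE ALERT  OWNER=SYS1  CREATED=24.001
 ATTRIBUTES=PROTECTED
 REVOKE DATE=NONE  RESUME DATE=NONE
USER=CKQEXSMF  NAME=ZSECURE SMF    OWNER=SYS1  CREATED=24.001
 ATTRIBUTES=NONE
 REVOKE DATE=NONE  RESUME DATE=NONE
USER=C2RSERVE  NAME=ZSECURE SERVER OWNER=SYS1  CREATED=24.001
 ATTRIBUTES=SPECIAL PROTECTED
 REVOKE DATE=NONE  RESUME DATE=NONE
"""

# Constructed STDATA mapping: STC name -> user ID the STC runs under
# (assumed to have been taken from the STARTED profiles' STDATA segments).
STC_USERS = {"C2POLICE": "C2POLICE", "CKQEXSMF": "CKQEXSMF", "C2RSERVE": "C2RSERVE"}


def parse_attributes(listuser_text):
    """Return {user_id: set_of_attributes} from LISTUSER-style output."""
    attrs, current = {}, None
    for line in listuser_text.splitlines():
        m = re.match(r"USER=(\S+)", line)
        if m:
            current = m.group(1)
            attrs[current] = set()
            continue
        m = re.match(r"\s*ATTRIBUTES=(.*)", line)
        if m and current:
            attrs[current] = set(m.group(1).split()) - {"NONE"}
    return attrs


def find_unprotected(stc_users, attrs):
    """Sorted (stc, user) pairs where the user is missing PROTECTED.
    A user ID absent from the LISTUSER output is also reported."""
    return sorted((stc, user) for stc, user in stc_users.items()
                  if "PROTECTED" not in attrs.get(user, set()))


def fix_commands(findings):
    """Sample RACF fix from the STIG: NOPASSWORD NOPHRASE makes the user PROTECTED."""
    return [f"ALTUSER {user} NOPASSWORD NOPHRASE" for _, user in findings]


if __name__ == "__main__":
    findings = find_unprotected(STC_USERS, parse_attributes(LISTUSER_OUTPUT))
    for stc, user in findings:
        print(f"FINDING: STC {stc} runs as {user} without PROTECTED")
    print("\n".join(fix_commands(findings)))
```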
Additional Identifiers
Rule ID: SV-259731r1051324_rule
Vulnerability ID: V-259731
Group Title: SRG-APP-000148-MFP-000206
CCIs
| Number | Definition |
|---|---|
| CCI-000764 | Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users. |
Controls
| Number | Title |
|---|---|
| IA-2 | Identification and Authentication (Organizational Users) |