Title

There are batch jobs with restricted LOGONIDs that do not have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs. (Cat II impact)

Discussion

Unauthorized jobs may be introduced into the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.

Check Content

a) Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTRESTR) Automated Analysis Refer to the following report produced by the ACF2 Data Collection Checklist: - PDI(ACF0580) b) If the logonids that are associated with batch jobs have the RESTRICT attribute, then the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute specified. c) If all restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, and/or the SOURCE(xxxxxxxx) attribute, there is NO FINDING. d) If the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute is not specified for any restricted logonids, this is a FINDING.

Fix Text

Ensure associated LOGONIDs exist for all batch jobs and restrict access to required resources only. All batch jobs scheduled via an automation process will use the //*LOGONID xxxxxxxx card in the JCL stream to identify the userid. Use restricted logonids with the following parameter coded: RESTRICT One or both of the following will also be specified: PGM(xxxxxxxx) and SUBAUTH SOURCE(xxxxxxxx) The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for batch processing will not be used. The use of USER= can also be used in the jobcard to identify the userid to be used for a job's processing.

Additional Identifiers

Rule ID: SV-160r2_rule

Vulnerability ID: V-160

Group Title: ACF0580

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.