Check: RACF0620
zOS RACF STIG:
RACF0620
(in versions v6 r43 through v6 r30)
Title
Started Tasks are not properly identified to RACF. (Cat II impact)
Discussion
Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources.
Check Content
Refer to the following reports produced by the RACF Data Collection:
- DSMON.RPT(RACSPT)
- RACFCMDS.RPT(LISTUSER)

Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system. Started task procedures will have a unique associated userid, or STC userids will be unique per product and function if supported by vendor documentation.
Fix Text
Define a RACF STARTED Class profile for each Started Proc that maps the proc to a unique userid, or STC userids will be unique per product and function if supported by vendor documentation. This can be accomplished with the sample command:

    RDEF STARTED <procname>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(<userid>) GROUP(<groupname>) TRACE(YES))

A corresponding USERID must be defined with appropriate authority. The "groupname" should be a valid STC group with no interactive users.
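The following command sequence is an added worked example of the fix above, not text from the STIG itself. It assumes a started procedure named MYSTC, a dedicated userid MYSTCID, an STC-only group STCGRP, and an owning group ADMIN; all four names are placeholders chosen for illustration. The userid is defined with NOPASSWORD so it is a protected userid that cannot be used to log on, and the STDATA segment deliberately omits PRIVILEGED and TRUSTED so the task gets only the access its userid and group are granted.

```tso
/* Added example: map started task MYSTC to its own protected userid.  */
/* Names MYSTC, MYSTCID, STCGRP and ADMIN are placeholders.            */

/* 1. A group that holds only STC userids; no interactive users.       */
ADDGROUP STCGRP OWNER(ADMIN) SUPGROUP(SYS1) DATA('Started task userids only')

/* 2. The userid for the task. NOPASSWORD NOOIDCARD makes it protected */
/*    (no logon possible, cannot be revoked by bad password attempts). */
ADDUSER MYSTCID NAME('STC MYSTC') OWNER(ADMIN) DFLTGRP(STCGRP) NOPASSWORD NOOIDCARD DATA('Userid for started task MYSTC')

/* 3. Activate and RACLIST the STARTED class if not already done.       */
/*    Check with SETROPTS LIST first; skip this step if it is active.   */
SETROPTS CLASSACT(STARTED) RACLIST(STARTED) GENERIC(STARTED)

/* 4. The STARTED profile from the Fix Text, filled in for MYSTC.       */
/*    PRIVILEGED and TRUSTED are left at their defaults (off).          */
RDEF STARTED MYSTC.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(MYSTCID) GROUP(STCGRP) TRACE(YES))

/* 5. STARTED profiles are RACLISTed; refresh so the change takes effect. */
SETROPTS RACLIST(STARTED) REFRESH

/* 6. Verification matching the Check Content: the profile shows the    */
/*    assigned userid and group, and the userid shows PROTECTED status. */
RLIST STARTED MYSTC.** STDATA
LISTUSER MYSTCID
```

The RLIST output is what a reviewer compares against the DSMON and LISTUSER reports named in the Check Content: each STC should resolve to its own userid (or a per-product userid where the vendor documents that), and that userid should list PROTECTED with a default group containing no interactive users.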
Additional Identifiers
Rule ID: SV-288r2_rule
Vulnerability ID: V-288
Group Title: RACF0620
Expert Comments
CCIs
Number | Definition
---|---
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Controls
Number | Title
---|---
IA-2 | Identification And Authentication (Organizational Users)