Check: RACF0600
zOS RACF STIG:
RACF0600
(in versions v6 r43 through v6 r30)
Title
RACF batch jobs are not protected with propagation control. (Cat II impact)
Discussion
Batch jobs that a user submits to the operating system should inherit the user ID of the submitter, so that the job is identified with that user for the purpose of accessing resources. In some environments, such as CICS, a job submitted without the USER operand on the JOB statement does not run under the signed-on user but under the user ID of the submitting address space, in this case the CICS region userid. This is a security exposure: the person who issued the job inherits the authority of the CICS userid. The PROPCNTL class was designed to prevent this. Use propagation control (PROPCNTL) for system-level address spaces that submit jobs on behalf of users: a PROPCNTL profile whose name is the address space's userid stops RACF from propagating that userid to the jobs it submits.
Check Content
a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:
- RACFCMDS.RPT(SETROPTS)
- SENSITVE.RPT(PROPCNTL)
- RACFCMDS.RPT(LISTUSER)

Refer to a list of all Multiple User Access Systems in use on this system. These are systems that run in a single address space but allow multiple users to sign on to them (e.g., CICS regions, session managers, etc.). For each region, also include the corresponding userids, profiles, data management files, and a brief description of the region.

Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., a scheduler or other sources) and each of the associated userids.

b) If (1) the submission of batch jobs via an automated process (e.g., job scheduler, job submission started task, etc.) is being utilized, and/or (2) Multiple User Single Address Space Systems (MUSASS) capable of submitting batch jobs are active on this system, ensure the following items are in effect:
1) The PROPCNTL resource class is active.
2) A PROPCNTL resource class profile is defined for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) and for each MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.).

c) If both of the items in (b) are true, there is NO FINDING.

d) If either of the items in (b) is untrue, this is a FINDING.
Fix Text
Activate and RACLIST the PROPCNTL class, then add a PROPCNTL profile for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) or a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.), and refresh the class so the new profiles take effect. The profile name is the userid whose propagation is to be suppressed; the userid (controlm) and owner (ADMIN) in the sample are placeholders. Sample commands:

SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)
RDEF PROPCNTL controlm UACC(NONE) OWNER(ADMIN)
SETROPTS RACLIST(PROPCNTL) REFRESH
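As an added example (not part of the STIG text and not a DISA or vendor tool), the following Python script carries out step (b) of the Check Content and emits the Fix Text commands for whatever is missing. It parses constructed, approximate excerpts of SETROPTS LIST and RLIST PROPCNTL * output, the kind of command output the RACFCMDS.RPT(SETROPTS) and SENSITVE.RPT(PROPCNTL) reports capture, against a hypothetical list of scheduler and MUSASS userids (CONTROLM, CICSPROD, ROSCOE). The column layout of the excerpts, the userids, the profile names and the owner ADMIN are all assumptions.

```python
"""Evaluate STIG check RACF0600 (PROPCNTL propagation control) offline.

Added example, not part of the STIG. It reads SETROPTS LIST output, RLIST
PROPCNTL * output and a list of job-submitting userids, then reports
NO FINDING / FINDING as the check content does and lists the fix commands.
The sample outputs are constructed approximations of the real layouts.
"""
import re

# Constructed excerpt of SETROPTS LIST output (approximate layout).
SETROPTS_LIST = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM APPL CONSOLE FACILITY
                 JESJOBS JESSPOOL OPERCMDS PROGRAM PROPCNTL STARTED
                 SURROGAT TSOAUTH TSOPROC UNIXPRIV
GENERIC PROFILE CLASSES = DATASET ACCTNUM APPL CONSOLE FACILITY
                 JESJOBS JESSPOOL OPERCMDS STARTED SURROGAT
RACLIST CLASSES = ACCTNUM APPL FACILITY OPERCMDS PROPCNTL STARTED
"""

# Constructed excerpt of RLIST PROPCNTL * output (approximate layout).
RLIST_PROPCNTL = """\
CLASS      NAME
-----      ----
PROPCNTL   CONTROLM

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN            NONE              NONE    NO

CLASS      NAME
-----      ----
PROPCNTL   CICSPROD

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN            NONE              NONE    NO
"""

# Hypothetical userids of a job scheduler and of MUSASS regions that can
# submit batch jobs (the check's "list of Multiple User Access Systems").
SUBMITTER_USERIDS = ["CONTROLM", "CICSPROD", "ROSCOE"]


def setropts_class_list(text, label):
    """Return the class names listed under a SETROPTS LIST heading such as
    'ACTIVE CLASSES'. The list wraps onto indented continuation lines, so
    keep collecting until the next unindented line."""
    classes = set()
    collecting = False
    for line in text.splitlines():
        if line.startswith(label + " ="):
            classes.update(line.split("=", 1)[1].split())
            collecting = True
        elif collecting and line.startswith(" "):
            classes.update(line.split())
        else:
            collecting = False
    return classes


def propcntl_profiles(text):
    """Return the profile names in RLIST PROPCNTL * output: each profile is
    introduced by a line 'PROPCNTL   <name>' under the CLASS/NAME header.
    Only discrete profiles are recognised, not generic ones."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^PROPCNTL\s+(\S+)\s*$", line)
        if m:
            names.add(m.group(1).upper())
    return names


def evaluate_racf0600(setropts_text, rlist_text, submitter_userids, owner="ADMIN"):
    """Apply the check: class active AND a profile for every submitting
    userid. Returns the verdict plus the commands that would close the gap."""
    active = "PROPCNTL" in setropts_class_list(setropts_text, "ACTIVE CLASSES")
    profiles = propcntl_profiles(rlist_text)
    wanted = {u.upper() for u in submitter_userids}  # RACF folds userids to upper case
    missing = sorted(wanted - profiles)
    fixes = []
    if not active:
        fixes.append("SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)")
    fixes += [f"RDEF PROPCNTL {u} UACC(NONE) OWNER({owner})" for u in missing]
    if missing:
        fixes.append("SETROPTS RACLIST(PROPCNTL) REFRESH")
    return {
        "class_active": active,
        "missing_profiles": missing,
        "finding": (not active) or bool(missing),
        "fix_commands": fixes,
    }


if __name__ == "__main__":
    result = evaluate_racf0600(SETROPTS_LIST, RLIST_PROPCNTL, SUBMITTER_USERIDS)
    print("FINDING" if result["finding"] else "NO FINDING")
    for cmd in result["fix_commands"]:
        print("  ", cmd)
```

With the constructed data the class is active but ROSCOE has no profile, so the script reports a FINDING and prints the RDEF and REFRESH commands for it; removing PROPCNTL from the ACTIVE CLASSES line makes it a finding regardless of which profiles exist, which is why the check tests the class state and the profile list separately.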
Additional Identifiers
Rule ID: SV-287r2_rule
Vulnerability ID: V-287
Group Title: RACF0600
CCIs
Number | Definition
---|---
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Controls
Number | Title
---|---
AC-3 | Access Enforcement