Title

RACF batch jobs are improperly secured. (Cat II impact)

Discussion

Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited.

Check Content

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - RACFCMDS.RPT(SETROPTS) - SENSITVE.RPT(SURROGAT) - RACFCMDS.RPT(LISTUSER) Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. b) If the submission of batch jobs via an automated process (e.g., job scheduler, job submission started task, etc.) is being utilized, ensure the following items are in effect: 1) The SURROGAT resource class is active. Note: This does not need to be checked, automation check is performed in ZUSSR060. 2) Each batch job userid used for batch submission by a job scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example: RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid) 3) Job scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example: PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ) c) If all of the above in (b) are true, there is NO FINDING. d) If any of the above in (b) is untrue, this is a FINDING.

Fix Text

Ensure the following: 1. Each batch job userid used for batch submission by a job scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example: RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE) OWNER(execution-userid) 2. Job scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example: PERMIT execution-userid.SUBMIT CLASS(SURROGAT) ID(surrogate-userid) ACCESS(READ)

Additional Identifiers

Rule ID: SV-286r2_rule

Vulnerability ID: V-286

Group Title: RACF0590

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.