Title

Batch job user Ids must be properly defined. (Cat II impact)

Discussion

Batch jobs are submitted to the operating system under their own USERID. This will identify the batch job with the user for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited.

Check Content

Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated user IDs. From a command input screen enter: LISTUSER(each identified batch job) Alternately: Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) The following USERID record fields/attributes must be specified: NAME PROTECTED No USERID has the LAST-ACCESS field set to UNKNOWN. If both of the above are true, this is not a finding. If either of the USERID record fields/attributes (NAME and/or PROTECTED) are blank and/or the LAST ACCESS field is set to unknown, this is a finding.

Fix Text

Ensure the following: Associated USERIDs exist for all batch jobs and documentation authorizing access to system resources is maintained and implemented. Set up the userids with the RACF PROTECTED attribute. A sample RACF command to accomplish is shown here: ALU <execution-userid> NOPASSWORD NOOIDCARD.

Additional Identifiers

Rule ID: SV-19114r3_rule

Vulnerability ID: V-17839

Group Title: RACF0595

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.