Check: ZJES0060
zOS RACF STIG:
ZJES0060
(in versions v6 r43 through v6 r30)
Title
Surrogate users must be controlled in accordance with proper security requirements. (Cat II impact)
Discussion
Surrogate users have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users run with the identity of the execution user. Failure to properly control surrogate users could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Check Content
Refer to the following report produced by the RACF Data Collection: SENSITVE.RPT(SURROGAT) If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is not applicable. For each executionuserid.SUBMIT resource defined to the SURROGAT resource class, if the following items are in true regarding surrogate controls, this is not a finding. ___ All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE. ___ All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted. . ___ Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs. ___ Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).
Fix Text
For executionuserid.SUBMIT resources defined to the SURROGAT resource class, ensure the following items are in effect regarding surrogate controls: All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE. All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted. Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). Consider the following recommendations when implementing security for Surrogate Users: Keep the use of Surrogate Users outside of those granted to the scheduling software to a minimum number of individuals. The simplest configuration is to only use Surrogate resource for the appropriate Scheduling task/software for production scheduling purposes as documented. Temporary use of surrogate resource of the production batch to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility and test period is determined by site policy. Access authorization is restricted to the minimum number of personnel required for running production jobs. However, Surrogate usage should not become the default for all jobs submitted by individual userids (i.e., system programmer shall use their assigned individual userids for software installation, duties, whereas a Cross Authorized ACID would normally be utilized for scheduled batch production only and as such shall normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users.. Command samples are provided to define/permit SURROGAT profiles: SETR CLASSACT(SURROGAT) SETR GENERIC(SURROGAT) GENCMD(SURROGAT) SETR RACL(SURROGAT) RDEF SURROGAT <batchid>.SUBMIT UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('SUBMIT JOBS FOR <batchid>, REFERENCE ZJES0060') PE <batchid>.SUBMIT CL(SURROGAT) ID(<authorized user such as CONTROLM>)
Additional Identifiers
Rule ID: SV-7346r5_rule
Vulnerability ID: V-54
Group Title: ZJES0060
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-002233 |
The information system prevents organization-defined software from executing at higher privilege levels than users executing the software. |
CCI-002234 |
The information system audits the execution of privileged functions. |