STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

DISA Rule

SV-223536r533198_rule

Vulnerability Number

V-223536

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-JS-000090

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-002233 - The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.

Weight

10

Fix Recommendation

All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default of no access; all resource access is logged (at the discretion of the ISSM/ISSO scheduling tasks may be exempted) and access authorization is restricted to the minimum number of personnel required for running production jobs.

Ensure the CLASMAP defines SURROGAT as TYPE(SUR).

NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters.

Ensure the following items are in effect:

All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT.

All resource access is logged except for scheduling tasks.

Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Consider the following recommendations when implementing security for Executionuserid.SUBMIT resources:

Keep the use of Executionuserid.SUBMIT resources outside of those granted to the scheduling software to a minimum number of individuals.

The simplest configuration is to only use Executionuserid.SUBMIT for the appropriate Scheduling task/software for production scheduling purposes as documented.

Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period is determined by site policy.

Access authorization is restricted to the minimum number of personnel required for running production jobs. However, Executionuserid.SUBMIT usage should not become the default for all jobs submitted by individual userids (i.e., system programmer must use their assigned individual userids for software installation, duties, whereas using a Executionuserid.SUBMIT resource would normally be for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users.

Example:

$KEY(SRR) TYPE(SUR)
SUBMIT UID(*******STC******CONTROLM) ALLOW
- UID(*) PREVENT

Check Contents

Review the ACFGSO report executionuserid.SUBMIT resources. These are usually defined to CLASMAP as TYPE(SUR).
NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters.

If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is not applicable.

If executionuserid.SUBMIT resources are defined to the SURROGAT resource class, review resource rules for TYPE(SUR). If the following items are in effect, this is not a finding.

All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT.

All resource access is logged; at the discretion of the ISSM/ISSO, scheduling tasks may be exempted.

Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Vulnerability Number

V-223536

Documentable

False

Rule Version

ACF2-JS-000090

Severity Override Guidance

Review the ACFGSO report executionuserid.SUBMIT resources. These are usually defined to CLASMAP as TYPE(SUR).
NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters.

If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is not applicable.

If executionuserid.SUBMIT resources are defined to the SURROGAT resource class, review resource rules for TYPE(SUR). If the following items are in effect, this is not a finding.

All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT.

All resource access is logged; at the discretion of the ISSM/ISSO, scheduling tasks may be exempted.

Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Check Content Reference

M

Target Key

4100

Comments