STIGQter STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:

IBM z/OS surrogate users must be controlled in accordance with proper security requirements.

DISA Rule

SV-223755r604139_rule

Vulnerability Number

V-223755

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-JS-000110

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SURROGAT as follows:
For executionuserid.SUBMIT resources defined to the SURROGAT resource class, ensure the following items are in effect regarding surrogate controls:

All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.

All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted.

Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Consider the following recommendations when implementing security for Surrogate Users:

Keep the use of Surrogate Users outside of those granted to the scheduling software to a minimum number of individuals.

The simplest configuration is to only use Surrogate resource for the appropriate Scheduling task/software for production scheduling purposes as documented.

Temporary use of surrogate resource of the production batch to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period are determined by site policy.

Access authorization is restricted to the minimum number of personnel required for running production jobs. However, Surrogate usage should not become the default for all jobs submitted by individual userids (i.e., system programmer must use their assigned individual userids for software installation, duties, whereas a Cross Authorized ACID would normally be utilized for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users.

Command samples are provided to define/permit SURROGAT profiles:

SETR CLASSACT(SURROGAT)
SETR GENERIC(SURROGAT) GENCMD(SURROGAT)
SETR RACL(SURROGAT)

RDEF SURROGAT <batchid>.SUBMIT UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('SUBMIT JOBS FOR <batchid>, REFERENCE ZJES0060')

PE <batchid>.SUBMIT CL(SURROGAT) ID(<authorized user such as CONTROLM>)

Check Contents

From the ISPF Command Shell enter:
RList SURROGAT *

If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is Not Applicable.

For each executionuserid.SUBMIT resource defined to the SURROGAT resource class, if the following items are in true regarding surrogate controls, this is not a finding.

-All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.
-All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted.

Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Vulnerability Number

V-223755

Documentable

False

Rule Version

RACF-JS-000110

Severity Override Guidance

From the ISPF Command Shell enter:
RList SURROGAT *

If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, this is Not Applicable.

For each executionuserid.SUBMIT resource defined to the SURROGAT resource class, if the following items are in true regarding surrogate controls, this is not a finding.

-All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.
-All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted.

Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Check Content Reference

M

Target Key

4101

Comments