Started Tasks are not properly identified to RACF.

From z/OS RACF STIG

Part of RACF0620

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000764

SV-288r2_rule Started Tasks are not properly identified to RACF.

Vulnerability discussion

Started procedures have system-generated job statements that do not contain the user, group, or password statements. To enable a started procedure to access the same protected resources that users and groups access, the started procedure must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources.

Check content

Refer to the following reports produced by the RACF Data Collection:

- DSMON.RPT(RACSPT)
- RACFCMDS.RPT(LISTUSER)

Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system.

Started task procedures will have a unique associated userid, or STC userids will be unique per product and function if supported by vendor documentation.
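One way to automate the uniqueness review described above, as an added example that is not part of the STIG or the RACF Data Collection. It assumes the started-task list has been reduced to a three-column extract (STARTED profile, userid, group); that layout, the sample rows and the `documented_shared` allow-list (userids that vendor documentation supports sharing per product and function) are constructed for illustration and are not the DSMON report format.

```python
from collections import defaultdict

# Constructed sample extract (NOT real DSMON output): profile, userid, group.
# "-" marks a value that is not defined.
SAMPLE_EXTRACT = """\
# profile        user      group
JES2.**          JES2      STCGRP
VTAM.**          VTAM      STCGRP
CICSPRD1.**      CICSSTC   STCGRP
CICSPRD2.**      CICSSTC   STCGRP
DB2AMSTR.**      DB2STC    STCGRP
DB2ADBM1.**      DB2STC    STCGRP
TESTPROC.**      -         STCGRP
"""


def parse_extract(text):
    """Turn the whitespace-separated extract into (profile, user, group) rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Pad short lines so a missing column is treated as undefined.
        profile, user, group = (line.split() + ["-", "-"])[:3]
        rows.append((profile,
                     None if user == "-" else user.upper(),
                     None if group == "-" else group.upper()))
    return rows


def review_started_profiles(rows, documented_shared=frozenset()):
    """Return findings as (kind, userid, profiles) tuples.

    NO_USERID     - the profile maps the proc to no userid at all.
    SHARED_USERID - one userid serves several profiles and is not on the
                    allow-list of vendor-documented per-product sharing.
    """
    findings = []
    by_user = defaultdict(list)
    for profile, user, _group in rows:
        if user is None:
            findings.append(("NO_USERID", None, [profile]))
        else:
            by_user[user].append(profile)
    for user, profiles in sorted(by_user.items()):
        if len(profiles) > 1 and user not in documented_shared:
            findings.append(("SHARED_USERID", user, sorted(profiles)))
    return findings
```

Each `SHARED_USERID` finding is a prompt to check vendor documentation, not an automatic failure; userids confirmed as shared per product and function go into `documented_shared`.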

Fix text

Define a RACF STARTED Class profile for each Started Proc that maps the proc to a unique userid, or STC userids will be unique per product and function if supported by vendor documentation. This can be accomplished with the sample command:

RDEF STARTED .** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER() GROUP() TRACE(YES))

A corresponding USERID must be defined with appropriate authority. The "groupname" should be a valid STC group with no interactive users.
