Batch jobs are improperly defined.

From z/OS RACF STIG

Part of RACF0595

Associated with IA controls: DCCS-1, DCCS-2

SV-19114r1_rule Batch jobs are improperly defined.

Vulnerability discussion

Batch jobs are submitted to the operating system under their own USERID. This will identify the batch job with the user for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited.

Check content

a) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. b) Ensure that the following items are in effect for batch userids: 1) The following userid record fields/attributes are specified: NAME PROTECTED 2) No userid has the LAST-ACCESS field set to UNKNOWN. c) If both of the above are true, there is NO FINDING. d) If either of the above is untrue, this is a FINDING.

Fix text

Ensure the following: 1. Associated USERIDs exist for all batch jobs and documentation authorizing access to system resources is maintained and implemented. 2. Set up the userids with the RACF PROTECTED attribute. A sample RACF command to accomplish is shown here: ALU NOPASSWORD NOOIDCARD.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer