RACF batch jobs are not protected with propagation control.

From z/OS RACF STIG

Part of RACF0600

Associated with IA controls: DCCS-1, DCCS-2

SV-287r1_rule RACF batch jobs are not protected with propagation control.

Vulnerability discussion

Batch jobs that are user-submitted to the operating system should inherit the USERID of the submitter. This identifies the batch job with the user for the purpose of accessing resources. In some environments, such as CICS, jobs submitted without the USER operand specified on the JOB statement run under a user ID other than that of the submitting user (in this case, the CICS userid). This situation presents a security violation in that the issuer of the job inherits the authority of the CICS userid. The PROPCNTL class was designed to prevent this from occurring. Utilize propagation control (PROPCNTL) for system-level address spaces that submit jobs on behalf of users.

Check content

a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:

- RACFCMDS.RPT(SETROPTS)
- SENSITVE.RPT(PROPCNTL)
- RACFCMDS.RPT(LISTUSER)

Refer to a list of all Multiple User Access Systems in use on this system. These are systems that run in a single address space but allow multiple users to sign on to them (e.g., CICS regions, session managers, etc.). For each region, also include the corresponding userids, profiles, data management files, and a brief description of each region.

Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids.

b) If (1) the submission of batch jobs via an automated process (e.g., job scheduler, job submission started task, etc.) is being utilized, and/or (2) Multiple User Single Address Space Systems (MUSASS) capable of submitting batch jobs are active on this system, ensure the following items are in effect:

1) The PROPCNTL resource class is active.
2) A PROPCNTL resource class profile is defined for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) and with a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.).

c) If both of the above in (b) are true, there is NO FINDING.

d) If either of the above in (b) is untrue, this is a FINDING.

Fix text

Add a PROPCNTL profile for each userid associated with a job scheduler (e.g., CONTROL-M, CA-7, etc.) or a MUSASS able to submit batch jobs (e.g., CA-ROSCOE, etc.). A sample command is shown here:

RDEF PROPCNTL controlm UACC(NONE) OWNER(ADMIN)
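The following script is an added example, not part of the STIG or of any DISA tooling. It applies the check logic from the check content above (PROPCNTL class active, and one PROPCNTL profile per scheduler or MUSASS userid) to report output, and then emits the RDEF commands from the fix text for whatever is missing. The SETROPTS LIST and RLIST PROPCNTL * excerpts, the submitter userids (CONTROLM, CICSPRD, CICSTST, ROSCOE) and the OWNER(ADMIN) group are constructed sample values; the real reports are wider and vary by release, so the parsing here is deliberately simplified.

```python
"""RACF0600 helper: evaluate the PROPCNTL check and build the fix commands.

Added example, not from the STIG. All report text and userids below are
constructed samples; adapt the parsers to your installation's reports.
"""
import re

# Constructed excerpt of SETROPTS LIST output (RACFCMDS.RPT(SETROPTS)).
# The ACTIVE CLASSES list continues on indented lines, as in the real report.
SETROPTS_SAMPLE = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP TERMINAL CICSTRN FACILITY
                 PROPCNTL SURROGAT
GENERIC PROFILE CLASSES = DATASET TERMINAL FACILITY
"""

# Constructed excerpt of RLIST PROPCNTL * output (SENSITVE.RPT(PROPCNTL)).
RLIST_SAMPLE = """\
CLASS      NAME
-----      ----
PROPCNTL   CONTROLM

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN             NONE             NONE    NO

CLASS      NAME
-----      ----
PROPCNTL   CICSPRD
"""

# Constructed inventory from step (a): userids of job schedulers and MUSASS
# regions that can submit batch jobs on behalf of users.
SUBMITTER_USERIDS = ["CONTROLM", "CICSPRD", "CICSTST", "ROSCOE"]


def active_classes(setropts_output):
    """Return the set of classes named under ACTIVE CLASSES in SETROPTS LIST output."""
    classes = set()
    collecting = False
    for line in setropts_output.splitlines():
        if line.startswith("ACTIVE CLASSES ="):
            collecting = True
            line = line.split("=", 1)[1]
        elif collecting and not line.startswith(" "):
            collecting = False  # next keyword at column 1 ends the continuation
        if collecting:
            classes.update(line.split())
    return classes


def propcntl_profiles(rlist_output):
    """Return the set of profile names from RLIST PROPCNTL * output."""
    return set(re.findall(r"^PROPCNTL\s+(\S+)\s*$", rlist_output, re.MULTILINE))


def evaluate_racf0600(setropts_output, rlist_output, submitter_userids):
    """Apply check items (1) and (2); status is NO FINDING only if both hold."""
    class_active = "PROPCNTL" in active_classes(setropts_output)
    profiles = propcntl_profiles(rlist_output)
    missing = sorted(u.upper() for u in submitter_userids if u.upper() not in profiles)
    problems = []
    if not class_active:
        problems.append("PROPCNTL resource class is not active")
    problems += [f"no PROPCNTL profile for {u}" for u in missing]
    return {
        "status": "FINDING" if problems else "NO FINDING",
        "class_active": class_active,
        "missing_profiles": missing,
        "problems": problems,
    }


def remediation_commands(result, owner="ADMIN"):
    """Build the fix-text RDEF commands (plus class activation if needed).

    OWNER(ADMIN) follows the STIG's sample command; substitute your owning group.
    If your installation RACLISTs PROPCNTL, follow these with
    SETROPTS RACLIST(PROPCNTL) REFRESH so the new profiles take effect.
    """
    cmds = [f"RDEF PROPCNTL {u} UACC(NONE) OWNER({owner})" for u in result["missing_profiles"]]
    if not result["class_active"]:
        cmds.append("SETROPTS CLASSACT(PROPCNTL)")
    return cmds


if __name__ == "__main__":
    result = evaluate_racf0600(SETROPTS_SAMPLE, RLIST_SAMPLE, SUBMITTER_USERIDS)
    print(result["status"])
    for problem in result["problems"]:
        print("  -", problem)
    for cmd in remediation_commands(result):
        print(cmd)
```

With the constructed samples the class is active but CICSTST and ROSCOE have no profile, so the result is a FINDING and the script prints the two RDEF commands needed to close it; running it against a submitter list that is fully covered returns NO FINDING.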
