Started Tasks are improperly defined to RACF.

From z/OS RACF STIG

Part of RACF0650

Associated with IA controls: DCCS-1, DCCS-2

SV-289r1_rule Started Tasks are improperly defined to RACF.

Vulnerability discussion

Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources. If the started procedure is associated with an incorrect user or a user with higher than necessary authority then a potential vulnerability exists.

Check content

I. STC Group IDs a) Refer to the following reports produced by the RACF Data Collection: - DSMON.RPT(RACSPT) - RACFCMDS.RPT(LISTGRP) Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system. b) Ensure the following items are in effect: 1) All started task userids are connected to a valid STC group ID. 2) Only userids associated with STCs are connected to STC group IDs. 3) All STC userids are defined with the PROTECTED attribute. c) If (b) above is true, there is NO FINDING. d) If (b) above is untrue, this is a FINDING. II. STC Default Profile a) Ensure the following items are in effect: 1) A generic catch all profile of ** is defined to the STARTED resource class. 2) The STC group associated with the ** profile is not granted any explicit data set or resource access authorizations. 3) The STC userid associated with the ** profile is not granted any explicit dataset or resource access authorizations and is defined with the RESTRICTED attribute. NOTE: Execute the JCL in CNTL(IRRUT100) using the STC group associated with the ** profile as SYSIN input. This report lists all occurrences of this group within the RACF database, including data set and resource access lists. b) If (a) above is true, there is NO FINDING. c) If (a) above is untrue, this is a FINDING. III. ICHRIN03 Entries a) Verify that the ICHRIN03 started procedures table is maintained to support recovery efforts in the event the STARTED resource class is deactivated or critical STC profiles are deleted. Ensure that STCs critical to support this recovery effort (e.g., JES2, VTAM, TSO, etc.) are maintained in ICHRIN03 to reflect the current STARTED resource class profiles. b) If (a) above is true, there is NO FINDING. c) If (a) above is untrue, this is a FINDING.

Fix text

Review all STCs for compliance to Sections I, II, and III. Corrections can be made as follows. Note that the commands listed below are samples. Section I 1. Connect a STC userid to a STC group. Sample command: CO GROUP() OWNER() 2. If any non-STC userids are connected to a STC group, then should be removed. Sample command: RE GROUP() 3. Set up STC userids with the PROTECTED attribute. Sample command: ALU NOPASSWORD NOOIDCARD Section II 1. Define a generic catch all profile. Sample command: RDEF STARTED ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(STCDFLT) GROUP(#STCDFLT) TRACE(YES)) 2. Run IRRUT100 against the group specified in the STARTED class ** profile. Remove this group from any access lists. Sample command: PE CL() ID(<#STCDFLT or altername group name>) DEL. 3. Set up the userid as Restricted with the command: ALU RESTRICTED. Remove from any and all access lists using the same steps as found in the previous item. Section III The IBM zOS Security Server RACF library documents procedures for updating ICHRIN03 (The RACF Started Procedures Table). With each SSOPAC release, the SSO includes a ICHRIN03 table that contains entries necessary for system recovery: JES2, VTAM, TSO, and the RACF subsystem. Evaluate the impact of the change and develop a plan of action to implement the changes as required.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer