From z/OS TSS STIG
Part of ZJES0060
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1, IAGA-1
Surrogate users / Cross Authorization ACIDs have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users / Cross Authorization ACIDs run with the identity of the execution user. Failure to properly control surrogate users / Cross Authorization ACIDs could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection:
- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(@ALL)
If no XA ACID entries exist in the above reports, there is NO FINDING.
For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions:
1) ACID permission (XA ACID) is logged (ACTION = AUDIT); for Privileged USERIDs (MASTER, SCA, DCA, VCA, ZCA) this applies only if they are XAUTH.
2) Access authorization is restricted to the minimum number of personnel (ACCESSORID) required for running production jobs.
3) Production batch ACIDs shall be cross authorized to the scheduling task, such as CONTROLM, without logging.
4) Production batch ACIDs shall be limited to the scheduling task. Temporary Cross Authorization of a production batch ACID could be allowed for a period of up to 7 days for testing by the appropriate, specific production Support Team members if such access is requested in writing.
5) Access authorization is restricted to the minimum number of personnel (ACCESSORID) required for running production jobs. However, ACID Cross Authorization usage shall not become the default for all jobs submitted by individual userids (i.e., system programmers shall use their assigned individual userids for software installation duties, whereas a Cross Authorized ACID would normally be utilized for scheduled batch production only and as such shall normally be limited to the scheduling task such as CONTROLM), and it shall not be granted on a normal daily basis to individual users. Any usage of a Cross Authorized ACID as a Group Account/userid is prohibited by DoD IA Control IAGA.
For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions: ACID permission (XA ACID) is logged (ACTION = AUDIT), except for the scheduling task. Access authorization is restricted as indicated above.
Apply the following recommendations when implementing security for Cross Authorized ACIDs:
(1) ACID Cross Authorization of ACIDs outside of those granted to the scheduling software shall be kept to a minimum number of individuals and be of a temporary nature as indicated above. Best IA practice is to have no ACID Cross Authorization except for the appropriate scheduling task/software for production scheduling purposes, as documented.
(2) Grant access to the user ACID for each cross authorization of an ACID. For example:
TSS PERMIT(acid) ACID(cross-authorized-acid) ACTION(AUDIT)
For production ACIDs being used by CONTROLM:
TSS PER(CONTROLM) ACID(production-user-acid)
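The review steps above (scheduler grants may run unlogged; every other XA ACID grant must carry ACTION(AUDIT) and be temporary, at most 7 days) can be applied mechanically once the XA ACID entries have been extracted from the TSSCMDS reports. The following is an added example, not part of the STIG text or any CA/Broadcom tooling. It assumes the entries have already been pulled into a simple whitespace-separated listing (a constructed format, not the real TSSCMDS.RPT layout), with CONTROLM as the scheduling task name, and it reports the findings a reviewer would write up.

```python
"""Check TSS cross-authorization (XA ACID) grants against the STIG rules above.

Assumed input format (constructed for this example; it is NOT the layout of
TSSCMDS.RPT): one grant per line, five whitespace-separated fields:
    ACCESSORID  XA_ACID  ACTION  GRANTED  EXPIRES
where ACTION is AUDIT or '-', and dates are YYYY-MM-DD or '-' when unknown.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Name of the production scheduling task (taken from the STIG text); assumed
# to be the only accessor permitted to hold XA ACID grants without logging.
SCHEDULER_ACIDS = {"CONTROLM"}
MAX_TEMP_DAYS = 7  # maximum duration of a temporary cross authorization


@dataclass
class XaGrant:
    accessorid: str            # ACID allowed to submit on behalf of xa_acid
    xa_acid: str               # execution ACID that is being cross-authorized
    action: str                # "AUDIT" when the grant is logged, "" otherwise
    granted: Optional[date]
    expires: Optional[date]


def _parse_date(token: str) -> Optional[date]:
    return None if token == "-" else datetime.strptime(token, "%Y-%m-%d").date()


def parse_grants(text: str) -> list[XaGrant]:
    """Parse the constructed listing; '#' lines are comments."""
    grants = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        accessor, xa_acid, action, granted, expires = line.split()
        grants.append(XaGrant(
            accessorid=accessor.upper(),
            xa_acid=xa_acid.upper(),
            action="" if action == "-" else action.upper(),
            granted=_parse_date(granted),
            expires=_parse_date(expires),
        ))
    return grants


def evaluate(grants: list[XaGrant]) -> list[tuple[str, str, str]]:
    """Return (accessorid, xa_acid, reason) for every grant that fails the check."""
    findings = []
    for g in grants:
        if g.accessorid in SCHEDULER_ACIDS:
            # Item 3: the scheduling task is cross authorized without logging.
            continue
        if g.action != "AUDIT":
            findings.append((g.accessorid, g.xa_acid,
                             "non-scheduler XA ACID grant is not logged (ACTION(AUDIT) missing)"))
        # Item 4: anything outside the scheduler must be temporary, at most 7 days.
        if g.granted is None or g.expires is None:
            findings.append((g.accessorid, g.xa_acid,
                             "non-scheduler XA ACID grant has no documented grant/expiry dates"))
        elif (g.expires - g.granted).days > MAX_TEMP_DAYS:
            findings.append((g.accessorid, g.xa_acid,
                             f"temporary grant exceeds {MAX_TEMP_DAYS} days"))
    return findings


# Constructed sample listing; ACID names and dates are made up for illustration.
SAMPLE_LISTING = """\
# ACCESSORID XA_ACID  ACTION GRANTED    EXPIRES
CONTROLM     PRODBAT1 -      -          -
CONTROLM     PRODBAT2 -      -          -
SYSPRG01     PRODBAT1 AUDIT  2024-03-01 2024-03-06
SYSPRG02     PRODBAT2 -      2024-03-01 2024-03-06
SYSPRG03     PRODBAT1 AUDIT  2024-03-01 2024-04-01
"""


def audit_sample() -> list[tuple[str, str, str]]:
    return evaluate(parse_grants(SAMPLE_LISTING))


if __name__ == "__main__":
    for accessor, xa_acid, reason in audit_sample():
        print(f"FINDING: {accessor} -> {xa_acid}: {reason}")
```

On the constructed listing the two CONTROLM grants pass, SYSPRG01 passes (logged, 5-day window), SYSPRG02 is flagged for the missing ACTION(AUDIT), and SYSPRG03 is flagged because its 31-day window exceeds the 7-day limit.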