Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-160 | ACF0580 | SV-160r2_rule | DCCS-1 DCCS-2 | Medium |
Description |
---|
Unauthorized jobs may be introduced into the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data. |
STIG | Date |
---|---|
z/OS ACF2 STIG | 2019-03-26 |
Check Text ( C-242r1_chk ) |
---|
a) Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTRESTR) Automated Analysis Refer to the following report produced by the ACF2 Data Collection Checklist: - PDI(ACF0580) b) If the logonids that are associated with batch jobs have the RESTRICT attribute, then the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute specified. c) If all restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, and/or the SOURCE(xxxxxxxx) attribute, there is NO FINDING. d) If the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute is not specified for any restricted logonids, this is a FINDING. |
Fix Text (F-27330r1_fix) |
---|
Ensure associated LOGONIDs exist for all batch jobs and restrict access to required resources only. All batch jobs scheduled via an automation process will use the //*LOGONID xxxxxxxx card in the JCL stream to identify the userid. Use restricted logonids with the following parameter coded: RESTRICT One or both of the following will also be specified: PGM(xxxxxxxx) and SUBAUTH SOURCE(xxxxxxxx) The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for batch processing will not be used. The use of USER= can also be used in the jobcard to identify the userid to be used for a job's processing. |