
IBM z/OS Started Tasks must be properly defined to RACF.


Overview

Finding ID   Version          Rule ID            IA Controls   Severity
V-98147      RACF-ES-000730   SV-107251r1_rule                 Medium
Description
Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources. If the started procedure is associated with an incorrect user or a user with higher than necessary authority then a potential vulnerability exists.
STIG                                                    Date
IBM z/OS RACF Security Technical Implementation Guide   2020-06-29

Details

Check Text (C-96983r1_chk)
Ask the system administrator for a list of started tasks available on the system.

For each identified started task, if all of the following are true, this is not a finding.

If any of the following are untrue, this is a finding.

- All started task userids are connected to a valid STC group ID.
- Only userids associated with STCs are connected to STC group IDs.
- All STC userids are defined with the PROTECTED attribute.

From the ISPF Command Shell, enter:
RL STARTED
(Alternatively, run the RACF DSMON utility and review the RACSPT report.)

If all of the following are true, this is not a finding.

If any of the following are untrue, this is a finding.

- A generic catch-all profile of ** is defined to the STARTED resource class.
- The STC group associated with the ** profile is not granted any explicit data set or resource access authorizations.
- The STC userid associated with the ** profile is not granted any explicit data set or resource access authorizations and is defined with the RESTRICTED attribute.

NOTE: Execute the JCL in CNTL(IRRUT100) with the STC group associated with the ** profile as SYSIN input. The resulting report lists every occurrence of that group within the RACF database, including data set and resource access lists.

Refer to the DSMON RACSPT report.

If the ICHRIN03 started procedures table is maintained to support recovery efforts in the event the STARTED resource class is deactivated or critical STC profiles are deleted, this is not a finding.

If STCs critical to support this recovery effort (e.g., JES2, VTAM, TSO, etc.) are maintained in ICHRIN03 to reflect the current STARTED resource class profiles, this is not a finding.
Fix Text (F-103823r1_fix)
Review all STCs for compliance.

Connect a STC userid to a STC group. Sample command (angle-bracket values are placeholders to be supplied): CO <stc userid> GROUP(<stc group>) OWNER(<owner>)

If any non-STC userids are connected to a STC group, remove them from it. Sample command: RE <userid> GROUP(<stc group>)

Set up STC userids with the PROTECTED attribute. Sample command: ALU <stc userid> NOPASSWORD NOOIDCARD

Define a generic catch-all profile. Sample command: RDEF STARTED ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(STCDFLT) GROUP(#STCDFLT) TRACE(YES))

Run IRRUT100 against the group specified in the STARTED class ** profile and remove this group from any access lists it appears in. Sample command: PE <profile> CL(<class>) ID(<#STCDFLT or alternate group name>) DEL

Set up the userid as RESTRICTED with the command ALU <stc userid> RESTRICTED, and remove it from any and all access lists using the same steps as in the previous item.
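The check conditions above (every STC userid connected to an STC group, only STC userids in STC groups, the PROTECTED attribute, the ** catch-all profile and its RESTRICTED userid) and the matching fix commands can be evaluated mechanically from RACF command output rather than by eye. The following Python script is an added example, not part of the STIG or of any IBM tooling: it parses constructed, simplified extracts of RLIST STARTED and LISTUSER output (real output carries more fields and columns; the layout assumed here is an approximation), evaluates each condition, and prints the sample fix command from the fix text with the placeholders filled in. The set of valid STC groups (STC_GROUPS) is a site-specific assumption.

```python
"""Audit RACF started-task (STC) definitions against the check text of this STIG.
Added example; the RLIST STARTED and LISTUSER extracts are constructed approximations."""
import re
from collections import namedtuple

STC_GROUPS = {"STCGROUP", "#STCDFLT"}  # assumption: the site's groups reserved for STCs
# Catch-all profile definition, exactly as given in the fix text.
RDEF_CATCHALL = ("RDEF STARTED ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) "
                 "STDATA(USER(STCDFLT) GROUP(#STCDFLT) TRACE(YES))")

# Constructed, simplified RLIST STARTED extract: each profile line is followed by its STDATA values.
RLIST_STARTED = """\
STARTED    JES2.* (G)
USER= JES2
GROUP= STCGROUP
STARTED    DB2MSTR.* (G)
USER= DBSTC
GROUP= STCGROUP
STARTED    ** (G)
USER= STCDFLT
GROUP= #STCDFLT
"""

# Constructed, simplified LISTUSER extract: header in column 1, ATTRIBUTES line, one GROUP= line per connect.
LISTUSER = """\
USER=JES2      NAME=JES2 STARTED TASK    OWNER=ADMIN    CREATED=05.123
 DEFAULT-GROUP=STCGROUP PASSDATE=N/A    PASS-INTERVAL=N/A
 ATTRIBUTES=PROTECTED
  GROUP=STCGROUP  AUTH=USE  CONNECT-OWNER=ADMIN
USER=DBSTC     NAME=DB2 STARTED TASK     OWNER=DBADMIN  CREATED=07.200
 ATTRIBUTES=NONE
  GROUP=DBGRP     AUTH=USE  CONNECT-OWNER=DBADMIN
USER=STCDFLT   NAME=DEFAULT STC USERID   OWNER=ADMIN    CREATED=05.123
 ATTRIBUTES=PROTECTED RESTRICTED
  GROUP=#STCDFLT  AUTH=USE  CONNECT-OWNER=ADMIN
USER=BATCH01   NAME=BATCH OPERATOR       OWNER=OPS      CREATED=09.050
 ATTRIBUTES=NONE
  GROUP=STCGROUP  AUTH=USE  CONNECT-OWNER=OPS
"""

# check: the failed condition; subject: userid or profile; fix: fix-text command with placeholders filled in
Finding = namedtuple("Finding", "check subject fix")

def parse_rlist_started(text):
    """Map each STARTED profile name to its STDATA USER and GROUP values."""
    profiles, current = {}, None
    for line in text.splitlines():
        prof = re.match(r"STARTED\s+(\S+)", line)
        data = re.match(r"\s*(USER|GROUP)=\s*(\S+)", line)
        if prof:
            current = profiles[prof.group(1)] = {"user": None, "group": None}
        elif data and current is not None:
            current[data.group(1).lower()] = data.group(2)
    return profiles

def parse_listuser(text):
    """Map each userid to its attribute set and the groups it is connected to."""
    users, current = {}, None
    for line in text.splitlines():
        head = re.match(r"USER=(\S+)", line)  # record headers start in column 1
        attrs = re.match(r"\s+ATTRIBUTES=(.*)", line)
        conn = re.match(r"\s+GROUP=(\S+)\s+AUTH=", line)  # connect entries only, not DEFAULT-GROUP
        if head:
            current = users[head.group(1)] = {"attributes": set(), "groups": set()}
        elif attrs and current is not None:
            current["attributes"] = set(attrs.group(1).split()) - {"NONE"}
        elif conn and current is not None:
            current["groups"].add(conn.group(1))
    return users

def audit(profiles, users, stc_groups):
    """Evaluate the check conditions; each failure carries its remediation command."""
    findings, none = [], {"attributes": set(), "groups": set()}
    stc_users = {p["user"] for p in profiles.values() if p["user"]}
    for data in (d for d in profiles.values() if d["user"]):
        uid, grp = data["user"], data["group"] or "<stc-group>"  # placeholder if STDATA names no group
        info = users.get(uid, none)
        if not info["groups"] & stc_groups:
            findings.append(Finding("STC userid connected to an STC group", uid,
                                    f"CO {uid} GROUP({grp}) OWNER({grp})"))
        if "PROTECTED" not in info["attributes"]:
            findings.append(Finding("STC userid has PROTECTED", uid, f"ALU {uid} NOPASSWORD NOOIDCARD"))
    for uid, info in users.items():
        if uid not in stc_users:
            for grp in sorted(info["groups"] & stc_groups):
                findings.append(Finding("only STC userids in STC groups", uid, f"RE {uid} GROUP({grp})"))
    catchall = profiles.get("**")
    if catchall is None:
        findings.append(Finding("catch-all ** profile in STARTED", "**", RDEF_CATCHALL))
    elif "RESTRICTED" not in users.get(catchall["user"], none)["attributes"]:
        findings.append(Finding("** userid has RESTRICTED", catchall["user"],
                                f"ALU {catchall['user']} RESTRICTED"))
    return findings

def run_audit():
    """Audit the constructed extracts and print each finding with its fix command."""
    findings = audit(parse_rlist_started(RLIST_STARTED), parse_listuser(LISTUSER), STC_GROUPS)
    for f in findings:
        print(f"FINDING [{f.check}] {f.subject}: {f.fix}")
    return findings

if __name__ == "__main__":
    run_audit()
```

On the constructed data the script reports three findings: DBSTC is named in a STARTED profile but is neither connected to an STC group nor PROTECTED, and BATCH01 is a non-STC userid connected to STCGROUP. The two access-list conditions on the ** group and userid are not covered here, since they depend on the IRRUT100 (or DSMON RACSPT) output rather than on RLIST and LISTUSER; the emitted commands are review candidates for the security administrator, not something to submit blindly.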

The IBM z/OS Security Server RACF library documents procedures for updating ICHRIN03 (the RACF started procedures table). With each SSOPAC release, the SSO includes an ICHRIN03 table that contains the entries necessary for system recovery: JES2, VTAM, TSO, and the RACF subsystem.

Evaluate the impact of the change and develop a plan of action to implement the changes as required.