UCF STIG Viewer Logo

IBM RACF batch jobs must be properly secured.


Overview

Finding ID Version Rule ID IA Controls Severity
V-223672 RACF-ES-000240 SV-223672r853578_rule Medium
Description
Batch jobs that are submitted to the operating system should inherit the USERID of the submitter. This will identify the batch job with a userid for the purpose of accessing resources. BATCHALLRACF ensures that a valid USERID is associated with batch jobs. Jobs that are submitted to the operating system via a scheduling facility must also be identified to the system. Without a batch job having an associated USERID, access to system resources will be limited. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000326-GPOS-00126
STIG Date
IBM z/OS RACF Security Technical Implementation Guide 2022-09-19

Details

Check Text ( C-25345r516739_chk )
Refer to the documentation of the processes used for submission of batch jobs via an automated process (i.e., scheduler or other sources) and each of the associated userids. Determine any other scheduled batch jobs on the system.

From an ISPF Command Shell enter:
RLIST SURROGAT *

If each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile, this is not a finding.

From an ISPF Command Shell enter:
RLIST SURROGAT ALL

If the Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles, this is not a finding.
Fix Text (F-25333r516740_fix)
Configure each batch job userid used for batch submission by a Job Scheduler (e.g., CONTROL-M, CA-7, CA-Scheduler, etc.) is defined as an execution-userid in a SURROGAT resource class profile. For example:

RDEFINE SURROGAT execution-userid.SUBMIT UACC(NONE)
OWNER(execution-userid)

Configure Job Scheduler userids (i.e., surrogate-userid) are permitted surrogate authority to the appropriate SURROGAT profiles. For example:

PERMIT execution-userid.SUBMIT CLASS(SURROGAT)
ID(surrogate-userid) ACCESS(READ)