Started tasks for zSecure products must be properly defined.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-259731	ZSEC-00-000100	SV-259731r943252_rule		Medium

Description
Started tasks and batch job IDs can be automatically revoked accidentally if not properly protected. When properly protected STCs prevent any attempts to log on with a password, it eliminates the possibility of revocation due to excessive invalid password attempts (denial of service).

STIG	Date
IBM zSecure Suite Security Technical Implementation Guide	2024-01-18

Details

Check Text ( C-63470r943251_chk )
If user IDs assigned to zSecure started tasks and scheduled batch jobs are not assigned the PROTECTED attribute and/or defined as an STC, this is a finding. The default zSecure STC names (that may be changed by installation) are as follows: - STC C2PACMON runs program C2PACMON. - STC C2POLICE runs program C2POLICE. - STC C2PCOLL runs program CKFCOLL. (CKFCOLL is also run as a step in batch jobs.) - STC C2RSERVE runs program BPXBATCH. - STC CKCS1154 runs program CKCS1154. - STC CKNSERVE runs program CKNSERVE. - STC CKCCEF runs program CKRCARLX. - STC CKQCLEEF runs program CKRCARLX. - STC CKQEXSMF runs program CKQEXSMF. - STC CKQRADAR runs program CKRCARLA. - STC CKXLOG runs program CKXLOG. Verify the naming conventions for the zSecure STCs and batch jobs with the responsible systems programmers. Check which user IDs are assigned in the STDATA segment of the zSecure STCs. For these user IDs, verify they are assigned the PROTECTED attribute.

Check Text ( C-63470r943251_chk )

If user IDs assigned to zSecure started tasks and scheduled batch jobs are not assigned the PROTECTED attribute and/or defined as an STC, this is a finding.

The default zSecure STC names (that may be changed by installation) are as follows:

- STC C2PACMON runs program C2PACMON.
- STC C2POLICE runs program C2POLICE.
- STC C2PCOLL runs program CKFCOLL. (CKFCOLL is also run as a step in batch jobs.)
- STC C2RSERVE runs program BPXBATCH.
- STC CKCS1154 runs program CKCS1154.
- STC CKNSERVE runs program CKNSERVE.
- STC CKCCEF runs program CKRCARLX.
- STC CKQCLEEF runs program CKRCARLX.
- STC CKQEXSMF runs program CKQEXSMF.
- STC CKQRADAR runs program CKRCARLA.
- STC CKXLOG runs program CKXLOG.

Verify the naming conventions for the zSecure STCs and batch jobs with the responsible systems programmers.

Check which user IDs are assigned in the STDATA segment of the zSecure STCs. For these user IDs, verify they are assigned the PROTECTED attribute.

Fix Text (F-63377r943226_fix)
Ensure user IDs assigned to zSecure started tasks and scheduled batch jobs are assigned the PROTECTED attribute and/or defined as a STC. The following command is provided as a sample for adding the PROTECTED attribute. - ALTUSER NOPASSWORD NOPHRASE - ALTUSER NOPASSWORD NOPHRASE