Surrogate users are not controlled in accordance with the proper requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-54	ZJES0060	SV-54r2_rule	DCCS-1 DCCS-2 ECCD-1 ECCD-2 IAGA-1	Medium

Description
Surrogate users have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users run with the identity of the execution user. Failure to properly control surrogate users could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Description

Surrogate users have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users run with the identity of the execution user. Failure to properly control surrogate users could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS ACF2 STIG	2015-06-24

Details

Check Text ( C-35313r1_chk )
a) Refer to the following reports produced by the ACF2 Data Collection: - SENSITVE.RPT(SURROGAT) - ACF2CMDS.RPT(RESOURCE) – Alternate report - ACF2CMDS.RPT(ACFGSO) b) Review the ACFGSO report. If CLASMAP defines SURROGAT as TYPE(SUR), there is NO FINDING. NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters. c) If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, there is NO FINDING. d) If executionuserid.SUBMIT resources are defined to the SURROGAT resource class, review resource rules for TYPE(SUR) and ensure the following items are in effect: 1) All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT. 2) All resource access is logged, except for scheduling tasks. 3) Access authorization is restricted to the minimum number of personnel required for running production jobs. e) If all items in (b), (c) and (d) are true, there is NO FINDING. e) If any item in (b), (c) or (d) is untrue, this is a FINDING

Check Text ( C-35313r1_chk )

a) Refer to the following reports produced by the ACF2 Data Collection:

- SENSITVE.RPT(SURROGAT)
- ACF2CMDS.RPT(RESOURCE) – Alternate report
- ACF2CMDS.RPT(ACFGSO)

b) Review the ACFGSO report. If CLASMAP defines SURROGAT as TYPE(SUR), there is NO FINDING.

NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters.

c) If no executionuserid.SUBMIT resources are defined to the SURROGAT resource class, there is NO FINDING.

d) If executionuserid.SUBMIT resources are defined to the SURROGAT resource class, review resource rules for TYPE(SUR) and ensure the following items are in effect:

1) All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT.
2) All resource access is logged, except for scheduling tasks.
3) Access authorization is restricted to the minimum number of personnel required for running production jobs.

e) If all items in (b), (c) and (d) are true, there is NO FINDING.

e) If any item in (b), (c) or (d) is untrue, this is a FINDING

Fix Text (F-30558r1_fix)
The IAO will ensure If executionuserid.SUBMIT resources are defined to the SURROGAT resource class all executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default of no access, all access is logged unless it is a scheduling task and access authorization is restricted to the minimum number of personnel required for running production jobs. Ensure the CLASMAP defines SURROGAT as TYPE(SUR). NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters. Ensure the following items are in effect: 1) All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT. 2) All resource access is logged except for sheduling tasks. 3) Access authorization is restricted to the minimum number of personnel required for running production jobs. Example: $KEY(SRRAUDT) TYPE(SUR) SUBMIT UID(*****STC***CONTROLM) ALLOW - UID() PREVENT

Fix Text (F-30558r1_fix)

The IAO will ensure If executionuserid.SUBMIT resources are defined to the SURROGAT resource class all executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default of no access, all access is logged unless it is a scheduling task and access authorization is restricted to the minimum number of personnel required for running production jobs.

Ensure the CLASMAP defines SURROGAT as TYPE(SUR).

NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters.

Ensure the following items are in effect:

1) All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT.

2) All resource access is logged except for sheduling tasks.

3) Access authorization is restricted to the minimum number of personnel required for running production jobs.

Example:

$KEY(SRRAUDT) TYPE(SUR)
SUBMIT UID(*******STC******CONTROLM) ALLOW
- UID(*) PREVENT