There are batch jobs with restricted LOGONIDs that do not have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-160	ACF0580	SV-160r2_rule	DCCS-1 DCCS-2	Medium

Description
Unauthorized jobs may be introduced into the system. This could result in the compromise of the confidentiality, integrity, and availability of the operating system, ACP, or customer data.

STIG	Date
z/OS ACF2 STIG	2019-12-12

Details

Check Text ( C-242r1_chk )
a) Refer to the following report produced by the ACF2 Data Collection: - ACF2CMDS.RPT(ATTRESTR) Automated Analysis Refer to the following report produced by the ACF2 Data Collection Checklist: - PDI(ACF0580) b) If the logonids that are associated with batch jobs have the RESTRICT attribute, then the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute specified. c) If all restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, and/or the SOURCE(xxxxxxxx) attribute, there is NO FINDING. d) If the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute is not specified for any restricted logonids, this is a FINDING.

Check Text ( C-242r1_chk )

a) Refer to the following report produced by the ACF2 Data Collection:

- ACF2CMDS.RPT(ATTRESTR)

Automated Analysis
Refer to the following report produced by the ACF2 Data Collection Checklist:

- PDI(ACF0580)

b) If the logonids that are associated with batch jobs have the RESTRICT attribute, then the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute specified.

c) If all restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, and/or the SOURCE(xxxxxxxx) attribute, there is NO FINDING.

d) If the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute is not specified for any restricted logonids, this is a FINDING.

Fix Text (F-27330r1_fix)
Ensure associated LOGONIDs exist for all batch jobs and restrict access to required resources only. All batch jobs scheduled via an automation process will use the //*LOGONID xxxxxxxx card in the JCL stream to identify the userid. Use restricted logonids with the following parameter coded: RESTRICT One or both of the following will also be specified: PGM(xxxxxxxx) and SUBAUTH SOURCE(xxxxxxxx) The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for batch processing will not be used. The use of USER= can also be used in the jobcard to identify the userid to be used for a job's processing.

Fix Text (F-27330r1_fix)

Ensure associated LOGONIDs exist for all batch jobs and restrict access to required resources only.

All batch jobs scheduled via an automation process will use the //*LOGONID xxxxxxxx card in the JCL stream to identify the userid. Use restricted logonids with the following parameter coded:

RESTRICT

One or both of the following will also be specified:

PGM(xxxxxxxx) and SUBAUTH
SOURCE(xxxxxxxx)

The use of default IDs prevents the identification of tasks with individual users as mandated by policy, and prevents adequate accountability. Default IDs for batch processing will not be used.

The use of USER= can also be used in the jobcard to identify the userid to be used for a job's processing.