UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Started Tasks are improperly defined to RACF.


Overview

Finding ID Version Rule ID IA Controls Severity
V-289 RACF0650 SV-289r2_rule DCCS-1 DCCS-2 Medium
Description
Started procedures have system generated job statements that do not contain the user, group, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID. If a USERID is not associated with the started procedure, the started procedure will not have access to the resources. If the started procedure is associated with an incorrect user or a user with higher than necessary authority then a potential vulnerability exists.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text ( C-19603r1_chk )
I. STC Group IDs

a) Refer to the following reports produced by the RACF Data Collection:

- DSMON.RPT(RACSPT)
- RACFCMDS.RPT(LISTGRP)

Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system.

b) Ensure the following items are in effect:

1) All started task userids are connected to a valid STC group ID.
2) Only userids associated with STCs are connected to STC group IDs.
3) All STC userids are defined with the PROTECTED attribute.

c) If (b) above is true, there is NO FINDING.

d) If (b) above is untrue, this is a FINDING.

II. STC Default Profile

a) Ensure the following items are in effect:

1) A generic catch all profile of ** is defined to the STARTED resource class.
2) The STC group associated with the ** profile is not granted any explicit data set or resource access authorizations.
3) The STC userid associated with the ** profile is not granted any explicit dataset or resource access authorizations and is defined with the RESTRICTED attribute.

NOTE: Execute the JCL in CNTL(IRRUT100) using the STC group associated with the ** profile as SYSIN input. This report lists all occurrences of this group within the RACF database, including data set and resource access lists.

b) If (a) above is true, there is NO FINDING.

c) If (a) above is untrue, this is a FINDING.

III. ICHRIN03 Entries

a) Verify that the ICHRIN03 started procedures table is maintained to support recovery efforts in the event the STARTED resource class is deactivated or critical STC profiles are deleted. Ensure that STCs critical to support this recovery effort (e.g., JES2, VTAM, TSO, etc.) are maintained in ICHRIN03 to reflect the current STARTED resource class profiles.

b) If (a) above is true, there is NO FINDING.

c) If (a) above is untrue, this is a FINDING.
Fix Text (F-17988r1_fix)
Review all STCs for compliance to Sections I, II, and III.

Corrections can be made as follows. Note that the commands listed below are samples.

Section I

1. Connect a STC userid to a STC group. Sample command: CO GROUP() OWNER()
2. If any non-STC userids are connected to a STC group, then should be removed. Sample command: RE GROUP()
3. Set up STC userids with the PROTECTED attribute. Sample command: ALU NOPASSWORD NOOIDCARD

Section II

1. Define a generic catch all profile. Sample command: RDEF STARTED ** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) STDATA(USER(STCDFLT) GROUP(#STCDFLT) TRACE(YES))
2. Run IRRUT100 against the group specified in the STARTED class ** profile. Remove this group from any access lists. Sample command: PE CL() ID(<#STCDFLT or altername group name>) DEL.
3. Set up the userid as Restricted with the command: ALU RESTRICTED. Remove from any and all access lists using the same steps as found in the previous item.

Section III

The IBM zOS Security Server RACF library documents procedures for updating ICHRIN03 (The RACF Started Procedures Table). With each SSOPAC release, the SSO includes a ICHRIN03 table that contains entries necessary for system recovery: JES2, VTAM, TSO, and the RACF subsystem.

Evaluate the impact of the change and develop a plan of action to implement the changes as required.