
Surrogate users or Cross Authorized ACIDs are not controlled in accordance with the proper requirements.


Overview

Finding ID: V-54
Version: ZJES0060
Rule ID: SV-7347r2_rule
IA Controls: DCCS-1, DCCS-2, ECCD-1, ECCD-2, IAGA-1
Severity: Medium
Description
Surrogate users/Cross Authorization ACIDs have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users/Cross Authorization ACIDs run with the identity of the execution user. Failure to properly control surrogate users/Cross Authorization ACIDs could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment and compromise the confidentiality of customer data.
STIG: z/OS TSS STIG
Date: 2015-06-24

Details

Check Text ( C-35144r1_chk )
Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection:

- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(@ALL)

If no XA ACID entries exist in the above reports, there is NO FINDING.

For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions:

1) ACID permission (XA ACID) is logged (ACTION = AUDIT), only for Privileged USERIDS (MASTER, SCA, DCA, VCA, ZCA) if they are XAUTH.
2) Access authorization is restricted to the minimum number of personnel (ACCESSORID) required for running production jobs.
3) Production batch ACIDS shall be cross authorized to the scheduling task, such as CONTROLM without logging.
4) Production Batch ACIDs shall be limited to the scheduling task; temporary Cross Authorization of the production batch ACID could be allowed for a period of up to 7 days for testing by the appropriate production Support Team members if such access is requested in writing.
5) Access authorization is restricted to the minimum number of personnel (ACCESSORID) required for running production jobs. However, ACID Cross Authorization usage shall not become the default for all jobs submitted by individual userids (i.e., system programmers shall use their assigned individual userids for software installation duties, whereas a Cross Authorized ACID would normally be used for scheduled batch production only and as such shall normally be limited to the scheduling task, such as CONTROLM), and it shall not be granted on a normal daily basis to individual users. Any usage of a Cross Authorized ACID as a Group Account/userid is prohibited by DoD IA Control IAGA.
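The review of the XA ACID entries above can be scripted against the report text. The following is an added example, not part of the STIG or of the TSS product: it parses a constructed sample of TSS LIST style output (the exact column layout is assumed), applies items 1 and 3 (every XA ACID permit except the one to the scheduling task must carry ACTION = AUDIT), and lists each execution ACID's ACCESSORIDs so a reviewer can judge items 2, 4 and 5.

```python
import re
from collections import defaultdict

# Constructed sample report lines modelled on TSS LIST output; the layout is
# an assumption for this example and is not taken from the STIG text.
SAMPLE_REPORT = """\
ACCESSORID = CONTROLM  NAME     = PRODUCTION SCHEDULER
XA ACID    = PRODBAT1  OWNER(PRODMGR)
ACCESSORID = USER01    NAME     = J DOE
XA ACID    = PRODBAT1  OWNER(PRODMGR)
   ACTION   = AUDIT
ACCESSORID = USER02    NAME     = A SMITH
XA ACID    = PRODBAT1  OWNER(PRODMGR)
ACCESSORID = USER03    NAME     = B JONES
XA ACID    = PRODBAT2  OWNER(PRODMGR)
   ACTION   = AUDIT
"""

# Scheduling task named in the STIG; cross authorization to it needs no logging.
SCHEDULING_TASKS = {"CONTROLM"}


def parse_xa_acids(report):
    """Return (accessorid, execution_acid, audited) tuples for each XA ACID entry."""
    entries, accessorid = [], None
    for line in report.splitlines():
        m = re.match(r"ACCESSORID\s*=\s*(\S+)", line)
        if m:
            accessorid = m.group(1)       # start of a new ACID's listing
            continue
        m = re.match(r"XA ACID\s*=\s*(\S+)", line)
        if m:
            entries.append([accessorid, m.group(1), False])
            continue
        if entries and re.match(r"\s+ACTION\s*=\s*AUDIT", line):
            entries[-1][2] = True         # ACTION = AUDIT belongs to the preceding XA ACID
    return [tuple(e) for e in entries]


def evaluate(entries, scheduling_tasks=SCHEDULING_TASKS):
    """Flag unlogged XA ACID permits (items 1 and 3) and map execution ACIDs to accessors."""
    findings, accessors = [], defaultdict(set)
    for accessorid, exec_acid, audited in entries:
        accessors[exec_acid].add(accessorid)
        if accessorid in scheduling_tasks:
            continue                      # item 3: scheduler is cross authorized without logging
        if not audited:
            findings.append(f"{accessorid} -> {exec_acid}: XA ACID permit lacks ACTION = AUDIT")
    return findings, {acid: sorted(users) for acid, users in accessors.items()}


if __name__ == "__main__":
    found, who = evaluate(parse_xa_acids(SAMPLE_REPORT))
    print("\n".join(found) or "no unlogged XA ACID permits")
    for acid, users in who.items():
        print(f"{acid}: {len(users)} ACCESSORID(s): {', '.join(users)}")
```

Run against the real TSSCMDS.RPT(@ACIDS) and TSSCMDS.RPT(@ALL) reports, an empty findings list with every execution ACID cross authorized only to the scheduling task corresponds to NO FINDING; any other accessor in the map is the population to justify under items 2 through 5.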
Fix Text (F-30514r1_fix)
For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions:

ACID permission (XA ACID) is logged (ACTION = AUDIT), except for the permit granted to the scheduling task.

Access authorization is restricted as indicated above.

Apply the following recommendations when implementing security for Cross Authorized ACIDs:

(1) Cross Authorization of ACIDs beyond those granted to the scheduling software shall be kept to a minimum number of individuals and be of a temporary nature, as indicated above. Best IA practice is to have no ACID Cross Authorization except for the appropriate scheduling task/software for production scheduling purposes, as documented.

(2) Grant access to the user ACID for each cross authorization of ACID:

For Example:

TSS PERMIT(ACID) ACID(Cross Authorized ACID) ACTION(AUDIT)

For production ACIDS being used by CONTROLM:

TSS PER(CONTROLM) ACID(production user ACID)