Started tasks must be properly defined to Top Secret.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-230	TSS0820	SV-230r3_rule	DCCS-1 DCCS-2 ECCD-1 ECCD-2	Medium

Description
Started procedures have system generated job statements that do not contain the user, or password statements. To enable the started procedure to access the same protected resources that users and groups access, started procedures must have an associated USERID/ACID. If a USERID/ACID is not associated with the started procedure, the started procedure will not have access to the resources.

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-20018r2_chk )
Refer to the following reports produced by the TSS Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(#STC) Automated Analysis Refer to the following report produced by the TSS Data Collection: - PDI(TSS0820) Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system. Ensure that each Started Task ACID is properly defined. If the following guidance is true, this is not a finding. ___ All started tasks are assigned a unique user ACID or STC ACIDs will be unique per product and function if supported by vendor documentation. ___ Every ACID with the STC Facility has a corresponding entry defined in the STC record. ___ Every ACID defined in the STC record has a corresponding user ACID defined to TSS with the STC Facility. ___ All STC ACIDs will have a password generated in accordance with STIG requirements. ___ All STC ACIDs will be sourced to the internal reader (e.g., ADD(stc-acid) SOURCE(INTRDR). ___ The STC ACIDs may have the NOSUSPEND attribute.

Check Text ( C-20018r2_chk )

Refer to the following reports produced by the TSS Data Collection:

- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(#STC)

Automated Analysis
Refer to the following report produced by the TSS Data Collection:

- PDI(TSS0820)

Refer to a list of all started tasks (STCs) and associated userids with a brief description on the system.

Ensure that each Started Task ACID is properly defined. If the following guidance is true, this is not a finding.

___ All started tasks are assigned a unique user ACID or STC ACIDs will be unique per product and function if supported by vendor documentation.

___ Every ACID with the STC Facility has a corresponding entry defined in the STC record.

___ Every ACID defined in the STC record has a corresponding user ACID defined to TSS with the STC Facility.

___ All STC ACIDs will have a password generated in accordance with STIG requirements.

___ All STC ACIDs will be sourced to the internal reader (e.g., ADD(stc-acid) SOURCE(INTRDR).

___ The STC ACIDs may have the NOSUSPEND attribute.

Fix Text (F-18161r3_fix)
Review the STC record and all associated ACIDs. Ensure STCs and associated ACIDs are defined to the STC record. Restrict access to required resources only. Evaluate the impact of correcting the deficiency. Ensure TSS started task table record contains an entry for each Started Proc that maps the proc to a unique userid, or STC ACIDs will be unique per product and function if supported by vendor documentation. Develop a plan of action and implement the changes as specified: All STC ACIDs will have the STC facility. An STC also may be granted the FAC(BATCH) if it requires the capability to submit batch jobs to the internal reader. It should be noted, however, that this also will allow the STC itself to be executed as a batch job. TSS ADD(stc-acid) FACILITY(STC BATCH) Each STC ACID will be defined with a password following the password requirement guidelines. The only exception is that these passwords will be defined as non-expiring. In addition, each STC will have its own unique password. Defining a password for started tasks prevents a user from logging onto a system with the STC ACID. TSS REP(stc-acid) PASSWORD(xxxxxxxx,0) Ensure the OPTIONS control option specifies a value of 4 to disable password checking for STCs. Otherwise operators will be forced to supply a password when STCs are started. All STC ACIDs will be sourced to the internal reader. This control will further protect the unauthorized use of STC ACIDs. TSS ADD(stc-acid) SOURCE(INTRDR) Every STC will be defined to the STC table, associated with a specific procedure, and granted minimum access. TSS ADD(STC) PROCNAME(stc-proc) ACID(stc-acid) Note: The STC ACIDs may have the NOSUSPEND attribute to exempt an STC ACID from suspension for excessive violations. Review the STC record and all associated ACIDs. Ensure STCs and associated ACIDs are defined to the STC record. Restrict access to required resources only. Evaluate the impact of correcting the deficiency. Ensure TSS started task table record contains an entry for each Started Proc that maps the proc to a unique userid, or STC ACIDs will be unique per product and function if supported by vendor documentation. Develop a plan of action and implement the changes as specified: All STC ACIDs will have the STC facility. An STC also may be granted the FAC(BATCH) if it requires the capability to submit batch jobs to the internal reader. It should be noted, however, that this also will allow the STC itself to be executed as a batch job. TSS ADD(stc-acid) FACILITY(STC BATCH) Each STC ACID will be defined with a password following the password requirement guidelines. The only exception is that these passwords will be defined as non-expiring. In addition, each STC will have its own unique password. Defining a password for started tasks prevents a user from logging onto a system with the STC ACID. TSS REP(stc-acid) PASSWORD(xxxxxxxx,0) Ensure the OPTIONS control option specifies a value of 4 to disable password checking for STCs. Otherwise operators will be forced to supply a password when STCs are started. All STC ACIDs will be sourced to the internal reader. This control will further protect the unauthorized use of STC ACIDs. TSS ADD(stc-acid) SOURCE(INTRDR) Every STC will be defined to the STC table, associated with a specific procedure, and granted minimum access. TSS ADD(STC) PROCNAME(stc-proc) ACID(stc-acid) Note: The STC ACIDs may have the NOSUSPEND attribute to exempt an STC ACID from suspension for excessive violations.

Fix Text (F-18161r3_fix)

Review the STC record and all associated ACIDs. Ensure STCs and associated ACIDs are defined to the STC record. Restrict access to required resources only. Evaluate the impact of correcting the deficiency. Ensure TSS started task table record contains an entry for each Started Proc that maps the proc to a unique userid, or STC ACIDs will be unique per product and function if supported by vendor documentation. Develop a plan of action and implement the changes as specified:

All STC ACIDs will have the STC facility. An STC also may be granted the FAC(BATCH) if it requires the capability to submit batch jobs to the internal reader. It should be noted, however, that this also will allow the STC itself to be executed as a batch job.

TSS ADD(stc-acid) FACILITY(STC BATCH)

Each STC ACID will be defined with a password following the password requirement guidelines. The only exception is that these passwords will be defined as non-expiring. In addition, each STC will have its own unique password. Defining a password for started tasks prevents a user from logging onto a system with the STC ACID.

TSS REP(stc-acid) PASSWORD(xxxxxxxx,0)

Ensure the OPTIONS control option specifies a value of 4 to disable password checking for STCs. Otherwise operators will be forced to supply a password when STCs are started.

All STC ACIDs will be sourced to the internal reader. This control will further protect the unauthorized use of STC ACIDs.

TSS ADD(stc-acid) SOURCE(INTRDR)

Every STC will be defined to the STC table, associated with a specific procedure, and granted minimum access.

TSS ADD(STC) PROCNAME(stc-proc) ACID(stc-acid)

Note: The STC ACIDs may have the NOSUSPEND attribute to exempt an STC ACID from suspension for excessive violations. Review the STC record and all associated ACIDs. Ensure STCs and associated ACIDs are defined to the STC record. Restrict access to required resources only. Evaluate the impact of correcting the deficiency. Ensure TSS started task table record contains an entry for each Started Proc that maps the proc to a unique userid, or STC ACIDs will be unique per product and function if supported by vendor documentation. Develop a plan of action and implement the changes as specified:

All STC ACIDs will have the STC facility. An STC also may be granted the FAC(BATCH) if it requires the capability to submit batch jobs to the internal reader. It should be noted, however, that this also will allow the STC itself to be executed as a batch job.

TSS ADD(stc-acid) FACILITY(STC BATCH)

Each STC ACID will be defined with a password following the password requirement guidelines. The only exception is that these passwords will be defined as non-expiring. In addition, each STC will have its own unique password. Defining a password for started tasks prevents a user from logging onto a system with the STC ACID.

TSS REP(stc-acid) PASSWORD(xxxxxxxx,0)

Ensure the OPTIONS control option specifies a value of 4 to disable password checking for STCs. Otherwise operators will be forced to supply a password when STCs are started.

All STC ACIDs will be sourced to the internal reader. This control will further protect the unauthorized use of STC ACIDs.

TSS ADD(stc-acid) SOURCE(INTRDR)

Every STC will be defined to the STC table, associated with a specific procedure, and granted minimum access.

TSS ADD(STC) PROCNAME(stc-proc) ACID(stc-acid)

Note: The STC ACIDs may have the NOSUSPEND attribute to exempt an STC ACID from suspension for excessive violations.