Surrogate users or Cross-Authorized ACIDs must be controlled in accordance with the proper requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-54	ZJES0060	SV-7347r5_rule		Medium

Description
Surrogate users/Cross-Authorized ACIDs have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users/Cross-Authorized ACIDs run with the identity of the execution user. Failure to properly control surrogate users/Cross-Authorized ACIDs could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Description

Surrogate users/Cross-Authorized ACIDs have the ability to submit jobs on behalf of another user (the execution user) without specifying the execution user's password. Jobs submitted by surrogate users/Cross-Authorized ACIDs run with the identity of the execution user. Failure to properly control surrogate users/Cross-Authorized ACIDs could result in unauthorized personnel accessing sensitive resources. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-3367r2_chk )
Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection: - TSSCMDS.RPT(@ACIDS) - TSSCMDS.RPT(@ALL) If no XA ACID entries exist in the above reports, this is not applicable. For each ACID identified in the XA ACID entries, if the following items are true regarding ACID permissions this is not a finding. ___ ACID permission (XA ACID) is logged (ACTION = AUDIT), only for Privileged USERIDS (MASTER, SCA, DCA, VCA, ZCA) if they are XAUTH; at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging. ___ Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs. ___ Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Check Text ( C-3367r2_chk )

Refer to the following reports produced by the TSS Data Collection and Data Set and Resource Data Collection:

- TSSCMDS.RPT(@ACIDS)
- TSSCMDS.RPT(@ALL)

If no XA ACID entries exist in the above reports, this is not applicable.

For each ACID identified in the XA ACID entries, if the following items are true regarding ACID permissions this is not a finding.

___ ACID permission (XA ACID) is logged (ACTION = AUDIT), only for Privileged USERIDS (MASTER, SCA, DCA, VCA, ZCA) if they are XAUTH; at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging.

___ Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs.

___ Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Fix Text (F-70745r5_fix)
For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions: ACID permission (XA ACID) is logged (ACTION = AUDIT), at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging. ACID permission (XA ACID) is logged (ACTION = AUDIT), for Privileged users (MSCA, SCA, DCA, VCA, ZCA). Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs. Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). Consider the following recommendations when implementing security for Cross-Authorized ACIDs: Keep ACID cross authorization of ACIDs outside of those granted to the scheduling software to a minimum number of individuals. The simplest configuration is to have no ACID Cross Authorization except for the appropriate Scheduling task/software for production scheduling purposes as documented. Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility and test period is determined by site policy. Access authorization is restricted to the minimum number of personnel required for running production jobs. However, ACID Cross Authorization usage shall not become the default for all jobs submitted by individual userids (i.e., system programmer shall use their assigned individual userids for software installation, duties, whereas a Cross-Authorized ACID would normally be utilized for scheduled batch production only and as such shall normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users.. Grant access to the user ACID for each cross-authorized ACID required: For Example: TSS PERMIT(ACID) ACID(Cross-Authorized ACID) ACTION(AUDIT) For production ACIDs being used by CONTROLM: TSS PER(CONTROLM)ACID(production user ACID)

Fix Text (F-70745r5_fix)

For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions:

ACID permission (XA ACID) is logged (ACTION = AUDIT), at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging.

ACID permission (XA ACID) is logged (ACTION = AUDIT), for Privileged users (MSCA, SCA, DCA, VCA, ZCA).

Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs.

Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Consider the following recommendations when implementing security for Cross-Authorized ACIDs:

Keep ACID cross authorization of ACIDs outside of those granted to the scheduling software to a minimum number of individuals.

The simplest configuration is to have no ACID Cross Authorization except for the appropriate Scheduling task/software for production scheduling purposes as documented.

Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility and test period is determined by site policy.

Access authorization is restricted to the minimum number of personnel required for running production jobs. However, ACID Cross Authorization usage shall not become the default for all jobs submitted by individual userids (i.e., system programmer shall use their assigned individual userids for software installation, duties, whereas a Cross-Authorized ACID would normally be utilized for scheduled batch production only and as such shall normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users..

Grant access to the user ACID for each cross-authorized ACID required:

For Example:

TSS PERMIT(ACID) ACID(Cross-Authorized ACID) ACTION(AUDIT)

For production ACIDs being used by CONTROLM:

TSS PER(CONTROLM)ACID(production user ACID)