STIG ID - BACF0037: Authorize Restricted Logonids Associated with Batch Job Processing
Authorize logonids associated with batch job processing to log jobs.
Severity: 2 - Medium
Unauthorized jobs can be introduced into your system that can compromise the confidentiality, integrity, and availability of the operating system. The use of default logonids for batch processing prevents identification of tasks and adequate accountability and is not recommended.
ACF2 gives you the ability to create restricted logonids with specific attributes for use with batch processing.
Your organization will ensure that the logonid associated with batch job processing is authorized and able to log jobs.
This STIG article shows how to assign attributes to restricted logonids associated with batch job processing.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List the logonid record to determine if the following field values are defined:
  If logonids that are associated with batch jobs have the RESTRICT attribute, the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute, specified:

      SET LID
      LID
      LIST USER01
      USER01 XXX USER01
      PRIVILEGES   RESTRICT
      ...
      RESTRICTIONS PREFIX(user01)
      ...
      LID

  In this example, the PGM, SUBAUTH, and SOURCE attributes are not defined as the suggested guideline requires. These attributes are required on a restricted batch processing logonid.
- PGM(program): Specifies a one- to eight-character program name or a mask. The specified program must be used to submit jobs for this logonid. Proper use of this program pathing facility requires that this logonid be defined with the RESTRICT attribute.
- RESTRICT|NORESTRICT: Specifies that a logonid is for product use only. A restricted logonid does not require a password for user verification. ACF2 logs all jobs submitted by restricted logonids. Default: NORESTRICT
- SUBAUTH|NOSUBAUTH: Indicates that jobs that specify this logonid can be submitted only through APF-authorized programs. Default: NOSUBAUTH
- SOURCE(sourceid): Specifies the one- to eight-character logical or physical source name or source group name from which a user must access the system.
- If restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute, your organization does not have an audit finding.
- If the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute, are not specified for a restricted logonid, your organization has an audit finding. See Remediate Audit Finding.
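The check above can be applied to LIST output captured from many logonids at once. The following Python script is an added example, not part of this STIG article or of ACF2; the logonid, program and source names in its sample output are constructed, and it assumes the output was saved to a text file in the form shown above.

```python
import re

# Constructed sample of ACF2 LIST output for five logonids (not from the
# page); program and source names are made up for the example.
SAMPLE_LIST_OUTPUT = """\
USER01 XXX USER01
  PRIVILEGES   RESTRICT
  RESTRICTIONS PREFIX(USER01)
USER02 XXX USER02
  PRIVILEGES   RESTRICT PGM(SUBMITX) SUBAUTH
USER03 XXX USER03
  PRIVILEGES   RESTRICT SOURCE(BATCHSRC)
USER04 XXX USER04
  PRIVILEGES   RESTRICT PGM(SUBMITX) NOSUBAUTH
USER05 XXX USER05
  PRIVILEGES   NORESTRICT NOSUBAUTH
"""

def parse_list_output(text):
    """One attribute dict per logonid; a record starts at an unindented line."""
    records, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0]
            records[current] = {"restrict": False, "subauth": False,
                                "pgm": None, "source": None}
            continue
        if current is None:
            continue
        rec = records[current]
        # \b keeps NORESTRICT, NOSUBAUTH and the RESTRICTIONS heading from matching
        rec["restrict"] |= bool(re.search(r"\bRESTRICT\b", line))
        rec["subauth"] |= bool(re.search(r"\bSUBAUTH\b", line))
        for key in ("pgm", "source"):
            m = re.search(r"\b%s\(([^)]+)\)" % key.upper(), line)
            if m:
                rec[key] = m.group(1)
    return records

def is_finding(rec):
    """BACF0037: RESTRICT requires PGM plus SUBAUTH, or SOURCE; others are out of scope."""
    if not rec["restrict"]:
        return False
    program_pathed = rec["pgm"] is not None and rec["subauth"]
    return not (program_pathed or rec["source"] is not None)

def audit(text):
    """Return the logonids that are audit findings, in LIST order."""
    return [lid for lid, rec in parse_list_output(text).items() if is_finding(rec)]
```

Run against the sample, `audit(SAMPLE_LIST_OUTPUT)` reports USER01 (no PGM, SUBAUTH or SOURCE) and USER04 (PGM without SUBAUTH); USER05 is skipped because it is not a restricted logonid.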
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the logonid attributes.
Follow these steps:
- Change the logonid to include the PGM(xxxxxxxx) and SUBAUTH attributes, which are required for batch job processing:

      SET LID
      LID
      CHANGE USER01 PGM(xxxxxxxx) SUBAUTH
      LID

- Verify that the logonid was changed:

      SET LID
      LID
      LIST USER01
      USER01 XXX USER01
      PRIVILEGES   RESTRICT PGM(xxxxxxxx) SUBAUTH
      ...
      LID
The logonid associated with batch job processing is now authorized and jobs will be logged.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)