STIG ID - BACF0037: Authorize Restricted Logonids Associated with Batch Job Processing

Authorize logonids associated with batch job processing to log jobs.
Severity: 2 - Medium
Unauthorized jobs can be introduced into your system that can compromise the confidentiality, integrity, and availability of the operating system. The use of default logonids for batch processing prevents identification of tasks and adequate accountability and is not recommended.
ACF2 gives you the ability to create restricted logonids with specific attributes for use with batch processing.
Your organization will ensure that the logonid associated with batch job processing is authorized and able to log jobs.
This STIG article shows how to assign attributes to restricted logonids associated with batch job processing.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. List the logonid record to determine if the following field values are defined:
    • RESTRICT
    • SUBAUTH
    • PGM(xxxxxxxx)
    • SOURCE(xxxxxxxx)
    If logonids that are associated with batch jobs have the RESTRICT attribute, the logonids must also have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute specified.
    SET LID
    LID
    LIST USER01
    USER01 XXX USER01
    PRIVILEGES RESTRICT
    ...
    RESTRICTIONS PREFIX(user01)
    ...
    LID
    In this example, the PGM, SUBAUTH, and SOURCE attributes are not defined as the guideline requires. These attributes are required on a restricted batch processing logonid.
    • PGM(program)
      Specifies a one- to eight-character program name or a mask. The specified program must be used to submit jobs for this logonid. Proper use of this program pathing facility requires that this logonid be defined with the RESTRICT attribute.
    • RESTRICT|NORESTRICT
      Specifies that a logonid is for product use only. A restricted logonid does not require a password for user verification. ACF2 logs all jobs submitted by restricted logonids.
      Default: NORESTRICT
    • SUBAUTH|NOSUBAUTH
      Indicates that jobs that specify this logonid can be submitted only through APF-authorized programs.
      Default: NOSUBAUTH
    • SOURCE(sourceid)
      Specifies the one- to eight-character logical or physical source name or source group name from which a user must access the system.
  2. If restricted logonids have the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute, your organization does not have an audit finding.
  3. If the PGM(xxxxxxxx) and SUBAUTH attributes, or the SOURCE(xxxxxxxx) attribute, are not specified for a restricted logonid, your organization has an audit finding. See Remediate Audit Finding.
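As an added worked example (not part of this STIG and not ACF2 product code), the three steps above reduce to one rule that can be checked mechanically over LIST output: a logonid with RESTRICT must also carry PGM together with SUBAUTH, or SOURCE. The script below parses a constructed sample of LIST output (its exact line layout and the logonid names are assumptions) and reports which restricted logonids are findings.

```python
# Constructed sample of ACF2 LIST output for four logonids; not captured from a real system.
# Record header lines start in column 1; attribute lines are indented.
SAMPLE_LIST_OUTPUT = """\
USER01   XXX      USER01
  PRIVILEGES RESTRICT
  RESTRICTIONS PREFIX(user01)
USER02   XXX      USER02
  PRIVILEGES RESTRICT PGM(BATCHSUB) SUBAUTH
USER03   XXX      USER03
  PRIVILEGES RESTRICT
  RESTRICTIONS SOURCE(LPARSRC1)
USER04   XXX      USER04
  PRIVILEGES NON-CNCL
"""


def parse_list_output(text):
    """Split LIST output into {logonid: set(attribute keywords)}.

    Keywords with a value, such as PGM(BATCHSUB) or SOURCE(LPARSRC1),
    are reduced to their bare keyword so the rule can test for presence.
    """
    records = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Header line: logonid, UID string, name. Only the logonid matters here.
            current = line.split()[0]
            records[current] = set()
        elif current is not None:
            # Skip the section label (PRIVILEGES, RESTRICTIONS, ...) and keep the keywords.
            for token in line.split()[1:]:
                records[current].add(token.split("(")[0].upper())
    return records


def has_finding(attrs):
    """BACF0037 rule: RESTRICT requires (PGM and SUBAUTH) or SOURCE.

    Logonids without RESTRICT are out of scope for this check and never a finding.
    PGM alone, or SUBAUTH alone, is not sufficient.
    """
    if "RESTRICT" not in attrs:
        return False
    return not (({"PGM", "SUBAUTH"} <= attrs) or ("SOURCE" in attrs))


def audit(text):
    """Return the sorted list of logonids that constitute an audit finding."""
    return sorted(lid for lid, attrs in parse_list_output(text).items() if has_finding(attrs))
```

Running audit(SAMPLE_LIST_OUTPUT) reports only USER01, matching the example record in step 1.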
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) is the only role that should have access to change the logonid attributes.
Follow these steps:
  1. Change the logonid to include the PGM(xxxxxxxx) and SUBAUTH attributes, which are required for batch job processing:
    SET LID
    LID
    CHANGE USER01 PGM(xxxxxxxx) SUBAUTH
    LID
  2. Verify the logonid was changed:
    SET LID
    LID
    LIST USER01
    USER01 XXX USER01
    PRIVILEGES RESTRICT PGM(xxxxxxxx) SUBAUTH
    ...
    LID
The logonid associated with batch job processing is now authorized and jobs will be logged.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-002145
CCI: CCI-002145
Published Date: 2013-06-24
Definition: The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
Type: technical
References: NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)