STIG ID - BACF0040: Implement MUSASS Started Task Control and Accountability
Assign JOBFROM attribute to a started task logonid.
Severity: 2 - Medium
In a multiple-user single address space system (MUSASS) environment (for example, CICS or IMS), setting the JOBFROM attribute lets a MUSASS started task insert the JOBFROM control statement into each job stream submitted by the MUSASS on behalf of the user, without knowing the password. This process allows those jobs to inherit the the individual user's logonid and source information, which helps achieve MUSASS job submission control and accountability.
Your organization will ensure that the MUSASS started task job submission control and accountability is implemented.
This STIG article shows how to assign the JOBFROM attribute to a started task logonid that has the MUSASS attribute assigned.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
- List the started task logonid records to determine if the JOBFROM attribute is assigned:SET CONTROL(GSO) LIST LIKE(STC-)ACF2displays all records with the started task defined. Typically, the number of started tasks returned is significant. For the purpose of this STIG, the following example shows one logonid, which is assigned to started taskSTC.CICS2.XXXX /STC.CICS2LAST CHANGED BY MASTERON 02/11/19-4:05 GROUP() LOGONID(USER03) STCID(CICS2)
- List each started task logonid identified to determine if the MUSASS and JOBFROM attributes are assigned:SET LID LID LIST USER03 USER03 PRIVILEGES ACCOUNT CICS DUMPAUTH IMS MUSASS STC TSO LIDIn this example, the JOBFROM attribute is not assigned to the STC logonid USER03.
- JOBFROM|NOJOBFROMSpecifies that this user can use //*JOBFROM control statements as part of job submission. Specify this field in the record for all MUSASS environments (CICS and IMS) or in a batch production environment.ACF2creates a logging record for all jobs that are submitted with the //*JOBFROM control statement. Through the ACFRPTJL report, you can use the JOBFROM parameter to product a report displaying these loggings.Default: NOJOBFROM
- If all logonids identified as a started task have the JOBFROM attribute defined,your organization does not have an audit finding.
- If any logonid identified as a started task does not have the JOBFROM attribute defined,your organization has an audit finding. See Remediate Audit Finding
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that the STC logonid includes the JOBFROM attribute.
Follow these steps:
- Change the logonid to include the JOBFROM attribute:SET LID LID CHANGE USER03 JOBFROM LID
- Verify that JOBFROM attribute was added to logonid USER03:SET LID LID LIST USER03 USER03 USER03 PRIVILEGES ACCOUNT CICS DUMPAUTH IMSJOBFROMMUSASS STC TSO ... LID
The MUSASS started task job submission control and accountability is now implemented.
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
The information system enforces organization-defined circumstances and/or usage conditions for organization-defined information system accounts.
NIST: NIST SP 800-53 Revision 4 (v4): AC-2(11)