IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

An XCCDF Rule

Description

<VulnDiscussion>To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implemented to ensure each authenticated entity also has a validated and current authorization. Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. Information systems use access control policies and enforcement mechanisms to implement this requirement. Access control policies include: identity-based policies, role-based policies, and attribute-based policies. Access enforcement mechanisms include: access control lists, access control matrices, and cryptography. These policies and mechanisms must be employed by the application to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, and domains) in the information system. Satisfies: SRG-OS-000080-GPOS-00048, SRG-OS-000326-GPOS-00126</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-223996r958472_rule
Severity: Medium
References: CCI-000213 CCI-002233
Updated: 17 days ago

For each ACID identified in the XA ACID entries, ensure the following items are in effect regarding ACID permissions:

-ACID permission (XA ACID) is logged (ACTION = AUDIT), at the discretion of the ISSM/ISSO scheduling tasks may be exempted from logging.
-ACID permission (XA ACID) is logged (ACTION = AUDIT), for Privileged users (MSCA, SCA, DCA, VCA, ZCA).
-Access authorization is restricted to scheduling tools, started tasks, or other system applications required for running production jobs.
Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent). 

Consider the following recommendations when implementing security for Cross-Authorized ACIDs:

Keep ACID cross authorization of ACIDs outside of those granted to the scheduling software to a minimum number of individuals.

The simplest configuration is to have no ACID Cross Authorization except for the appropriate Scheduling task/software for production scheduling purposes as documented.

Temporary Cross Authorization of the production batch ACID to the scheduling tasks may be allowed for a period for testing by the appropriate specific production Support Team members. Authorization, eligibility, and test period is determined by site policy.

Access authorization is restricted to the minimum number of personnel required for running production jobs. However, ACID Cross Authorization usage must not become the default for all jobs submitted by individual userids (i.e., system programmer will use their assigned individual userids for software installation, duties, whereas a Cross-Authorized ACID would normally be utilized for scheduled batch production only and as such must normally be limited to the scheduling task such as CONTROLM) and not granted as a normal daily basis to individual users.

Grant access to the user ACID for each cross-authorized ACID required:

For Example:
TSS PERMIT(ACID) ACID(Cross-Authorized ACID) ACTION(AUDIT) 

For production ACIDs being used by CONTROLM:
TSS PER(CONTROLM)ACID(production user ACID)

IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

Description

Remediation - Manual Procedure