CUI

Documentation - V-223536

V-223536

IBM z/OS ACF2 Security Technical Implementation Guide

CAT II

Title

IBM z/OS Surrogate users must be controlled in accordance with proper security requirements.

Description

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implem...

Fix Text (Documentation Requirement)

All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default of no access; all resource access is logged (at the discretion of the ISSM/ISSO, scheduling tasks may be exempted); and access authorization is restricted to the minimum number of personnel required for running production jobs.

Ensure the CLASMAP defines SURROGAT as TYPE(SUR).

NOTE: If CLASMAP defines SURROGAT as anything other than TYPE(SUR), replace SUR below with the appropriate three letters.

Ensure the following items are in effect:

All executionlogonid.SUBMIT resources defined to the SURROGAT class specify a default access of PREVENT.

All resource access is logged except for scheduling tasks.

Access authorization is restricted to scheduling tools, started tasks, or other system applicati...
