CUI

Documentation - V-223755

V-223755

IBM z/OS RACF Security Technical Implementation Guide

CAT II

Title

IBM z/OS surrogate users must be controlled in accordance with proper security requirements.

Description

To mitigate the risk of unauthorized access to sensitive information by entities that have been issued certificates by DoD-approved PKIs, all DoD systems (e.g., web servers and web portals) must be properly configured to incorporate access control methods that do not rely solely on the possession of a certificate for access. Successful authentication must not automatically give an entity access to an asset or security boundary. Authorization procedures and controls must be implem...

Fix Text (Documentation Requirement)

Configure the SURROGAT as follows:

For executionuserid.SUBMIT resources defined to the SURROGAT resource class, ensure the following items are in effect regarding surrogate controls:

- All executionuserid.SUBMIT resources defined to the SURROGAT resource class specify a default access of NONE.
- All resource access is logged; at the discretion of the ISSM/ISSO scheduling tasks may be exempted.
- Access authorization is restricted to scheduling tools, started tasks or other system applications required for running production jobs.
- Other users may have minimal access required for running production jobs with documentation properly approved and filed with the site security official (ISSM or equivalent).

Consider the following recommendations when implementing security for Surrogate Users: Kee...
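One way to check the controls listed above across a set of profiles, as an added example that is not part of the STIG. The record layout, profile names and user IDs are constructed, and recording the ISSM/ISSO logging exemption as a set of profile names is an assumption.

```python
# Added example: audits SURROGAT *.SUBMIT profiles against the Fix Text controls.
# All data below is constructed; the dict layout is hypothetical, not RACF output.
PROFILES = [
    {"name": "PRODBAT.SUBMIT", "uacc": "NONE", "audit": "ALL(READ)",
     "access": {"SCHEDSTC": "READ"}},
    {"name": "PAYROLL.SUBMIT", "uacc": "READ", "audit": "FAILURES(READ)",
     "access": {"SCHEDSTC": "READ", "JSMITH": "READ"}},
    {"name": "CICSPRD.SUBMIT", "uacc": "NONE", "audit": "NONE",
     "access": {"SCHEDSTC": "READ"}},
]
APPROVED_IDS = {"SCHEDSTC"}          # scheduling tools, started tasks, system applications
DOCUMENTED = set()                   # (profile, user ID) pairs with approval on file
LOGGING_EXEMPT = {"CICSPRD.SUBMIT"}  # assumption: exemptions recorded per profile


def audit_profile(profile, approved_ids, documented, logging_exempt):
    """Return the list of findings for one executionuserid.SUBMIT profile."""
    name = profile["name"].upper()
    findings = []
    if not name.endswith(".SUBMIT"):
        return findings  # other SURROGAT resources are out of scope here
    if profile["uacc"].upper() != "NONE":
        findings.append(f"default access is {profile['uacc']}, expected NONE")
    logged = profile["audit"].upper().startswith("ALL")
    if not logged and name not in logging_exempt:
        findings.append(f"auditing is {profile['audit']}, expected ALL")
    for user_id, level in sorted(profile["access"].items()):
        if level.upper() == "NONE":
            continue  # an explicit NONE entry grants nothing
        if user_id not in approved_ids and (name, user_id) not in documented:
            findings.append(f"{user_id} has {level} with no approval on file")
    return findings


def audit(profiles, approved_ids, documented, logging_exempt):
    """Map each non-compliant profile name to its findings."""
    report = {}
    for profile in profiles:
        findings = audit_profile(profile, approved_ids, documented, logging_exempt)
        if findings:
            report[profile["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(PROFILES, APPROVED_IDS, DOCUMENTED, LOGGING_EXEMPT).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

In practice the input would be built from the site's own RACF profile listing, and the approved and documented sets from the records filed with the ISSM.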
