How to secure my started tasks?

Document ID : KB000012693
Last Modified Date : 14/02/2018
Introduction:

We are in the process of a security audit and were asked if the started tasks for ENF require the following attributes:

NON-CNCL

UID(0)

Question:

Do I have to add NON-CNCL and UID(0) to my ENF started task?

Environment:
COMMON SERVICES R14.1 S1401 - ACF2 security product -
Answer:


1. The NON-CNCL attribute is never required for a started task. Some sites give NON-CNCL to 'system' started tasks
that they consider trusted rather than writing rules, but the best practice is not to use NON-CNCL and to write rules instead.


2. Does ENF require UID(0)?

If you are securing USS files (HFS/zFS) with CA Top Secret (ENF/USS Interface), the security ID associated with the ENF started task requires:

- a superuser ID (UID 0), or permission to the IBM Facility resource BPX.SUPERUSER;
- a valid group ID (GID), home directory, and shell program.

It also needs permission to the IBM Facility resource BPX.DAEMON, if that resource is defined in the customer's environment.

If ENF is not using the USS interface (ENFUSS), ENF does not require UID(0). In that case:

The ID associated with the ENF started task must still have a valid OMVS segment defined in the security product. This generally consists of a valid group ID (GID), home directory, and shell program.

The same applies to the ACF2 security product; UID(0) is optional.
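As an added illustration of points 1 and 2 above (not part of this knowledge document), the following ACF2 command sketch defines a started-task logonid for ENF without NON-CNCL, grants it data set access by rule, gives it an OMVS segment, and shows the BPX.SUPERUSER rule as the alternative to UID(0) for the ENF/USS case. The logonid name ENF, the group ENFGRP, the GID value, the home directory, the CAI data set high-level qualifier, and the UID string mask ****ENF are assumptions for this site; lines beginning with an asterisk are explanatory annotations, not commands, and the blank line after each rule text ends the COMPILE input. Verify the exact syntax against the ACF2 Administration Guide for your release before using it.

```text
* Logonid for the ENF started task (assumed name ENF, assumed group ENFGRP).
* STC marks it as a started-task logonid; NON-CNCL is deliberately omitted.
SET LID
INSERT ENF NAME(ENF STARTED TASK) STC GROUP(ENFGRP)

* Grant the data set access ENF needs by rule instead of NON-CNCL.
* $KEY(CAI) and the ENF.- pattern are assumed data set names; ****ENF is
* an assumed UID string mask that matches only the ENF logonid.
SET RULE
COMPILE *
 $KEY(CAI)
 ENF.- UID(****ENF) READ(A) WRITE(A) ALLOC(A) EXEC(A)

STORE

* OMVS segment: group (assumed GID 500), then the logonid.
* UID(0) is optional in ACF2 and is shown only for the ENF/USS case;
* without the USS interface, assign a non-zero UID here instead.
SET PROFILE(GROUP) DIV(OMVS)
INSERT ENFGRP GID(500)
SET PROFILE(USER) DIV(OMVS)
INSERT ENF UID(0) HOME(/u/enf) OMVSPGM(/bin/sh)

* Alternative to UID(0) for the USS case: READ access to BPX.SUPERUSER
* in the FAC resource class, again granted by rule rather than attribute.
SET RESOURCE(FAC)
COMPILE *
 $KEY(BPX) TYPE(FAC)
 SUPERUSER UID(****ENF) SERVICE(READ) ALLOW

STORE
F ACF2,REBUILD(FAC)

* Check: the logonid should show STC but not NON-CNCL, and the OMVS
* profile should show the GID, HOME and OMVSPGM values.
SET LID
LIST ENF
SET PROFILE(USER) DIV(OMVS)
LIST ENF
```

The LIST output at the end is what an auditor would want to see: the started task's authority comes from explicit rules that can be reviewed and logged, not from a NON-CNCL bypass, and UID(0) appears only where the USS interface actually needs it.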