How to secure my started tasks?
search cancel

How to secure my started tasks?

book

Article ID: 12693

calendar_today

Updated On:

Products

COMMON SERVICES FOR Z/OS 90S SERVICES Common Services

Issue/Introduction

We are in the process of a security audit and were asked if the started tasks for ENF require the following attributes:

NON-CNCL
UID(0)

Do I have to add NON-CNCL and UID(0) to my ENF started task?

Environment

COMMON SERVICES R14.1 S1401 - ACF2 security product -

Resolution


1. The NON-CNCL attribute is never required for a started tasks, however some sites will give NON-CNCL to 'system' started tasks
that they feel are trusted rather than writing rules however the best practice would be to not use NON-CNCL and write rules.


2. Does ENF require UID(0):

If you are securing USS files (HFS/ZFS) with CA TOP SECRET (ENF/USS Interface), the security ID associated with the ENF started task requires:

A superuser ID (UID 0), or the permission to the IBM Facility resource BPX.SUPERUSER.
a valid group ID (GID), home directory, and shell program.

He also needs the permission to the IBM Facility resource BPX.DAEMON, if this resource is defined in the customers environment.

ENF doesn't require UID(0): NO (if not using ENFUSS), then:

The ID associated with the ENF started task must have a valid security OMVS segment defined:

This generally consists of a valid group ID (GID), home directory, and shell program.

The same would apply to ACF2 security product, in fact, UID (0) is optional.