Title

JESSPOOL resources are not protected in accordance with security requirements. (Cat II impact)

Discussion

JES2 spool resources include all SYSOUT, SYSLOG, JESTRACE, and JESNEWS data sets. Failure to properly control JES2 spool resources could result in unauthorized personnel accessing job output, system activity logs, and trace data containing userid and password information. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check Content

JESSPOOL Resource Controls a) Refer to the following reports produced by the ACF2 Data Collection: - SENSITVE.RPT(JESSPOOL) - ACF2CMDS.RPT(RESOURCE) – Alternate report - ACF2CMDS.RPT(ACFGSO) b) Review the ACFGSO report. If CLASMAP defines JESSPOOL as TYPE(SPL), there is NO FINDING. NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters. Refer to the following report produced by the z/OS Data Collection: - PARMLIB(JES2 parameters) c) Ensure the following items are in effect: 1) The CLASMAP record defines the JESSPOOL resource class. 2) The following resources are defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of PREVENT: localnodeid.- localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG NOTE 1: These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.-.-.-.JESTRACE localnodeid.+MASTER+.-.-.-.- NOTE 2: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. 3) The following resource is defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of READ: localnodeid.jesid.$JESNEWS.taskid.Dnewslvl.JESNEWS jesid The logonid associated with your JES2 system. NOTE: This resource rule may be more generic as long as it pertains directly to the JESNEWS data set. For example: localnodeid.jesid.$JESNEWS.-.-.JESNEWS d) If all of the items in (b) and (c) are true, there is NO FINDING. e) If any item in (b) or (c) is untrue, this is a FINDING.

Fix Text

Ensure that the CLASMAP defines JESSPOOL as TYPE(SPL). NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters. Ensure the following items are in effect: The CLASMAP record defines the JESSPOOL resource class. Example: SHOW CLASMAP The following resources are defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of PREVENT: localnodeid.- localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG Example: $KEY(ocalnodeid) TYPE(SPL) - UID(*) PREVENT NOTE 1: These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example: localnodeid.JES2.-.-.-.JESTRACE localnodeid.+MASTER+.-.-.-.- NOTE 2: Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid. The following resource is defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of READ: localnodeid.jesid.$JESNEWS.taskid.Dnewslvl.JESNEWS jesid The logonid associated with your JES2 system. NOTE: This resource rule may be more generic as long as it pertains directly to the JESNEWS data set. For example: localnodeid.jesid.$JESNEWS.-.-.JESNEWS

Additional Identifiers

Rule ID: SV-7224r2_rule

Vulnerability ID: V-6923

Group Title: ZJES0041

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.