Title

JES2 input sources are not controlled in accordance with the proper security requirements. (Cat II impact)

Discussion

JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check Content

a) Refer to the following reports produced by the ACF2 Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(JESINPUT) - ACF2CMDS.RPT(RESOURCE) – Alternate report - ACF2CMDS.RPT(ACFGSO) Refer to the following report produced by the z/OS Data Collection: - PARMLIB(JES2 parameters) b) Review the ACFGSO report. If CLASMAP defines JESINPUT as TYPE(INP), there is NO FINDING. NOTE: If CLASMAP defines JESINPUT as anything other than TYPE(INP), replace INP below with the appropriate three letters. c) Review the following resources in the JESINPUT resource class (i.e., TYPE(INP)): INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.- (spool offload receiver) Rnnnn.- (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the JES2 parameters. NOTE 2: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the JES2 parameters. NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the JES2 parameters. NOTE 4: RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the JES2 parameters. d) Ensure the following items are in effect: 1) The CLASMAP record defines the JESINPUT resource class to TYPE(INP). 2) The resources mentioned in (b) are protected by generic and/or fully qualified rules defined to the JESINPUT resource class. 3) A default access of PREVENT is specified for all resources. NOTE: A default access of READ is allowed for input sources that are permitted to submit jobs for all users. No guidance on which input sources are appropriate for a default access of READ. However, common sense should prevail during the analysis. For example, a default access of READ would typically be inappropriate for RJE, NJE, offload, and STC input sources. e) If all of the items in (b) and (d) are true, there is NO FINDING. f) If any item in (b) or (d) is untrue, this is a FINDING.

Fix Text

The IAO will ensure that the JESINPUT resource class is defined and required resource(s) is (are) defined to the JESINPUT resource class with no access. Ensure the CLASMAP defines JESINPUT as TYPE(INP). NOTE: If CLASMAP defines JESINPUT as anything other than TYPE(INP), replace INP below with the appropriate three letters. Ensure the following resources in the JESINPUT resource class (i.e., TYPE(INP)): INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.- (spool offload receiver) OFFn.JR (spool offload job receiver) OFFn.SR (spool offload SYSOUT receiver) Rnnnn.RDm (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) NOTE 1: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the JES2 parameters. NOTE 2: OFFn, where n is the number of the offload receiver. Determine the numbers by searching for OFF( in the JES2 parameters. NOTE 3: Rnnnn.RDm, where nnnn is the number of the remote workstation and m is the number of the reader. Determine the numbers by searching for .RD in the JES2 parameters. NOTE 4: RDRnn, where nn is the number of the reader. Determine the numbers by searching for RDR( in the JES2 parameters. Ensure the following items are in effect: 1) The CLASMAP record defines the JESINPUT resource class. Example: SHOW CLASMAP 2) The resources mentioned in (b) are protected by generic and/or fully qualified rules defined to the JESINPUT resource class. 3) A default access of PREVENT is specified for all resources. NOTE: A default access of READ is allowed for input sources that are permitted to submit jobs for all users. Currently, there is no guidance on which input sources are appropriate for a default access of READ. However, common sense should prevail during the analysis. For example, a default access of READ would typically be inappropriate for RJE, NJE, offload, and STC input sources. Examples: $KEY(STCINRDR) TYPE(INP) - UID(*) PREVENT $KEY(TSUINRDR) TYPE(INP) - UID(*) PREVENT $KEY(RDR*****) TYPE(INP) $MEMBER(RDR#####) - UID(*) PREVENT $KEY(OFF*****) TYPE(INP) $MEMBER(OFF#####) JR UID(operaudt) SERVICE(READ) JR UID(*) PREVENT SR UID(operaudt) SERVICE(READ) SR UID(*) PREVENT - UID(operaudt) SERVICE(READ) - UID(*) PREVENT

Additional Identifiers

Rule ID: SV-7220r2_rule

Vulnerability ID: V-6919

Group Title: ZJES0021

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.