Check: ZJES0021
zOS RACF STIG:
ZJES0021
(in versions v6 r43 through v6 r30)
Title
JES2 input sources are not controlled in accordance with theh proper security requirements. (Cat II impact)
Discussion
JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Check Content
a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection: - SENSITVE.RPT(JESINPUT) - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes Refer to the following report produced by the z/OS Data Collection: - PARMLIB(JES2 parameters) b) Review the following resources in the JESINPUT resource class: INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.* (spool offload receiver) Rnnnn (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the report. NOTE 2: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the report. NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the report. NOTE 4: RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the report. c) Ensure the following items are in effect: 1) The JESINPUT resource class is active. 2) The resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class. 3) UACC(NONE) is specified for all resources. NOTE: UACC(READ) is allowed for input sources that are permitted to submit jobs for all users. No guidance on which input sources are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, offload, and STC input sources. d) If all of the items mentioned in (c) are true, there is NO FINDING. e) If any of the items mentioned in (c) is untrue, this is a FINDING.
Fix Text
Review the following resources in the JESINPUT resource class: INTRDR (internal reader for batch jobs) nodename (NJE node) OFFn.* (spool offload receiver) Rnnnn (RJE workstation) RDRnn (local card reader) STCINRDR (internal reader for started tasks) TSUINRDR (internal reader for TSO logons) NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined. NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. NOTE 2: OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report. NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the JES2 parameters for RJE node definitions by searching for RMT( in the report. NOTE 4: RDRnn, where nn is the number of the reader. Review the JES2 parameters for reader definitions by searching for RDR( in the report. c) Ensure the following items are in effect: 1) The JESINPUT resource class is active. 2) The resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class. 3) UACC(NONE) is specified for all resources. NOTE: UACC(READ) is allowed for input sources that are permitted to submit jobs for all users. Currently, there is no guidance on which input sources are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, offload, and STC input sources. Examples: setr classact(jesinput) setr generic(jesinput) rdef jesinput intrdr uacc(none) owner(admin) audit(failures(read) success(update)) data('Per SRR PDI ZJES0021') pe intrdr cl(jesinput) id(<syspaudt>) pe intrdr cl(jesinput) id(*) /* all users */
Additional Identifiers
Rule ID: SV-7323r2_rule
Vulnerability ID: V-6919
Group Title: ZJES0021
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001310 |
The information system checks the validity of organization-defined inputs. |