Check: ZJES0052
zOS RACF STIG:
ZJES0052
(in versions v6 r43 through v6 r30)
Title
JES2 system commands are not protected in accordance with security requirements. (Cat II impact)
Discussion
JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Check Content
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(OPERCMDS) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZJES0052) b) If the JES2.** resource is defined to the OPERCMDS class with a default access of NONE and all access is logged, there is NO FINDING. c) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. d) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING. e) If either (b), (c), or (d) above is untrue for any JES2 system command resource, this is a FINDING.
Fix Text
Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL. To control access to JES2 system commands, apply the following recommendations when implementing security: 1) Define the JES2.** resource in the OPERCMDS class with a default access of NONE and all access is logged. 2) Define the JES2 system commands as specified in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. 3) Define the JES2 system commands with proper logging as specified in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum. Build a command file based on the referenced JES2 Command Table. A sample of the commands in the command file is provided here: RDEF OPERCMDS JES2.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') RDEF OPERCMDS JES2.<command>.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') PE JES2.<command>.** CL(OPERCMDS) ID(<syspaudt>) ACC(U) SETR RACL(OPERCMDS) REF
Additional Identifiers
Rule ID: SV-17410r2_rule
Vulnerability ID: V-6928
Group Title: ZJES0052
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-002234 |
The information system audits the execution of privileged functions. |