Check: ZJES0014
zOS RACF STIG:
ZJES0014
(in versions v6 r43 through v6 r30)
Title
RJE workstations and NJE nodes are not controlled in accordance with STIG requirements. (Cat II impact)
Discussion
JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Check Content
a) Refer to the following report produced by the OS/390 Data Collection: - PARMLIB(JES2 parameters) Refer to the following report produced by the RACF Data Collection: - SENSITVE.RPT(FACILITY) b) Review the following resource definitions in the FACILITY resource class: NJE.* RJE.* NJE.nodename RJE.workstation NOTE 1: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. NOTE 2: Workstation is RMTnnnn, where nnnn is the number on the RMT statement. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. c) If all JES2 defined NJE nodes and RJE workstations have a profile defined in the FACILITY resource class, there is NO FINDING. NOTE: NJE.* and RJE.* profiles will force userid and password protection of all NJE and RJE connections respectively. This method is acceptable in lieu of using discrete profiles. d) If any JES2 defined NJE node or RJE workstation does not have a profile defined in the FACILITY resource class, this is a FINDING.
Fix Text
Ensure associated USERIDs exist for all RJE/NJE sources and review the authorizations for these remote facilities. Develop a plan of action and implement the changes as required by the OS/390 STIG.
Additional Identifiers
Rule ID: SV-7318r2_rule
Vulnerability ID: V-6918
Group Title: ZJES0014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |