Check: ZJES0011
zOS RACF STIG:
ZJES0011
(in versions v6 r43 through v6 r30)
Title
RJE workstations and NJE nodes are not controlled in accordance with security requirements. (Cat II impact)
Discussion
JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
Check Content
RJE Userids

Note that this guidance addresses RJE workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE-to-host connection is hard-wired between the RJE and the host. In this case the RMT definition statement will contain the keyword LINE=, which specifies that this RJE is only connected via that one LINE statement. There are no known non-dedicated RJE workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.

a) Refer to the following report produced by the z/OS Data Collection:
- PARMLIB(JES2 parameters)
Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)
b) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.
c) Ensure the RJE workstation userids are defined as follows:
1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.
2) No userid segments (e.g., TSO, CICS, etc.) are defined.
3) The userid is restricted from accessing all data sets and resources, with the exception of the corresponding JESINPUT-class profile for that remote.
NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.
d) Ensure that a FACILITY-class profile exists in the format RJE.RMTnnnn, where nnnn identifies the remote number.
e) If all of the above are true, there is NO FINDING.
f) If any of the above are untrue, this is a FINDING.
Fix Text
RJE Userids

Note that this guidance addresses RJE workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE-to-host connection is hard-wired between the RJE and the host. In this case the RMT definition statement will contain the keyword LINE=, which specifies that this RJE is only connected via that one LINE statement. There are no known non-dedicated RJE workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.

a) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.
b) Ensure the RJE workstation userids are defined as follows:
1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.
2) No userid segments (e.g., TSO, CICS, etc.) are defined.
3) The userid is restricted from accessing all data sets and resources, with the exception of the corresponding JESINPUT-class profile for that remote.
Review Chapter 17 of the RACF Security Admin Guide. The following is an example that shows proper implementation (AG, AU and PE are the RACF abbreviations for ADDGROUP, ADDUSER and PERMIT):

AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN)
AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED
PE RMT777 CL(JESINPUT) ID(RMT777)

c) Ensure that a FACILITY-class profile exists in the format RJE.RMTnnnn, where nnnn identifies the remote number. A command example is shown here (RDEF is the abbreviation for RDEFINE):

RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')
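As an added illustration of steps b) through d) of the check (and the matching criteria in the fix text), the audit logic below is example code written for this page, not part of the STIG or of any DISA or IBM tool. The RMT statements, RACF userid attributes and FACILITY profile names are constructed samples, and the RACF_USERS dictionary is a hypothetical simplification of what LISTUSER and the IRRUT100 report actually show.

```python
import re

# Constructed sample (not from the STIG): RMT statements as they might appear in the
# PARMLIB(JES2 parameters) report; only the RMT(nnnn) token is parsed.
JES2_PARMS = """\
RMT(777)  DEVTYPE=LUTYPE1,LINE=7,BUFSIZE=1024
RMT(778)  DEVTYPE=LUTYPE1,LINE=8
RMT(779)  DEVTYPE=LUTYPE1,LINE=9
"""
# Constructed, simplified view of what LISTUSER and the IRRUT100 report show per userid:
# the RESTRICTED attribute, non-base segments, and (class, profile) access-list hits.
RACF_USERS = {
    "RMT777": {"restricted": True, "segments": [], "access": [("JESINPUT", "RMT777")]},
    "RMT778": {"restricted": False, "segments": ["TSO"],
               "access": [("JESINPUT", "RMT778"), ("DATASET", "SYS1.PARMLIB")]},
    # RMT779 is deliberately absent: no userid defined for that remote.
}
# Constructed set of FACILITY-class profile names (hypothetical RLIST output).
FACILITY_PROFILES = {"RJE.RMT777", "RJE.RMT778"}

def remotes_from_parms(parms):
    """Step b): collect the remote numbers from every RMT(nnnn) statement."""
    return sorted(set(re.findall(r"\bRMT\((\d+)\)", parms)))

def check_remote(number, users, facility):
    """Steps c) and d) for one remote; returns finding texts (empty list = compliant)."""
    uid = f"RMT{number}"
    findings = []
    user = users.get(uid)
    if user is None:
        findings.append(f"{uid}: userid not defined to RACF")
    else:
        if user["segments"]:
            findings.append(f"{uid}: userid segments defined: {', '.join(user['segments'])}")
        if not user["restricted"]:
            findings.append(f"{uid}: userid lacks the RESTRICTED attribute")
        # Only the remote's own JESINPUT profile may appear in any access list.
        extra = [f"{c}({p})" for c, p in user["access"] if (c, p) != ("JESINPUT", uid)]
        if extra:
            findings.append(f"{uid}: access outside JESINPUT: {', '.join(extra)}")
    if f"RJE.{uid}" not in facility:
        findings.append(f"{uid}: no FACILITY profile RJE.{uid}")
    return findings

def audit(parms, users, facility):
    """Apply the check to every remote; any returned line is a FINDING (step f)."""
    findings = []
    for number in remotes_from_parms(parms):
        findings.extend(check_remote(number, users, facility))
    return findings
```

With the constructed input, RMT777 passes, RMT778 yields three findings and the undefined RMT779 yields two.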
Additional Identifiers
Rule ID: SV-7314r2_rule
Vulnerability ID: V-6916
Group Title: ZJES0011
CCIs
Number | Definition
---|---
CCI-000366 | The organization implements the security configuration settings.
Controls
Number | Title
---|---
CM-6 | Configuration Settings