Check: ZJES0031
zOS RACF STIG:
ZJES0031
(in versions v6 r43 through v6 r30)
Title
JES2 output devices are not controlled in accordance with the proper security requirements. (Cat II impact)
Discussion
JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data.
Check Content
WRITER Resource Definitions a) Refer to the following reports produced by the RACF Data Collection: - SENSITVE.RPT(WRITER) - RACFCMDS.RPT(SETROPTS) - DSMON.RPT(RACCDT) - Alternate list of active resource classes Refer to the following reports produced by the z/OS Data Collection: - EXAM.RPT(SUBSYS) - PARMLIB(JES2 parameters) b) Review the following resources in the WRITER resource class: JES2.** (backstop profile) JES2.LOCAL.OFFn.* (spool offload transmitter) JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter) JES2.LOCAL.OFFn.JT (spool offload job transmitter) JES2.LOCAL.PRTn (local printer) JES2.LOCAL.PUNn (local punch) JES2.NJE.nodename (NJE node) JES2.RJE.Rnnnn.PRm (remote printer) JES2.RJE.Rnnnn.PUm (remote punch) NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters. NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters. NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters. NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters. NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters. c) Ensure the following items are in effect: 1) The WRITER resource class is active. 2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE). 3) The other resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE). NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations. d) If all of the items mentioned in (c) are true, there is NO FINDING. e) If any item mentioned in (c) is untrue, this is a FINDING.
Fix Text
WRITER Resource Definitions Review the following resources in the WRITER resource class: JES2.** (backstop profile) JES2.LOCAL.OFFn.* (spool offload transmitter) JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter) JES2.LOCAL.OFFn.JT (spool offload job transmitter) JES2.LOCAL.PRTn (local printer) JES2.LOCAL.PUNn (local punch) JES2.NJE.nodename (NJE node) JES2.RJE.Rnnnn.PRm (remote printer) JES2.RJE.Rnnnn.PUm (remote punch) NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters. NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters. NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters. NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters. NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters. c) Ensure the following items are in effect: 1) The WRITER resource class is active. 2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE). 3) The other resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE). NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations. Examples: setr classact(writer) setr gencmd(writer) generic(writer) setr raclist(writer) RDEF WRITER JES2.** owner(admin) AUDIT(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.** owner(admin) AUDIT(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.OFF*.JT owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.OFF*.ST owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.PRT* owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.LOCAL.PUN* owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.NJE.** owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') RDEF WRITER JES2.RJE.** owner(admin) audit(ALL) UACC(NONE) - data('Reference SRR PDI ZJES0031') pe JES2.** cl(writer) id(<syspaudt>) pe JES2.LOCAL.** cl(writer) id(<syspaudt>) pe JES2.LOCAL.OFF*.JT cl(writer) id(<syspaudt>) pe JES2.LOCAL.OFF*.ST cl(writer) id(<syspaudt>) pe JES2.LOCAL.PRT* cl(writer) id(<syspaudt>) pe JES2.LOCAL.PUN* cl(writer) id(<syspaudt>) pe JES2.NJE.** cl(writer) id(<syspaudt>) pe JES2.RJE.** cl(writer) id(<syspaudt>) setr racl(writer) Ref
Additional Identifiers
Rule ID: SV-7327r2_rule
Vulnerability ID: V-6921
Group Title: ZJES0031
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |