An error occurred:

Check: ZJES0014

zOS TSS STIG: ZJES0014 (in versions v6 r43 through v6 r30)

Title

RJE workstations and NJE nodes are not controlled in accordance with STIG requirements. (Cat II impact)

Discussion

JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check Content

Remote Resource Authorizations a) Refer to the following report produced by the OS/390 Data Collection: - PARMLIB(JES2 parameters) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(WHOOIBMF) b) Review the following resource definitions in the IBMFAC resource class: NJE. RJE. NJE.nodename RJE.workstation NOTE 1: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report. NOTE 2: Workstation is RMTnnnn, where nnnn is the number on the RMT statement. Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. c) If all JES2 defined NJE nodes and RJE workstations are owned in the IBMFAC class, there is NO FINDING. NOTE: NJE. and RJE. definitions will force logonid and password protection of all NJE and RJE connections respectively. This method is acceptable in lieu of using discrete profiles. d) If any JES2 defined NJE node or RJE workstation is not owned in the IBMFAC class, this is a FINDING.

Fix Text

Ensure associated USERIDs exist for all RJE/NJE sources and review the authorizations for these remote facilities. Develop a plan of action and implement the changes as required by the OS/390 STIG.

Additional Identifiers

Rule ID: SV-7320r2_rule

Vulnerability ID: V-6918

Group Title: ZJES0014

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000213

Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-3

Access Enforcement