JES2 output devices must be properly controlled for Classified Systems.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6922	ZJES0032	SV-7223r2_rule	DCCS-1 DCCS-2	Medium

Description
JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data on a classified System..

STIG	Date
z/OS RACF STIG	2015-03-27

Details

Check Text ( C-39025r1_chk )
Refer to the following report produced by the Data Set and Resource Data Collection: - Classification of System ACF2 - SENSITVE.RPT(WRITER) RACF - SENSITVE.RPT(WRITER) TSS - SENSITVE.RPT(WHOHWTR) If access authorization for resources defined to the WRITER resource class are restricted to the operators and system programming personnel, on a classified system this is not a finding. NOTE: Common sense should prevail during the analysis. For example, access to the offload output destinations should be limited to only systems personnel (e.g., operations staff/system programmers) on a classified system.

Check Text ( C-39025r1_chk )

Refer to the following report produced by the Data Set and Resource Data Collection:

- Classification of System
ACF2
- SENSITVE.RPT(WRITER)
RACF
- SENSITVE.RPT(WRITER)
TSS
- SENSITVE.RPT(WHOHWTR)

If access authorization for resources defined to the WRITER resource class are restricted to the operators and system programming personnel, on a classified system this is not a finding.

NOTE: Common sense should prevail during the analysis. For example, access to the offload output destinations should be limited to only systems personnel (e.g., operations staff/system programmers) on a classified system.

Fix Text (F-34116r1_fix)
Verify with the IAO to see that access authorization for resources defined to the WRITER resource class is restricted to the operators and system programmers on a classified system only. Define resources in the ACP’s respective WRITER class for each of the following output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent). If all users are permitted to route output to a specific destination, the resource controlling it may be defined with a default access of either NONE or READ. Otherwise it will be defined with a default access of NONE.

Fix Text (F-34116r1_fix)

Verify with the IAO to see that access authorization for resources defined to the WRITER resource class is restricted to the operators and system programmers on a classified system only.

Define resources in the ACP’s respective WRITER class for each of the following output destinations:

JES2.LOCAL.devicename
JES2.LOCAL.OFFn.*
JES2.LOCAL.OFFn.JT
JES2.LOCAL.OFFn.ST
JES2.LOCAL.PRTn
JES2.LOCAL.PUNn
JES2.NJE.nodename
JES2.RJE.devicename

The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent). If all users are permitted to route output to a specific destination, the resource controlling it may be defined with a default access of either NONE or READ. Otherwise it will be defined with a default access of NONE.