JES2 system commands are not protected in accordance with security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6928	ZJES0052	SV-17410r2_rule	DCCS-1 DCCS-2 ECCD-1 ECCD-2	Medium

Description
JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS RACF STIG	2015-03-27

Details

Check Text ( C-20875r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(OPERCMDS) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZJES0052) b) If the JES2.** resource is defined to the OPERCMDS class with a default access of NONE and all access is logged, there is NO FINDING. c) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. d) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING. e) If either (b), (c), or (d) above is untrue for any JES2 system command resource, this is a FINDING.

Check Text ( C-20875r1_chk )

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(OPERCMDS)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZJES0052)

b) If the JES2.** resource is defined to the OPERCMDS class with a default access of NONE and all access is logged, there is NO FINDING.

c) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING.

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

d) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING.

e) If either (b), (c), or (d) above is untrue for any JES2 system command resource, this is a FINDING.

Fix Text (F-18834r1_fix)
Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. Some commands are particularly dangerous and should only be used when less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL. To control access to JES2 system commands, apply the following recommendations when implementing security: 1) Define the JES2. resource in the OPERCMDS class with a default access of NONE and all access is logged. 2) Define the JES2 system commands as specified in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users). NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. 3) Define the JES2 system commands with proper logging as specified in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum. Build a command file based on the referenced JES2 Command Table. A sample of the commands in the command file is provided here: RDEF OPERCMDS JES2. UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') RDEF OPERCMDS JES2.. UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052') PE JES2.. CL(OPERCMDS) ID() ACC(U) SETR RACL(OPERCMDS) REF

Fix Text (F-18834r1_fix)

Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators.

Some commands are particularly dangerous and should only be used when less drastic options have been exhausted. Misuse of these commands can create a situation in which the only recovery is an IPL.

To control access to JES2 system commands, apply the following recommendations when
implementing security:

1) Define the JES2.** resource in the OPERCMDS class with a default access of NONE and all access is logged.

2) Define the JES2 system commands as specified in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

3) Define the JES2 system commands with proper logging as specified in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum.

Build a command file based on the referenced JES2 Command Table. A sample of the commands in the command file is provided here:

RDEF OPERCMDS JES2.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052')

RDEF OPERCMDS JES2..** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('REQUIRED BY SRR PDI ZJES0052')
PE JES2..** CL(OPERCMDS) ID() ACC(U)

SETR RACL(OPERCMDS) REF