RJE workstations and NJE nodes are not controlled in accordance with security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6916	ZJES0011	SV-7314r2_rule	DCCS-1 DCCS-2	Medium

Description
JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Description

JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS RACF STIG	2019-12-12

Details

Check Text ( C-20669r1_chk )
RJE Userids Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement. There are no known non-dedicated RJE Workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls. a) Refer to the following report produced by the z/OS Data Collection: - PARMLIB(JES2 parameters) Refer to the following report produced by the RACF Data Collection: - RACFCMDS.RPT(LISTUSER) b) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. c) Ensure the RJE workstation userids are defined as follows: 1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement. 2) No userid segments (e.g., TSO, CICS, etc.) are defined. 3) Restricted from accessing all data sets and resources with exception of the corresponding JESINPUT class profile for that remote. NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists. d) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnn identifies the remote number. e) If all of the above are true, there is NO FINDING. f) If any of the above are untrue, this is a FINDING.

Check Text ( C-20669r1_chk )

RJE Userids

Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement.

There are no known non-dedicated RJE Workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.

a) Refer to the following report produced by the z/OS Data Collection:

- PARMLIB(JES2 parameters)

Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)

b) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

c) Ensure the RJE workstation userids are defined as follows:

1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.

2) No userid segments (e.g., TSO, CICS, etc.) are defined.

3) Restricted from accessing all data sets and resources with exception of the corresponding JESINPUT class profile for that remote.

NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.

d) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnn identifies the remote number.

e) If all of the above are true, there is NO FINDING.

f) If any of the above are untrue, this is a FINDING.

Fix Text (F-18597r1_fix)
RJE Userids Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement. There are no known non-dedicated RJE Workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls. a) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report. b) Ensure the RJE workstation userids are defined as follows: 1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement. 2) No userid segments (e.g., TSO, CICS, etc.) are defined. 3) Restricted from accessing all data sets and resources with exception of the corresponding JESINPUT-class profile for that remote. Review Chapter 17 of the RACF Security Admin Guide. The following is an example that show proper implementation: AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN) AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED PE RMT777 CL(JESINPUT) ID(RMT777) c) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnn identifies the remote number. A command example is shown here: RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')

Fix Text (F-18597r1_fix)

RJE Userids

Note that this guidance addresses RJE Workstations that are "Dedicated". If an RJE workstation is dedicated, the assumption is that the RJE to host connection is hard-wired between the RJE and host. In this case the RMT definition statement will contain the keyword LINE= which specifies that this RJE is only connected via that one LINE statement.

There are no known non-dedicated RJE Workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.

a) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

b) Ensure the RJE workstation userids are defined as follows:

1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.

2) No userid segments (e.g., TSO, CICS, etc.) are defined.

3) Restricted from accessing all data sets and resources with exception of the corresponding JESINPUT-class profile for that remote.

Review Chapter 17 of the RACF Security Admin Guide. The following is an example that show proper implementation:

AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN)

AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED

PE RMT777 CL(JESINPUT) ID(RMT777)

c) Ensure that a FACILITY-Class profile exists in the format RJE.RMTnnnn where nnn identifies the remote number.

A command example is shown here:

RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')