UCF STIG Viewer Logo

JES2 input sources are not controlled in accordance with theh proper security requirements.


Overview

Finding ID Version Rule ID IA Controls Severity
V-6919 ZJES0021 SV-7323r2_rule Medium
Description
JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text ( C-20612r1_chk )
a) Refer to the following reports produced by the RACF Data Collection and Data Set and Resource Data Collection:

- SENSITVE.RPT(JESINPUT)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Refer to the following report produced by the z/OS Data Collection:

- PARMLIB(JES2 parameters)

b) Review the following resources in the JESINPUT resource class:

INTRDR (internal reader for batch jobs)
nodename (NJE node)
OFFn.* (spool offload receiver)
Rnnnn (RJE workstation)
RDRnn (local card reader)
STCINRDR (internal reader for started tasks)
TSUINRDR (internal reader for TSO logons)

NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined.

NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the report.

NOTE 2: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the report.

NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the report.

NOTE 4: RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the report.


c) Ensure the following items are in effect:

1) The JESINPUT resource class is active.
2) The resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class.
3) UACC(NONE) is specified for all resources.

NOTE: UACC(READ) is allowed for input sources that are permitted to submit jobs for all users. No guidance on which input sources are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, offload, and STC input sources.

d) If all of the items mentioned in (c) are true, there is NO FINDING.

e) If any of the items mentioned in (c) is untrue, this is a FINDING.
Fix Text (F-18545r1_fix)
Review the following resources in the JESINPUT resource class:

INTRDR (internal reader for batch jobs)
nodename (NJE node)
OFFn.* (spool offload receiver)
Rnnnn (RJE workstation)
RDRnn (local card reader)
STCINRDR (internal reader for started tasks)
TSUINRDR (internal reader for TSO logons)

NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined.

NOTE 1: Nodename is the NAME parameter in the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.

NOTE 2: OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report.

NOTE 3: Rnnnn, where nnnn is the number of the remote workstation. Review the JES2 parameters for RJE node definitions by searching for RMT( in the report.

NOTE 4: RDRnn, where nn is the number of the reader. Review the JES2 parameters for reader definitions by searching for RDR( in the report.

c) Ensure the following items are in effect:

1) The JESINPUT resource class is active.

2) The resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class.

3) UACC(NONE) is specified for all resources.

NOTE: UACC(READ) is allowed for input sources that are permitted to submit jobs for all users. Currently, there is no guidance on which input sources are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, offload, and STC input sources.

Examples:

setr classact(jesinput)
setr generic(jesinput)
rdef jesinput intrdr uacc(none) owner(admin) audit(failures(read) success(update)) data('Per SRR PDI ZJES0021')
pe intrdr cl(jesinput) id()
pe intrdr cl(jesinput) id(*) /* all users */