JES2 input sources are improperly protected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6919	ZJES0021	SV-7324r2_rule		Medium

Description
JES2 input sources provide a variety of channels for job submission. Failure to properly control the use of these input sources could result in unauthorized submission of work into the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-30345r1_chk )
a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(WHOOJESI) Refer to the following report produced by the z/OS Data Collection: - PARMLIB(JES2 parameters) b) Review the following resources in the JESINPUT resource class: OFFn. (spool offload receiver) NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned. NOTE 1: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the JES2 parameters. c) If all of the resources in (b) are owned by generic and/or fully qualified entries in the JESINPUT resource class, there is NO FINDING. d) If any of the above resources are not owned, or are owned inappropriately, in the JESINPUT resource class, this is a FINDING.

Check Text ( C-30345r1_chk )

a) Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(WHOOJESI)

Refer to the following report produced by the z/OS Data Collection:

- PARMLIB(JES2 parameters)

b) Review the following resources in the JESINPUT resource class:

OFFn. (spool offload receiver)

NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned.

NOTE 1: OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the JES2 parameters.

c) If all of the resources in (b) are owned by generic and/or fully qualified entries in the JESINPUT resource class, there is NO FINDING.

d) If any of the above resources are not owned, or are owned inappropriately, in the JESINPUT resource class, this is a FINDING.

Fix Text (F-27104r1_fix)
Review the following resources in the JESINPUT resource class: OFFn. (spool offload receiver) NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned. NOTE 1: OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report. Ensure all of the defined resources above are owned by generic and/or fully qualified entries in the JESINPUT resource class. For Example: The following commands may be used to establish default protection for resources defined to the JESINPUT resource class: TSS ADDTO(deptacid) JESINPUT(OFFn.) Grant read access to authorized users for each of the resources defined to the JESINPUT resource class. The following is an example of granting operators with a profile ACID of jesopracid permission to restore jobs into any SPOOL off load processor after obtaining permission from the IAO: TSS PERMIT(jesopracid) JESINPUT(OFF*.) ACCESS(READ) ACTION(AUDIT) The resource definition should be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent).

Fix Text (F-27104r1_fix)

Review the following resources in the JESINPUT resource class:

OFFn. (spool offload receiver)

NOTE: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be owned.

NOTE 1: OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report.

Ensure all of the defined resources above are owned by generic and/or fully qualified entries in the JESINPUT resource class.

For Example:

The following commands may be used to establish default protection for resources defined to the JESINPUT resource class:

TSS ADDTO(deptacid) JESINPUT(OFFn.)

Grant read access to authorized users for each of the resources defined to the JESINPUT resource class.

The following is an example of granting operators with a profile ACID of jesopracid permission to restore jobs into any SPOOL off load processor after obtaining permission from the IAO:

TSS PERMIT(jesopracid) JESINPUT(OFF*.) ACCESS(READ) ACTION(AUDIT)

The resource definition should be generic if all of the resources of the same type have identical access controls (e.g., if all off load receivers are equivalent).