JES2 output devices are improperly protected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6921	ZJES0031	SV-7328r2_rule		Medium

Description
JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data.

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-20819r1_chk )
a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(WHOOWTR) Refer to the following reports produced by the z/OS Data Collection: - PARMLIB(JES2 parameters) - EXAM.RPT(SUBSYS) b) Review the following resources in the WRITER resource class: JES2.(backstop entry) NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. c) Ensure the following items are in effect: 1) The JES2. resource is owned in the WRITER resource class. 2) The ownership of all WRITER resources is appropriate. d) If all of the items in (c) are true, there is NO FINDING. e) If any item in (c) is untrue, this is a FINDING.

Check Text ( C-20819r1_chk )

a) Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(WHOOWTR)

Refer to the following reports produced by the z/OS Data Collection:

- PARMLIB(JES2 parameters)
- EXAM.RPT(SUBSYS)

b) Review the following resources in the WRITER resource class:

JES2.(backstop entry)

NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the
JES2 subsystem.

c) Ensure the following items are in effect:

1) The JES2. resource is owned in the WRITER resource class.

2) The ownership of all WRITER resources is appropriate.

d) If all of the items in (c) are true, there is NO FINDING.

e) If any item in (c) is untrue, this is a FINDING.

Fix Text (F-18772r1_fix)
Ensure the following items are in effect: 1) The JES2. resource is owned in the WRITER resource class. For Example: The following command may be used to establish default protection for resources defined to the WRITER resource class: TSS ADDTO(deptacid) WRITER(JES2.) 2) The ownership of all WRITER resources is appropriate. Grant read access to authorized users for each of the following WRITER resource class output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFF.JT JES2.LOCAL.OFF.ST JES2.LOCAL.PRT* JES2.LOCAL.PUN* JES2.NJE.nodename JES2.RJE.devicename The following is an example of granting operators with a profile ACID of jesopracid permission to off load SYSOUT data sets into any SPOOL off load processor after obtaining permission from the IAO: TSS PERMIT(jesopracid) WRITER(JES2.LOCAL.OFF*.ST) - ACCESS(READ) ACTION(AUDIT) The resource definition should be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent).

Fix Text (F-18772r1_fix)

Ensure the following items are in effect:

1) The JES2. resource is owned in the WRITER resource class.

For Example:
The following command may be used to establish default protection for resources defined to the WRITER resource class:

TSS ADDTO(deptacid) WRITER(JES2.)

2) The ownership of all WRITER resources is appropriate.

Grant read access to authorized users for each of the following WRITER resource class output destinations:

JES2.LOCAL.devicename
JES2.LOCAL.OFF*.JT
JES2.LOCAL.OFF*.ST
JES2.LOCAL.PRT*
JES2.LOCAL.PUN*
JES2.NJE.nodename
JES2.RJE.devicename

The following is an example of granting operators with a profile ACID of jesopracid permission to off load SYSOUT data sets into any SPOOL off load processor after obtaining permission from the IAO:

TSS PERMIT(jesopracid) WRITER(JES2.LOCAL.OFF*.ST) -
ACCESS(READ) ACTION(AUDIT)

The resource definition should be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent).