JES2.** resource is improperly protected.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6927	ZJES0051	SV-7339r2_rule		Medium

Description
JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-20827r1_chk )
JES2 Command Resource Definition a) Refer to the following report produced by the TSS Data Collection: - TSSCMDS.RPT(WHOOOPER) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(SUBSYS) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZJES0051) b) If the JES2. resource is owned in the OPERCMDS class, there is NO FINDING. NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. c) If the JES2. resource is NOT owned, or is owned inappropriately, in the OPERCMDS class, this is a FINDING.

Check Text ( C-20827r1_chk )

JES2 Command Resource Definition
a) Refer to the following report produced by the TSS Data Collection:

- TSSCMDS.RPT(WHOOOPER)

Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(SUBSYS)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZJES0051)

b) If the JES2. resource is owned in the OPERCMDS class, there is NO FINDING.

NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

c) If the JES2. resource is NOT owned, or is owned inappropriately, in the OPERCMDS class, this is a FINDING.

Fix Text (F-18781r1_fix)
The JES2. resource must be owned in the OPERCMDS class. NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem. Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security: For Example: The following command may be used to establish default protection for JES2 system commands defined to the OPERCMDS resource class: TSS ADDTO(deptacid) OPERCMDS(JES2.)

Fix Text (F-18781r1_fix)

The JES2. resource must be owned in the OPERCMDS class.

NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security:

For Example:
The following command may be used to establish default protection for JES2 system commands defined to the OPERCMDS resource class:

TSS ADDTO(deptacid) OPERCMDS(JES2.)