JES2 system commands are not protected in accordance with security requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6928	ZJES0052	SV-17409r2_rule		Medium

Description
JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

STIG	Date
z/OS TSS STIG	2019-12-12

Details

Check Text ( C-20915r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(WHOHOPER) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZJES0052) b) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. c) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING. d) If either (b) or (c) above is untrue for any JES2 system command resource, this is a FINDING.

Check Text ( C-20915r1_chk )

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(WHOHOPER)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ZJES0052)

b) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING.

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

c) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING.

d) If either (b) or (c) above is untrue for any JES2 system command resource, this is a FINDING.

Fix Text (F-18874r1_fix)
Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security: Ensure access to JES2 system commands defined in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) and logged if indicated. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. The following is a sample command to allow operators with a profile ACID of opracid to use the $DS command: TSS PERMIT(opracid) OPRCMDS(JES2.DISPLAY.STC) ACCESS(READ) The following is a sample command to allow operators with a profile ACID of opracid to use the $DM command: TSS PERMIT(opracid) OPERCMDS(JES2.SEND.MESSAGE) - ACCESS(READ) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $B command: TSS PERMIT(opracid) OPERCMDS(JES2.BACKSP.DEV) - ACCESS(UPDATE) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $ZI command: TSS PERMIT(opracid) OPERCMDS(JES2.HALT.INITIATOR) - ACCESS(CONTROL) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $ZSPOOL command: TSS PERMIT(opracid) OPERCMDS(JES2.HALT.SPOOL) - ACCESS(CONTROL) ACTION(AUDIT)

Fix Text (F-18874r1_fix)

Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security:

Ensure access to JES2 system commands defined in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) and logged if indicated.

NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands.

The following is a sample command to allow operators with a profile ACID of opracid to use the $DS command:

TSS PERMIT(opracid) OPRCMDS(JES2.DISPLAY.STC) ACCESS(READ)

The following is a sample command to allow operators with a profile ACID of opracid to use the $DM command:

TSS PERMIT(opracid) OPERCMDS(JES2.SEND.MESSAGE) -
ACCESS(READ) ACTION(AUDIT)

The following is a sample command to allow operators with a profile ACID of opracid to use the $B command:

TSS PERMIT(opracid) OPERCMDS(JES2.BACKSP.DEV) -
ACCESS(UPDATE) ACTION(AUDIT)

The following is a sample command to allow operators with a profile ACID of opracid to use the $ZI command:

TSS PERMIT(opracid) OPERCMDS(JES2.HALT.INITIATOR) -
ACCESS(CONTROL) ACTION(AUDIT)

The following is a sample command to allow operators with a profile ACID of opracid to use the $ZSPOOL command:

TSS PERMIT(opracid) OPERCMDS(JES2.HALT.SPOOL) -
ACCESS(CONTROL) ACTION(AUDIT)