STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: JES2 output devices are not controlled in accordance with the proper security requirements.

DISA Rule

SV-7327r2_rule

Vulnerability Number

V-6921

Group Title

ZJES0031

Rule Version

ZJES0031

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

WRITER Resource Definitions

Review the following resources in the WRITER resource class:

JES2.** (backstop profile)
JES2.LOCAL.OFFn.* (spool offload transmitter)
JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter)
JES2.LOCAL.OFFn.JT (spool offload job transmitter)
JES2.LOCAL.PRTn (local printer)
JES2.LOCAL.PUNn (local punch)
JES2.NJE.nodename (NJE node)
JES2.RJE.Rnnnn.PRm (remote printer)
JES2.RJE.Rnnnn.PUm (remote punch)

NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters.

NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters.

NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters.

NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.

NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters.

NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters.

c) Ensure the following items are in effect:

1) The WRITER resource class is active.

2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE).

3) The other resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE).

NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations.

Examples:

setr classact(writer)
setr gencmd(writer) generic(writer)
setr raclist(writer)
RDEF WRITER JES2.** owner(admin) AUDIT(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.** owner(admin) AUDIT(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.OFF*.JT owner(admin) audit(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.OFF*.ST owner(admin) audit(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.PRT* owner(admin) audit(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.LOCAL.PUN* owner(admin) audit(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.NJE.** owner(admin) audit(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')
RDEF WRITER JES2.RJE.** owner(admin) audit(ALL) UACC(NONE) -
data('Reference SRR PDI ZJES0031')

pe JES2.** cl(writer) id(<syspaudt>)
pe JES2.LOCAL.** cl(writer) id(<syspaudt>)
pe JES2.LOCAL.OFF*.JT cl(writer) id(<syspaudt>)
pe JES2.LOCAL.OFF*.ST cl(writer) id(<syspaudt>)
pe JES2.LOCAL.PRT* cl(writer) id(<syspaudt>)
pe JES2.LOCAL.PUN* cl(writer) id(<syspaudt>)
pe JES2.NJE.** cl(writer) id(<syspaudt>)
pe JES2.RJE.** cl(writer) id(<syspaudt>)
setr racl(writer) Ref

Check Contents

WRITER Resource Definitions

a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(WRITER)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Refer to the following reports produced by the z/OS Data Collection:

- EXAM.RPT(SUBSYS)
- PARMLIB(JES2 parameters)

b) Review the following resources in the WRITER resource class:

JES2.** (backstop profile)
JES2.LOCAL.OFFn.* (spool offload transmitter)
JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter)
JES2.LOCAL.OFFn.JT (spool offload job transmitter)
JES2.LOCAL.PRTn (local printer)
JES2.LOCAL.PUNn (local punch)
JES2.NJE.nodename (NJE node)
JES2.RJE.Rnnnn.PRm (remote printer)
JES2.RJE.Rnnnn.PUm (remote punch)

NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters.

NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters.

NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters.

NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.

NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters.

NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters.

c) Ensure the following items are in effect:

1) The WRITER resource class is active.

2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE).

3) The other resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE).

NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations.

d) If all of the items mentioned in (c) are true, there is NO FINDING.

e) If any item mentioned in (c) is untrue, this is a FINDING.

Vulnerability Number

V-6921

Documentable

False

Rule Version

ZJES0031

Severity Override Guidance

WRITER Resource Definitions

a) Refer to the following reports produced by the RACF Data Collection:

- SENSITVE.RPT(WRITER)
- RACFCMDS.RPT(SETROPTS)
- DSMON.RPT(RACCDT) - Alternate list of active resource classes

Refer to the following reports produced by the z/OS Data Collection:

- EXAM.RPT(SUBSYS)
- PARMLIB(JES2 parameters)

b) Review the following resources in the WRITER resource class:

JES2.** (backstop profile)
JES2.LOCAL.OFFn.* (spool offload transmitter)
JES2.LOCAL.OFFn.ST (spool offload SYSOUT transmitter)
JES2.LOCAL.OFFn.JT (spool offload job transmitter)
JES2.LOCAL.PRTn (local printer)
JES2.LOCAL.PUNn (local punch)
JES2.NJE.nodename (NJE node)
JES2.RJE.Rnnnn.PRm (remote printer)
JES2.RJE.Rnnnn.PUm (remote punch)

NOTE 1: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

NOTE 2: OFFn, where n is the number of the offload transmitter. Determine the numbers by searching for OFF( in the JES2 parameters.

NOTE 3: PRTn, where n is the number of the local printer. Determine the numbers by searching for PRT( in the JES2 parameters.

NOTE 4: PUNn, where n is the number of the local card punch. Determine the numbers by searching for PUN( in the JES2 parameters.

NOTE 5: Nodename is the NAME parameter value specified on the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.

NOTE 6: Rnnnn.PRm, where nnnn is the number of the remote workstation and m is the number of the printer. Determine the numbers by searching for .PR in the JES2 parameters.

NOTE 7: Rnnnn.PUm, where nnnn is the number of the remote workstation and m is the number of the punch. Determine the numbers by searching for .PU in the JES2 parameters.

c) Ensure the following items are in effect:

1) The WRITER resource class is active.

2) The profile JES2.** is defined to the WRITER resource class with a UACC(NONE).

3) The other resources mentioned in (b) are protected by generic and/or fully qualified profiles defined to the WRITER resource class with UACC(NONE).

NOTE: UACC(READ) is allowed for output destinations that are permitted to route output for all users. Currently, there is no guidance on which output destinations are appropriate for UACC(READ). However, common sense should prevail during the analysis. For example, UACC(READ) would typically be inappropriate for RJE, NJE, and offload output destinations.

d) If all of the items mentioned in (c) are true, there is NO FINDING.

e) If any item mentioned in (c) is untrue, this is a FINDING.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

197

Comments