STIGQter STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: JES2 spool resources will be controlled in accordance with security requirements.

DISA Rule

SV-7336r3_rule

Vulnerability Number

V-6926

Group Title

ZJES0046

Rule Version

ZJES0046

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The IAO will develop a plan of action to implement the required changes. Ensure the following items are in effect for JESSPOOL resources. The JESSPOOL may have more restrictive security at the direction of the IAO.

The JESSPOOL resources may be fully qualified, be specified as generic, or be specified with masking as indicated below:

localnodeid.userid.jobname.jobid.dsnumber.name

localnodeid The name of the node on which the SYSIN or SYSOUT data set currently resides.

userid The userid associated with the job. This is the userid used for validation purposes when the job runs.

jobname The name that appears in the name field of the JOB statement.

jobid The job number JES2 assigned to the job.

dsnumber The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier.

name The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?).

By default a user has access only to that user’s own JESSPOOL resources. However, situations exist where a user legitimately requires access to jobs that run under another user’s userid. In particular, if a user routes SYSOUT to an external writer, the external writer should have access to that user’s SYSOUT.

The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc)

RDEF JESSPOOL localnodeid.** UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('PROTECT JESSPOOL AT HIGH LEVEL, REF ZJES0046')
PE localnodeid.** CL(JESSPOOL) ID(syspaudt) ACC(A)

The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the IAO. Access will be identified at the minimum access for the user to accomplish the users function, SERVICE(READ, UPDATE, DELETE, ADD). All access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes. If frequent situations occur where users working on a common project require selective access to each other's jobs, then the installation may delegate to the individual users the authority to grant access, but only with the approval of the IAO.

RDEF JESSPOOL localnode.userid.jobname.jobid.dsnumber.name –
UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) –
DATA('PROTECT JESSPOOL, REF ZJES0046')
PE localnode.userid.jobname.jobid.dsnumber.name CL(JESSPOOL) ID(<users_or_groups>) ACC(R)

If IBM’s SDSF product is installed on the system, resources defined to the JESSPOOL resource class control functions related to jobs, output groups, and SYSIN/SYSOUT data sets on various SDSF panels.

CSSMTP will not be granted to the JESSPOOL resource of the high level “node.” or “localnodeid.” . CSSMTP can have access to the specific approved JESSPOOL resources, minimally qualified to the node.userid. and all access will be logged. This will ensure system records who (userid) sent traffic to CSSMTP, when and what job/process.

Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the IAO. Logging of access is not required.

The IAO will review JESSPOOL resource rules. If a rule has been determined not to have been used within the last 2 years, the rule shall be removed.

Check Contents

Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(JESSPOOL)

Verify that the accesses to the JESSPOOL resources are properly restricted. If the following guidance is true, this is not a finding.

Review the JESSPOOL report for resource permissions with the following naming convention. These profiles may be fully qualified, be specified as generic, or be specified with masking as indicated below:

localnodeid.userid.jobname.jobid.dsnumber.name

localnodeid The name of the node on which the SYSIN or SYSOUT data set currently resides.
userid The userid associated with the job. This is the userid RACF uses for validation purposes when the job runs.
jobname The name that appears in the name field of the JOB statement.
jobid The job number JES2 assigned to the job.
dsnumber The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier.
name The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?).

All users have access to their own JESSPOOL resources.

The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc)

The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the IAO. Access will be identified at the minimum access for the user to accomplish the users function. UPDATE, CONTROL, and ALTER access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes.

CSSMTP will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the IAO. All access will be logged.

Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the IAO. Logging of access is not required.

Vulnerability Number

V-6926

Documentable

False

Rule Version

ZJES0046

Severity Override Guidance

Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(JESSPOOL)

Verify that the accesses to the JESSPOOL resources are properly restricted. If the following guidance is true, this is not a finding.

Review the JESSPOOL report for resource permissions with the following naming convention. These profiles may be fully qualified, be specified as generic, or be specified with masking as indicated below:

localnodeid.userid.jobname.jobid.dsnumber.name

localnodeid The name of the node on which the SYSIN or SYSOUT data set currently resides.
userid The userid associated with the job. This is the userid RACF uses for validation purposes when the job runs.
jobname The name that appears in the name field of the JOB statement.
jobid The job number JES2 assigned to the job.
dsnumber The unique data set number JES2 assigned to the spool data set. A D is the first character of this qualifier.
name The name of the data set specified in the DSN= parameter of the DD statement. If the JCL did not specify DSN= on the DD statement that creates the spool data set, JES2 uses a question mark (?).

All users have access to their own JESSPOOL resources.

The localnodeid. resource will be restricted to only system programmers, operators, and automated operations personnel with access of ALTER. All access will be logged. (localnodeid. resource includes all generic and/or masked permissions, example: localnodeid.**, localnodeid.*, etc)

The JESSPOOL localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked, can be made available to users, when approved by the IAO. Access will be identified at the minimum access for the user to accomplish the users function. UPDATE, CONTROL, and ALTER access will be logged. An example is team members within a team, providing the capability to view, help, and/or debug other team member jobs/processes.

CSSMTP will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the IAO. All access will be logged.

Spooling products users (CA-SPOOL, CA View, etc.) will be restricted to localnodeid.userid.jobname.jobid.dsnumber.name, whether generic and/or masked when approved by the IAO. Logging of access is not required.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

197

Comments