RJE workstations and NJE nodes are not controlled in accordance with security requirements.

From z/OS RACF STIG

Part of ZJES0011

Associated with IA controls: DCCS-1, DCCS-2

Associated with: CCI-000366

SV-7314r2_rule RJE workstations and NJE nodes are not controlled in accordance with security requirements.

Vulnerability discussion

JES2 RJE workstations and NJE nodes provide a method of sending and receiving data (e.g., jobs, job output, and commands) from remote locations. Failure to properly identify and control these remote facilities could result in unauthorized sources transmitting data to and from the operating system. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check content

RJE Userids

Note that this guidance addresses RJE workstations that are "dedicated". If an RJE workstation is dedicated, the assumption is that the RJE-to-host connection is hard-wired between the RJE and the host. In this case the RMT definition statement will contain the keyword LINE=, which specifies that this RJE is connected only via that one LINE statement. There are no known non-dedicated RJE workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.

a) Refer to the following report produced by the z/OS Data Collection:
- PARMLIB(JES2 parameters)
Refer to the following report produced by the RACF Data Collection:
- RACFCMDS.RPT(LISTUSER)

b) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

c) Ensure the RJE workstation userids are defined as follows:
1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.
2) No userid segments (e.g., TSO, CICS, etc.) are defined.
3) The userid is restricted from accessing all data sets and resources, with the exception of the corresponding JESINPUT-class profile for that remote.

NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.

d) Ensure that a FACILITY-class profile exists in the format RJE.RMTnnnn, where nnnn identifies the remote number.

e) If all of the above are true, there is NO FINDING.

f) If any of the above are untrue, this is a FINDING.

Fix text

RJE Userids

Note that this guidance addresses RJE workstations that are "dedicated". If an RJE workstation is dedicated, the assumption is that the RJE-to-host connection is hard-wired between the RJE and the host. In this case the RMT definition statement will contain the keyword LINE=, which specifies that this RJE is connected only via that one LINE statement. There are no known non-dedicated RJE workstations in use within CSD. If such devices are used, the site should open a ticket with the FSO and jointly develop proper security controls.

a) Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

b) Ensure the RJE workstation userids are defined as follows:
1) A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.
2) No userid segments (e.g., TSO, CICS, etc.) are defined.
3) The userid is restricted from accessing all data sets and resources, with the exception of the corresponding JESINPUT-class profile for that remote.

Review Chapter 17 of the RACF Security Administrator's Guide. The following is an example that shows a proper implementation for remote 777:

AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN)
AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED
PE RMT777 CL(JESINPUT) ID(RMT777)

NOPASS makes RMT777 a protected userid that cannot be used to log on with a password, and RESTRICTED means it gains no access through UACC, ID(*) access list entries or the global access checking table, so only explicit permits such as the JESINPUT permit above apply. Explicit permits elsewhere in the database are not removed by these attributes; use the IRRUT100 report to confirm none exist.

c) Ensure that a FACILITY-class profile exists in the format RJE.RMTnnnn, where nnnn identifies the remote number. A command example is shown here:

RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')
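The check and fix steps above can be scripted against the collected reports. The following Python is an added example, not part of the STIG or of any vendor tool: it extracts the RMT(nnnn) remotes from a JES2 parameter fragment, reads a simplified LISTUSER report to find each RMTnnnn userid's attributes and segments, compares the result with a list of FACILITY-class profile names, and emits the fix-text RACF commands for any remote with a finding. The JES2 parameters, LISTUSER text and profile list are constructed sample data, and the LISTUSER layout is an approximation of the real command output. The RESTRICTED/PROTECTED attribute checks are a proxy for "no access beyond JESINPUT"; explicit permits still need the IRRUT100 review described in the check.

```python
"""Audit JES2 RJE remotes against the ZJES0011 checks (added example, not STIG text)."""
import re

# Constructed JES2 PARMLIB fragment. A LINE= keyword marks a dedicated remote.
JES2_PARMS = """\
RMT(777) DEVTYPE=LUTYPE1,LINE=1,BUFSIZE=512
RMT(778) DEVTYPE=LUTYPE1,LINE=2
RMT(779) DEVTYPE=LUTYPE1,LINE=3
RMT(780) DEVTYPE=LUTYPE1
"""

# Constructed, approximated LISTUSER output for the RMTnnnn userids.
# Segment listings appear as "<SEGMENT> INFORMATION" blocks in real output.
LISTUSER_OUTPUT = """\
USER=RMT777  NAME=RMT RJE 777  OWNER=RMTGRP  CREATED=24.010
 DEFAULT-GROUP=RMTGRP  PASSDATE=N/A  PASS-INTERVAL=N/A
 ATTRIBUTES=PROTECTED RESTRICTED
USER=RMT778  NAME=RMT RJE 778  OWNER=RMTGRP  CREATED=24.010
 DEFAULT-GROUP=RMTGRP  PASSDATE=24.010  PASS-INTERVAL=60
 ATTRIBUTES=NONE

 TSO INFORMATION
 ---------------
 ACCTNUM= ACCT#
 PROC= IKJACCNT
"""

# Constructed set of FACILITY-class profile names (as listed by RLIST FACILITY *).
FACILITY_PROFILES = {"RJE.RMT777", "RJE.RMT778"}

RMT_RE = re.compile(r"^\s*RMT\((\d+)\)(.*)$", re.M)


def parse_remotes(parms):
    """Return {remote_number: dedicated} for every RMT(nnnn) statement."""
    return {
        m.group(1): re.search(r"\bLINE=", m.group(2).upper()) is not None
        for m in RMT_RE.finditer(parms)
    }


def parse_listuser(text):
    """Return {userid: {"attributes": set, "segments": set}} from LISTUSER text."""
    users, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("USER="):
            current = s.split()[0][len("USER="):]
            users[current] = {"attributes": set(), "segments": set()}
        elif current and s.startswith("ATTRIBUTES="):
            users[current]["attributes"] = set(s[len("ATTRIBUTES="):].split()) - {"NONE"}
        elif current and s.endswith(" INFORMATION"):
            users[current]["segments"].add(s.split()[0])
    return users


def audit(remotes, users, facility_profiles):
    """Apply the check steps to each remote; return {remote_number: [findings]}."""
    result = {}
    for rmt, dedicated in sorted(remotes.items()):
        userid, findings = "RMT" + rmt, []
        if not dedicated:
            findings.append("no LINE= on RMT statement: non-dedicated remote, open ticket with FSO")
        user = users.get(userid)
        if user is None:
            findings.append(f"userid {userid} not defined to RACF")
        else:
            if user["segments"]:
                findings.append(f"{userid} has segments: {', '.join(sorted(user['segments']))}")
            if "RESTRICTED" not in user["attributes"]:
                findings.append(f"{userid} lacks RESTRICTED attribute")
            if "PROTECTED" not in user["attributes"]:  # NOPASS in the fix text
                findings.append(f"{userid} lacks PROTECTED attribute (NOPASS)")
        if f"RJE.{userid}" not in facility_profiles:
            findings.append(f"FACILITY profile RJE.{userid} missing")
        result[rmt] = findings
    return result


def remediation(rmt):
    """The fix-text RACF commands, parameterised on the remote number."""
    u = "RMT" + rmt
    return [
        f"AU {u} NAME('RMT RJE {rmt}') DFLTGRP(RMTGRP) OWNER(RMTGRP) "
        f"DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED",
        f"PE {u} CL(JESINPUT) ID({u})",
        f"RDEF FACILITY RJE.{u} UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE {rmt}')",
    ]


if __name__ == "__main__":
    report = audit(parse_remotes(JES2_PARMS), parse_listuser(LISTUSER_OUTPUT), FACILITY_PROFILES)
    for rmt, findings in report.items():
        print(f"RMT({rmt}): {'FINDING' if findings else 'NO FINDING'}")
        for f in findings:
            print("  -", f)
        if findings:
            print("  remediation:")
            for cmd in remediation(rmt):
                print("   ", cmd)
```

Running the script flags RMT(778) for its TSO segment and missing attributes, RMT(779) for the undefined userid and missing FACILITY profile, and RMT(780) as non-dedicated; RMT(777) is clean. The AG RMTGRP command is issued once rather than per remote, so it is left out of the per-remote remediation list.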
