JES2 system commands are not protected in accordance with security requirements.

From z/OS TSS STIG

Part of ZJES0052

Associated with: CCI-000213 CCI-002234

SV-17409r2_rule JES2 system commands are not protected in accordance with security requirements.

Vulnerability discussion

JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.

Check content

a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(WHOHOPER) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZJES0052) b) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. c) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING. d) If either (b) or (c) above is untrue for any JES2 system command resource, this is a FINDING.

Fix text

Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security: Ensure access to JES2 system commands defined in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) and logged if indicated. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. The following is a sample command to allow operators with a profile ACID of opracid to use the $DS command: TSS PERMIT(opracid) OPRCMDS(JES2.DISPLAY.STC) ACCESS(READ) The following is a sample command to allow operators with a profile ACID of opracid to use the $DM command: TSS PERMIT(opracid) OPERCMDS(JES2.SEND.MESSAGE) - ACCESS(READ) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $B command: TSS PERMIT(opracid) OPERCMDS(JES2.BACKSP.DEV) - ACCESS(UPDATE) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $ZI command: TSS PERMIT(opracid) OPERCMDS(JES2.HALT.INITIATOR) - ACCESS(CONTROL) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $ZSPOOL command: TSS PERMIT(opracid) OPERCMDS(JES2.HALT.SPOOL) - ACCESS(CONTROL) ACTION(AUDIT)

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer