JES2 output devices must be properly controlled for Classified Systems.

From z/OS TSS STIG

Part of ZJES0032

Associated with: CCI-000213

SV-74873r1_rule JES2 output devices must be properly controlled for Classified Systems.

Vulnerability discussion

JES2 output devices provide a variety of channels to which output can be processed. Failure to properly control these output devices could result in unauthorized personnel accessing output. This exposure may compromise the confidentiality of customer data on a classified System..

Check content

Refer to the following report produced by the Data Set and Resource Data Collection: - Classification of System - SENSITVE.RPT(WHOHWTR) If the Classification of the system is unclassified, this is not applicable. Verify that the accesses for WRITER resources are restricted. If the following guidance is true, this is not a finding. ___ The TSS WRITER resource class in the RDT has the DEFPROT attribute specified and/or the resources and/or generic equivalent identified below are owned. ___ The TSS resources and/or generic equivalent identified below will be defined with access restricted to the operators and system programming personnel: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename NOTE: Common sense should prevail during the analysis. For example, access to the offload output destinations should be limited to only systems personnel (e.g., operations staff/system programmers) on a classified system.

Fix text

Verify with the ISSO to see that access authorization for resources defined to the WRITER resource class is restricted to the operators and system programmers on a classified system only. Define resources in the ACP’s respective WRITER class for each of the following output destinations: JES2.LOCAL.devicename JES2.LOCAL.OFFn.* JES2.LOCAL.OFFn.JT JES2.LOCAL.OFFn.ST JES2.LOCAL.PRTn JES2.LOCAL.PUNn JES2.NJE.nodename JES2.RJE.devicename The resource definition will be generic if all of the resources of the same type have identical access controls (e.g., if all off load transmitters are equivalent). If all users are permitted to route output to a specific destination, the resource controlling it may be defined with a default access of either NONE or READ. Otherwise it will be defined with a default access of NONE.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer