From z/OS TSS STIG
Part of ZJES0052
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
JES2 system commands are used to control JES2 resources and the operating system environment. Failure to properly control access to JES2 system commands could result in unauthorized personnel issuing sensitive JES2 commands. This exposure may threaten the integrity and availability of the operating system environment, and compromise the confidentiality of customer data.
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(WHOHOPER) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ZJES0052) b) If access to JES2 system commands defined in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), there is NO FINDING. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. c) If access to specific JES2 system commands is logged as indicated in the table entitled Controls on JES2 System Commands, in the z/OS STIG Addendum, there is NO FINDING. d) If either (b) or (c) above is untrue for any JES2 system command resource, this is a FINDING.
Extended MCS support allows the installation to control the use of JES2 system commands through the ACP. These commands are subject to various types of potential abuse. For this reason, it is necessary to place restrictions on the JES2 system commands that can be entered by particular operators. To control access to JES2 system commands, the following recommendations will be applied when implementing security: Ensure access to JES2 system commands defined in the "Controls on JES2 System Commands" table, in the zOS STIG Addendum restricts access to the appropriate personnel (e.g., operations staff, systems programming personnel, general users) and logged if indicated. NOTE: Use the GROUP category specified in the table referenced above as a guideline to determine appropriate personnel access to system commands. The following is a sample command to allow operators with a profile ACID of opracid to use the $DS command: TSS PERMIT(opracid) OPRCMDS(JES2.DISPLAY.STC) ACCESS(READ) The following is a sample command to allow operators with a profile ACID of opracid to use the $DM command: TSS PERMIT(opracid) OPERCMDS(JES2.SEND.MESSAGE) - ACCESS(READ) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $B command: TSS PERMIT(opracid) OPERCMDS(JES2.BACKSP.DEV) - ACCESS(UPDATE) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $ZI command: TSS PERMIT(opracid) OPERCMDS(JES2.HALT.INITIATOR) - ACCESS(CONTROL) ACTION(AUDIT) The following is a sample command to allow operators with a profile ACID of opracid to use the $ZSPOOL command: TSS PERMIT(opracid) OPERCMDS(JES2.HALT.SPOOL) - ACCESS(CONTROL) ACTION(AUDIT)
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer