From z/OS TSS STIG
Part of ACP00250
Associated with IA controls: DCCS-1, ECCD-2, DCCS-2, ECCD-1
Unauthorized access to proclib data sets referenced in the JES2 procedure can allow unauthorized modifications to STCs and other system level procedures. This could result in the compromise of the operating system environment, ACP, and customer data.
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(PROCRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00250) NOTE: The proclib data sets that contain the STCs and TSO logons are obtained from the following sources: 1) MSTJCLxx member used during an IPL. The proclib data sets are obtained from the IEFPDSI and IEFJOBS DD statements. 2) PROCxx DD statements and JES2 Dynamic Proclibs. Where ‘xx’ is the PROCLIB entries for the STC and TSU JOBCLASS configuration definitions. ___ The ACP data set rules for proclib data sets referenced in the JES2 procedure for STCs and TSO logons allow inappropriate access. ___ The ACP data set rules for proclib data sets referenced in the JES2 procedure for STCs and TSO logons do not restrict UPDATE and ALLOCATE / ALTER access to only z/OS systems programming personnel. b) If both of the above are untrue, there is NO FINDING. c) If either of the above is true, this is a FINDING.
Have the IAO validate that all UPDATE and ALLOCATE/ ALTER access to all proclibs referenced in the JES2 or JES3 procedure for started tasks (STCs) and TSO logons are resticted to systems programming personnel only. Suggestion on how to update system to be compliant with this vulnerability: Current guidance within the STIG is: (11) Restrict update and alter access to all proclibs referenced in the JES2 or JES3 procedure for started tasks (STCs) and TSO logons only to systems programming personnel. • (ACP00250: CAT II) The IAO will ensure that update and alter access to all system proclib datasets are limited to system programmers only. Analysis for ACP00250. NOTE: All examples are only examples and may not reflect your operating environment. The reviewers’ previous analysis is to collect all JES2 proclib data sets and ensure that all update and alter access is restricted to the system programming personnel. The current and future analysis is to obtain only the proclib data sets that contain STC and TSO procedures. The data sets to be reviewed are obtained using the following steps: 1. All data sets contained in the MSTJCLxx member in the DD statement concatenation for IEFPDSI and IEFJOBS. 2. The data set in the PROCxx DD statement concatenation that are within the JES2 procedure or identified in the JES2 dynamic proclib definitions. The specific PROCxx DD statement that is used is obtained from the PROCLIB entry for the JOBCLASSes of STC and TSU. The following is what data sets the process will obtain, the bolded entries will be used for analysis: MSTJCL00 //MSTJCL00 JOB MSGLEVEL=(1,1),TIME=1440 // EXEC PGM=IEEMB860,DPRTY=(15,15) //STCINRDR DD SYSOUT=(A,INTRDR) //TSOINRDR DD SYSOUT=(A,INTRDR) //IEFPDSI DD DSN=SYS3.PROCLIB,DISP=SHR // DD DSN=SYS2.PROCLIB,DISP=SHR // DD DSN=SYS1.PROCLIB,DISP=SHR //SYSUADS DD DSN=SYS1.UADS,DISP=SHR //SYSLBC DD DSN=SYS1.BRODCAST,DISP=SHR JES2 //JES2 PROC //IEFPROC EXEC PGM=HASJES20,PARM=NOREQ, // DPRTY=(15,15),TIME=1440,PERFORM=9 //ALTPARM DD DISP=SHR, // DSN=SYS1.PARMLIB(JES2BKUP) //HASPPARM DD DISP=SHR, // DSN=SYS1.PARMLIB(JES2PARM) //PROC00 DD DSN=SYS3.PROCLIB,DISP=SHR // DD DSN=SYS2.PROCLIB,DISP=SHR // DD DSN=SYS1.PROCLIB,DISP=SHR //PROC01 DD DSN=SYS4.USERPROC,DISP=SHR // DD DSN=SYS3.PROCLIB,DISP=SHR // DD DSN=SYS2.PROCLIB,DISP=SHR // DD DSN=SYS1.PROCLIB,DISP=SHR //IEFRDER DD SYSOUT=* //HASPLIST DD DDNAME=IEFRDER JES2 initialization parameter JOBCLASS PROCLIB entries JOBCLASS(*) ACCT=NO, /* ACCT # NOT REQUIRED (DEF.)*/ … PROCLIB=01, /* DEFAULT TO //PROC01 DD (DEF.)*/ … JOBCLASS(STC) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … JOBCLASS(TSU) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … Proclib data set that will be used in the access authorization process: SYS3.PROCLIB SYS2.PROCLIB SYS1.PROCLIB The following proclib data set will NOT be used or evaluated: SYS4.USERPROC Recommendation for sites: The following are recommendation for the sites to ensure only proclib data sets that contain the STC and TSO procedures are protected. 1. Remove all application proclib data sets from MSTJCLxx and JES2 procedures. The customer will have all JCL changed to use the JCLLIB JCL statement to refer to the application proclib data sets. Example: //USERPROC JCLLIB ORDER=(SYS4.USERPROC) 2. Remove all access to the application proclib data sets and only authorize system programming personnel update and alter access to these data sets. 3. Document the application proclib data set access for the customers that require update and/or alter access. Use this documentation as justification for the inappropriate access created by the scripts. 4. Change MSTJCLxx and JES2 procedure to identify STC and TSO procedure data sets separate from application procedure data sets. The following is a list of actions that will need to be performed to accomplish this recommendation: a. Ensure that MSTJCLxx contains only proclib data sets that contain STC and TSO procedures. b. If an application proclib data set is required for JES2, ensure that the JES2 procedure specifies more than one PROCxx DD statement concatenation is identified or identified in the JES2 dynamic proclib definitions. Identify one PROCxx DD statement data set concatenation that contains the STC and TSO proclib data sets. Identify one or more additional PROCxx DD statements that can contain any other proclib data sets. The concatenation of the additional PROCxx DD statements can contain the same data sets that are identified in the PROCxx DD statement for STC and TSO. The following is an example of the JES2 procedure: //JES2 PROC //IEFPROC EXEC PGM=HASJES20,PARM=NOREQ, // DPRTY=(15,15),TIME=1440,PERFORM=9 //ALTPARM DD DISP=SHR, // DSN=SYS1.PARMLIB(JES2BKUP) //HASPPARM DD DISP=SHR, // DSN=SYS1.PARMLIB(JES2PARM) //PROC00 DD DSN=SYS3.PROCLIB,DISP=SHR // DD DSN=SYS2.PROCLIB,DISP=SHR // DD DSN=SYS1.PROCLIB,DISP=SHR //PROC01 DD DSN=SYS4.USERPROC,DISP=SHR // DD DSN=SYS3.PROCLIB,DISP=SHR // DD DSN=SYS2.PROCLIB,DISP=SHR // DD DSN=SYS1.PROCLIB,DISP=SHR //IEFRDER DD SYSOUT=* //HASPLIST DD DDNAME=IEFRDER c. Ensure that the JES2 configuration file is changed to specify that the PROCLIB entry for the STC and TSU JOBCLASSes point to the proper PROCxx entry within the JES2 procedure or JES2 dynamic proclib definitions that contain the STC and/or TSO procedures. All other JOBCLASSes can specify a PROCLIB entry that uses the same PROCxx or any other PROCxx DD statement identified in the JES2 procedure or identified in the JES2 dynamic proclib definitions. The following is an example of the JES2 initialization parameters: JOBCLASS(*) ACCT=NO, /* ACCT # NOT REQUIRED (DEF.)*/ … PROCLIB=01, /* DEFAULT TO //PROC01 DD (DEF.)*/ … JOBCLASS(STC) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … JOBCLASS(TSU) AUTH=ALL, /* ALLOW ALL COMMANDS (DEF.)*/ … PROCLIB=00, /* USE //PROC00 DD (DEF.)*/ … d. Ensure that only system programming personnel are authorized to update and/or allocate proclib data sets that contain STC and TSO procedures.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer