STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS JESSPOOL resources must be protected in accordance with security requirements.

DISA Rule

SV-223529r533198_rule

Vulnerability Number

V-223529

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-JS-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters.

Configure the CLASMAP record to define the JESSPOOL resource class.

Example:
SHOW CLASMAP

The following resources are defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of PREVENT:
localnodeid.-
localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE
localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG

Example:
$KEY(localnodeid) TYPE(SPL)
- UID(*) PREVENT

These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example:
localnodeid.JES2.-.-.-.JESTRACE
localnodeid.+MASTER+.-.-.-.-

Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid.

The following resource is defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of READ:
localnodeid.jesid.$JESNEWS.taskid.Dnewslvl.JESNEWS

jesid: The logonid associated with your JES2 system.

This resource rule may be more generic as long as it pertains directly to the JESNEWS data set. For example:
localnodeid.jesid.$JESNEWS.-.-.JESNEWS

Check Contents

From the ACF command screen enter:
SET CONTROL(GSO)
LIST LIKE(CLASMAP-) {to determine the resource class for JESSPOOL}

NOTE: If CLASMAP defines JESSPOOL as anything other than TYPE(SPL), replace SPL below with the appropriate three letters.

SET RESOURCE(SPL)
LIST LIKE(-)

If the following resources are defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of PREVENT, this is not a finding.

localnodeid.-
localnodeid.JES2.$TRCLOG.taskid.-.JESTRACE
localnodeid.+MASTER+.SYSLOG.jobid.-.SYSLOG

These resource rules may be more generic as long as they pertain directly to the JESTRACE and SYSLOG data sets. For example:
localnodeid.JES2.-.-.-.JESTRACE
localnodeid.+MASTER+.-.-.-.-

Review the JES2 parameters to determine the localnodeid by searching for OWNNODE in the NJEDEF statement, and then searching for NODE(nnnn) (where nnnn is the value specified by OWNNODE). The NAME parameter value specified on this NODE statement is the localnodeid.

If the following resource is defined to the JESSPOOL resource class (i.e., TYPE(SPL)) with a default access of READ, this is not a finding.
localnodeid.jesid.$JESNEWS.taskid.Dnewslvl.JESNEWS
jesid: The logonid associated with your JES2 system.

NOTE: This resource rule may be more generic as long as it pertains directly to the JESNEWS data set. For example:
localnodeid.jesid.$JESNEWS.-.-.JESNEWS
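
The localnodeid lookup described above (OWNNODE on NJEDEF, then NAME on the matching NODE(nnnn) statement) can be scripted against a copy of the JES2 initialization member. This is an added example, not part of the STIG; the sample parameters and the jesid value JES2 are constructed, and the parser assumes unabbreviated keywords, a single node number per NODE statement, `/* */` comments and trailing-comma continuation.

```python
import re

# Constructed sample of JES2 initialization statements (not from a real system).
SAMPLE_JES2_PARMS = """\
/* constructed sample */
NJEDEF   OWNNODE=2,            /* node number of this system */
         NODENUM=4
NODE(1)  NAME=NODEA
NODE(2)  NAME=NODEB,
         PATHMGR=NO
"""

def _statements(text):
    """Drop /* */ comments and join comma-continued lines into statements."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    stmts, pending = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        pending += line
        if not line.endswith(","):
            stmts.append(pending)
            pending = ""
    return stmts + ([pending] if pending else [])

def find_localnodeid(text):
    """Return NAME from the NODE(nnnn) statement selected by NJEDEF OWNNODE."""
    stmts = _statements(text)
    own = None
    for s in stmts:
        m = re.search(r"\bOWNNODE=(\d+)", s, re.I)
        if s.upper().startswith("NJEDEF") and m:
            own = int(m.group(1))
    if own is None:
        return None  # OWNNODE not coded; resolve manually
    for s in stmts:
        m = re.match(r"NODE\((\d+)\)", s, re.I)
        if m and int(m.group(1)) == own:
            name = re.search(r"\bNAME=([A-Z0-9$#@]+)", s, re.I)
            return name.group(1).upper() if name else None
    return None

def required_rules(localnodeid, jesid):
    """Resource names from this check mapped to their required default access."""
    return {
        f"{localnodeid}.-": "PREVENT",
        f"{localnodeid}.JES2.$TRCLOG.taskid.-.JESTRACE": "PREVENT",
        f"{localnodeid}.+MASTER+.SYSLOG.jobid.-.SYSLOG": "PREVENT",
        f"{localnodeid}.{jesid}.$JESNEWS.taskid.Dnewslvl.JESNEWS": "READ",
    }
```

The returned names still contain the taskid, jobid and Dnewslvl placeholders from the check text; compare them against the SET RESOURCE(SPL) / LIST LIKE(-) output by hand or with the site's own tooling.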

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4100

Comments