STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS JES2 system commands must be protected in accordance with security requirements.

DISA Rule

SV-223531r533198_rule

Vulnerability Number

V-223531

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

ACF2-JS-000040

Severity

CAT II

CCI(s)

• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

Weight

10

Fix Recommendation

Review the GSO definitions. If CLASMAP defines OPERCMDS as anything other than TYPE(OPR), replace OPR below with the appropriate three letters.

Review resource rules for TYPE(OPR).

Define the JES2.- resource is defined to the OPERCMDS class with a default access of PREVENT and all access is logged.

Define access to JES2 system commands defined in the JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide entitled 'JES2 commands with profile names and minimum required authority' is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users).

Define access to specific JES2 system commands is logged as indicated in the table JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide titled "JES2 commands with profile names and minimum required authority".

Assure that elevated access is logged.

Some ACF2 Examples:
$KEY(JES2) TYPE(OPR)
CANCEL.BAT UID(oper) SERVICE(READ,UPDATE) LOG
DISPLAY.JOB UID(*) SERVICE(READ) LOG
START.INITIATOR UID(oper) SERVICE(DELETE) LOG
START.LINE UID(oper) SERVICE(DELETE) LOG
STOP.INITIATOR UID(oper) SERVICE(DELETE) LOG
STOP.LINE UID(oper) SERVICE(DELETE) LOG
- UID(*) PREVENT

Check Contents

NOTE: If CLASMAP defines OPERCMDS as anything other than TYPE(OPR), replace OPR below with the appropriate three letters.

From the ACF command screen enter:
SET RESOURCE(OPR)
LIST LIKE(JES-)

If the JES2.- resource is defined to the OPERCMDS class with a default access of PREVENT and all access is logged, this is not a finding.

If access to JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide titled "JES2 commands with profile names and minimum required authority" is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), this is not a finding.

If all elevated access to JES2 system commands is logged, this is not a finding.

Vulnerability Number

V-223531

Documentable

False

Rule Version

ACF2-JS-000040

Severity Override Guidance

NOTE: If CLASMAP defines OPERCMDS as anything other than TYPE(OPR), replace OPR below with the appropriate three letters.

From the ACF command screen enter:
SET RESOURCE(OPR)
LIST LIKE(JES-)

If the JES2.- resource is defined to the OPERCMDS class with a default access of PREVENT and all access is logged, this is not a finding.

If access to JES2 system commands defined in the table in the IBM JES2 Initialization and Tuning Guide titled "JES2 commands with profile names and minimum required authority" is restricted to the appropriate personnel (e.g., operations staff, systems programming personnel, general users), this is not a finding.

If all elevated access to JES2 system commands is logged, this is not a finding.

Check Content Reference

M

Target Key

4100

Comments