STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021

IBM z/OS JES2 input sources must be controlled in accordance with the proper security requirements.

DISA Rule

SV-223746r604139_rule

Vulnerability Number

V-223746

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-JS-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review the following resources in the JESINPUT resource class:

INTRDR (internal reader for batch jobs)
nodename (NJE node)
OFFn.* (spool offload receiver)
Rnnnn (RJE workstation)
RDRnn (local card reader)
STCINRDR (internal reader for started tasks)
TSUINRDR (internal reader for TSO logons)

Note: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined.

-Nodename is the NAME parameter in the NODE statement. Review the JES2 parameters for NJE node definitions by searching for NODE( in the report.
-OFFn, where n is the number of the offload receiver. Review the JES2 parameters for spool offload receiver definitions by searching for OFF( in the report.
-Rnnnn, where nnnn is the number of the remote workstation. Review the JES2 parameters for RJE node definitions by searching for RMT( in the report.
-RDRnn, where nn is the number of the reader. Review the JES2 parameters for reader definitions by searching for RDR( in the report.

Define the JESINPUT resource class to the ACTIVE CLASSES in RACF SETROPTS.

Configure the resources detailed above to be protected by generic and/or fully qualified profiles defined to the JESINPUT resource class.

Examples:
setr classact(jesinput)
setr generic(jesinput)
rdef jesinput intrdr uacc(none) owner(admin) audit(failures(read) success(update)) data('Per SRR PDI ZJES0021')
pe intrdr cl(jesinput) id(<syspsmpl>)
pe intrdr cl(jesinput) id(*) /* all users */

Check Contents

Refer to the JES2PARM member of SYS1.PARMLIB.

Review the following resources in the RACF JESINPUT resource class:

INTRDR (internal reader for batch jobs)
nodename (NJE node)
OFFn.* (spool offload receiver)
Rnnnn (RJE workstation)
RDRnn (local card reader)
STCINRDR (internal reader for started tasks)
TSUINRDR (internal reader for TSO logons)

Note: If any of the following are not defined within the JES2 parameters, the resource in the JESINPUT resource class does not have to be defined.

-Nodename is the NAME parameter in the NODE statement. Review the NJE node definitions by searching for NODE( in the report.
-OFFn, where n is the number of the offload receiver. Review the spool offload receiver definitions by searching for OFF( in the report.
-Rnnnn, where nnnn is the number of the remote workstation. Review the RJE node definitions by searching for RMT( in the report.
-RDRnn, where nn is the number of the reader. Review the reader definitions by searching for RDR( in the report.

If the JESINPUT resource class is active, this is not a finding.

If the resources detailed above are protected by generic and/or fully qualified profiles defined to the JESINPUT resource class, this is not a finding.
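
The check above can be scripted. The following is an added example, not part of the STIG or of any IBM tooling: it derives the JESINPUT resource names from JES2 parameter text and reports those that no supplied profile covers. Assumptions: the parameter text and the list of JESINPUT profile names are obtained separately, device numbers are used unpadded (R5, RDR1), the generic matching is a simplified approximation of RACF's rules, and all sample data is constructed.

```python
import re

ALWAYS = ["INTRDR", "STCINRDR", "TSUINRDR"]  # listed by the rule unconditionally
# JES2 statement searched for in the report -> JESINPUT resource name format
# (unpadded numbers are an assumption of this example)
DEVICES = (("OFF", "OFF{}.*"), ("RMT", "R{}"), ("RDR", "RDR{}"))

def required_resources(jes2_parms):
    """Derive the JESINPUT resources to review from JES2 parameter text."""
    text = re.sub(r"/\*.*?\*/", "", jes2_parms.upper(), flags=re.S)  # drop comments
    names = list(ALWAYS)
    # NODE(n) ... NAME=xxxx: the resource is the node name
    names += re.findall(r"\bNODE\(\d+\)[^()]*?\bNAME=([A-Z0-9@#$]+)", text)
    for stmt, fmt in DEVICES:
        for num in re.findall(rf"\b{stmt}\((\d+)\)", text):
            name = fmt.format(int(num))
            if name not in names:
                names.append(name)
    return names

def covers(profile, resource):
    """Simplified generic match: % one char, * within a qualifier, ** anything."""
    rx = "".join(".*" if t == "**" else "[^.]*" if t == "*" else
                 "[^.]" if t == "%" else re.escape(t)
                 for t in re.findall(r"\*\*|\*|%|[^*%]+", profile.upper()))
    return re.fullmatch(rx, resource) is not None

def unprotected(jes2_parms, profiles):
    """Resources the rule expects that no listed JESINPUT profile covers."""
    return [r for r in required_resources(jes2_parms)
            if not any(covers(p, r) for p in profiles)]

# Constructed sample input, not taken from a real system.
SAMPLE_PARMS = """
NODE(1)  NAME=NODEA,PATHMGR=YES
NODE(2)  NAME=NODEB
/* NODE(3) NAME=OLDNODE */
OFF(1).JR  CLASS=A
RMT(5)  DEVTYPE=2770
RDR(1)  CLASS=A
"""
SAMPLE_PROFILES = ["INTRDR", "STCINRDR", "TSUINRDR", "NODE%", "OFF1.*", "RDR*"]

if __name__ == "__main__":
    for name in unprotected(SAMPLE_PARMS, SAMPLE_PROFILES):
        print("no JESINPUT profile covers", name)
```

With the constructed sample, the only resource reported is R5, because the RDR* profile does not match the RJE workstation name.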

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments