STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide, Version: 8, Release: 3, Benchmark Date: 23 Apr 2021

IBM z/OS JESNEWS resources must be protected in accordance with security requirements.

DISA Rule

SV-223751r604139_rule

Vulnerability Number

V-223751

Group Title

SRG-OS-000080-GPOS-00048

Rule Version

RACF-JS-000070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Refer to "Protecting JESNEWS" in Chapter 7 of the JES2 Init & Tuning Guide.

a) Ensure the following items are in effect:

1) The JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class with a default access of NONE and all access is logged.

NOTE: JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

2) Access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set) and all access is logged.

Examples of setting up proper protection are shown here:

RDEF OPERCMDS JES2.UPDATE.JESNEWS UACC(NONE) OWNER(ADMIN) AUDIT(ALL(READ)) DATA('COMPLY WITH ZJES0042')

PERMIT JES2.UPDATE.JESNEWS CLASS(OPERCMDS) ID(<syspsmpl>) ACCESS(CONTROL)

Check Contents

From the ISPF Command Shell enter:
RL OPERCMDS *

JES2 is typically the name of the JES2 subsystem. Refer to the SUBSYS report and locate the entry with the description of PRIMARY JOB ENTRY SUBSYSTEM. The SUBSYSTEM NAME of this entry is the name of the JES2 subsystem.

If the JES2.UPDATE.JESNEWS resource is defined to the OPERCMDS resource class, this is not a finding.

If access authorization to the JES2.UPDATE.JESNEWS resource in the OPERCMDS class restricts CONTROL access to the appropriate personnel (i.e., users responsible for maintaining the JES News data set), this is not a finding.

If all access to the JES2.UPDATE.JESNEWS resource is logged, this is not a finding.
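
The three check conditions above can be evaluated mechanically against a saved RLIST listing. The following Python check is an added example, not part of the STIG; it assumes the listing covers the single JES2.UPDATE.JESNEWS profile and was captured with the AUTHUSER operand so the access list is shown. The sample listing, the user IDs NEWSADM and OPER1, and the function names are constructed for illustration.

```python
import re
from itertools import takewhile

# Constructed sample modeled on RLIST ... AUTHUSER output (assumption); user IDs are made up.
SAMPLE = """\
CLASS      NAME
-----      ----
OPERCMDS   JES2.UPDATE.JESNEWS

LEVEL  OWNER      UNIVERSAL ACCESS  YOUR ACCESS  WARNING
-----  --------   ----------------  -----------  -------
 00    ADMIN            NONE              NONE    NO

AUDITING
--------
ALL(READ)

USER      ACCESS   ACCESS COUNT
----      ------   ------ -----
NEWSADM   CONTROL     000000
OPER1     READ        000000
"""

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access order

def _after_rule(lines, header_re):
    """Rows (split into words) under a header and its dashed rule, up to a blank line."""
    for i, line in enumerate(lines[:-1]):
        if re.match(header_re, line) and lines[i + 1].startswith("-"):
            return [r.split() for r in takewhile(str.strip, lines[i + 2:])]
    return []

def check_jesnews(rlist_text, authorized, resource="JES2.UPDATE.JESNEWS"):
    """Return a list of findings; an empty list means all three conditions hold."""
    lines = rlist_text.splitlines()
    if not any(l.split()[:2] == ["OPERCMDS", resource] for l in lines):
        return [f"{resource} is not defined in OPERCMDS"]
    findings = []
    level = _after_rule(lines, r"LEVEL\s+OWNER")
    if not level or level[0][2:3] != ["NONE"]:
        findings.append("UACC is not NONE")
    audit = _after_rule(lines, r"AUDITING")
    if not audit or audit[0][0] != "ALL(READ)":
        findings.append("AUDIT is not ALL(READ)")
    for user, access, *_ in _after_rule(lines, r"USER\s+ACCESS"):
        if access in LEVELS and LEVELS.index(access) >= LEVELS.index("CONTROL") and user not in authorized:
            findings.append(f"{user} holds {access} but is not authorized")
    return findings
```

Pass the set of user IDs responsible for maintaining the JES News data set as `authorized`, and pass a different `resource` name if the JES2 subsystem is not named JES2.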

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments