STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide, Version 8, Release 3, Benchmark Date: 23 Apr 2021

IBM z/OS RJE workstations and NJE nodes must be controlled in accordance with security requirements.

DISA Rule

SV-223756r604139_rule

Vulnerability Number

V-223756

Group Title

SRG-OS-000480-GPOS-00227

Rule Version

RACF-JS-000120

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note that this guidance addresses RJE workstations that are "dedicated". If an RJE workstation is dedicated, the assumption is that the RJE-to-host connection is hard-wired between the RJE and the host. In this case the RMT definition statement will contain the keyword LINE=, which specifies that this RJE is only connected via that one LINE statement.

Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

Configure the RJE workstation userids to be defined as follows:

A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.

No userid segments (e.g., TSO, CICS, etc.) are defined.

The userid is restricted from accessing all data sets and resources, with the exception of the corresponding JESINPUT-class profile for that remote.

Review Chapter 17 of the RACF Security Administrator's Guide. The following is an example that shows a proper implementation:

AG RMTGRP OWNER(ADMIN) SUPGROUP(ADMIN)

AU RMT777 NAME('RMT RJE 777') DFLTGRP(RMTGRP) OWNER(RMTGRP) DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED

PE RMT777 CL(JESINPUT) ID(RMT777)

Ensure that a FACILITY-class profile exists in the format RJE.RMTnnnn, where nnnn identifies the remote number.

A command example is shown here:

RDEF FACILITY RJE.RMT777 UACC(NONE) OWNER(ADMIN) DATA('COMPLY WITH ZJES0011 FOR RJE 777')

Check Contents

Note that this guidance addresses RJE workstations that are "dedicated". If an RJE workstation is dedicated, the assumption is that the RJE-to-host connection is hard-wired between the RJE and the host. In this case the RMT definition statement will contain the keyword LINE=, which specifies that this RJE is only connected via that one LINE statement.

Refer to the JES2PARM member of PARMLIB.

If all of the statements below are true, this is not a finding.

If any of the statements below are untrue, this is a finding.

Review the JES2 parameters for RJE workstation definitions by searching for RMT( in the report.

A userid of RMTnnnn is defined to RACF for each RJE workstation, where nnnn is the number on the RMT statement.

No userid segments (e.g., TSO, CICS, etc.) are defined.

The userid is restricted from accessing all data sets and resources, with the exception of the corresponding JESINPUT-class profile for that remote.

NOTE: Execute the JCL in CNTL(IRRUT100) using the RACF RMTnnnn userids as SYSIN input. This report lists all occurrences of these userids within the RACF database, including data set and resource access lists.

A FACILITY-class profile exists in the format RJE.RMTnnnn, where nnnn identifies the remote number.
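As an added illustration for both the check and the fix above (this is not part of the STIG text or of any DISA tool), the following Python applies the rule's conditions to a constructed JES2PARM fragment and a constructed RACF inventory, and emits the fix-text RACF commands for a remote. It assumes the inventory shape shown (a real collector would build it from LISTUSER, RLIST and IRRUT100 output) and that the RMTGRP group and ADMIN owner already exist.

```python
import re

# Constructed JES2PARM fragment (not from a real system); dedicated remotes are
# the RMT statements carrying LINE=, so RMT(900) is out of scope for this rule.
JES2PARM = """\
RMT(777)  DEVTYPE=SNA,LINE=5,BUFSIZE=256
RMT(778)  DEVTYPE=SNA,LINE=6
RMT(900)  DEVTYPE=SNA,BUFSIZE=256
"""
# Constructed RACF inventory in the shape a collector would build from LISTUSER
# and RLIST output: userid -> segments, RESTRICTED flag, permitted JESINPUT
# profiles; plus the FACILITY-class profiles that exist.
RACF_USERS = {
    "RMT777": {"segments": [], "restricted": True, "jesinput": ["RMT777"]},
    "RMT778": {"segments": ["TSO"], "restricted": False,
               "jesinput": ["RMT778", "RMT779"]},
}
FACILITY_PROFILES = {"RJE.RMT777"}
RMT_RE = re.compile(r"^\s*RMT\((\d+)\)(.*)$", re.MULTILINE)

def dedicated_remotes(parm):
    """Remote numbers whose RMT statement is hard-wired to a single LINE=."""
    return [int(num) for num, rest in RMT_RE.findall(parm) if "LINE=" in rest]

def check_remote(num, users=RACF_USERS, facility=FACILITY_PROFILES):
    """Apply the rule's checks to one remote; an empty list means compliant."""
    uid = f"RMT{num}"
    user = users.get(uid)
    if user is None:
        return [f"{uid}: no RACF userid defined"]
    findings = []
    if user["segments"]:
        findings.append(f"{uid}: has segments {','.join(user['segments'])}")
    if not user["restricted"]:
        findings.append(f"{uid}: not RESTRICTED")
    extra = [p for p in user["jesinput"] if p != uid]
    if extra:
        findings.append(f"{uid}: permitted to other JESINPUT profiles {extra}")
    if f"RJE.{uid}" not in facility:
        findings.append(f"{uid}: FACILITY profile RJE.{uid} missing")
    return findings

def fix_commands(num, owner="ADMIN", group="RMTGRP"):
    # The three RACF commands from the fix text; the group is assumed to exist.
    uid = f"RMT{num}"
    return [f"AU {uid} NAME('RMT RJE {num}') DFLTGRP({group}) OWNER({group}) "
            f"DATA('COMPLY WITH ZJES0011') NOPASS RESTRICTED",
            f"PE {uid} CL(JESINPUT) ID({uid})",
            f"RDEF FACILITY RJE.{uid} UACC(NONE) OWNER({owner}) "
            f"DATA('COMPLY WITH ZJES0011 FOR RJE {num}')"]
```

Running `check_remote` over `dedicated_remotes(JES2PARM)` reports RMT778 on all four conditions and RMT777 as clean; `fix_commands(778)` yields the commands to bring the second remote into line.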

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4101

Comments