Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-121	ACP00150	SV-121r2_rule	DCCS-1 DCCS-2 DCSL-1	Medium

Description
The JES2 System data sets are a common repository for all jobs submitted to the system and the associated printout and configuration of the JES2 environment. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.

STIG	Date
z/OS RACF STIG	2017-03-22

Details

Check Text ( C-832r1_chk )
a) Refer to the following report produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(JES2RPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00150) ___ The ACP data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access. ___ The ACP data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel. b) If both of the above are untrue, there is NO FINDING. c) If either of the above is true, this is a FINDING.

Check Text ( C-832r1_chk )

a) Refer to the following report produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(JES2RPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00150)

___ The ACP data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) allow inappropriate access.

___ The ACP data set rules for the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

b) If both of the above are untrue, there is NO FINDING.

c) If either of the above is true, this is a FINDING.

Fix Text (F-19062r1_fix)
Limit read and write access to the JES2 started task. Limit allocate/alter access to the systems programming staff. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect JES2 System datasets (spool, checkpoint, and parmlib datasets) The IAO will ensure that update and allocate access to JES2 System datasets (spool, checkpoint, and parmlib datasets) are limited to system programmers only. For example all SYS1.HASP* data sets.

Fix Text (F-19062r1_fix)

Limit read and write access to the JES2 started task. Limit allocate/alter access to the systems programming staff. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes as required to protect JES2 System datasets (spool, checkpoint, and parmlib datasets)

The IAO will ensure that update and allocate access to JES2 System datasets (spool, checkpoint, and parmlib datasets) are limited to system programmers only. For example all SYS1.HASP* data sets.