STIG ID - BACF0021: Indicate Proper Validation of Jobs in GSO NJE Record

Assign the GSO NJE record to ensure proper validation of jobs submitted through an NJE subsystem.
Severity
: 2 - Medium
The GSO NJE record tells ACF2 how to process password and logonid inheritance for jobs exchanged with other NJE nodes. ACF2 uses the GSO NJE record to build a table that is referenced when a job enters or leaves the system through NJE. ACF2 compares the name of the remote node with the NODEMASK fields in the table. If ACF2 does not find a match, it uses a default record generated for validation. The internal table that ACF2 builds has room for 256 NJE records. If more NJE records are found, a message is issued and the subsequent records are bypassed.
Your organization will ensure that the GSO NJE record value indicates proper validation of jobs submitted through an NJE subsystem (JES2, JES3, RSCS).
This STIG article shows how to assign the GSO NJE record values to ensure the proper validation of jobs submitted through an NJE subsystem.
Identify Audit Finding
Complete these steps to determine whether you should consider remediation:
  1. List the GSO NJE record to identify the values of the DFTLID, INHERIT, NODEMASK, ENCRYPT, VALIN, and VALOUT fields:
    SET CONTROL(GSO)
    CONTROL
    LIST NJE
    XXXX / NJE LAST CHANGED BY USER01 ON 02/10/2020-9:20
       DFSYOUT() ENCRYPT NOVALOUT
    CONTROL
    In this listing only ENCRYPT and NOVALOUT appear; the DFTLID, INHERIT, NODEMASK, and VALIN fields are not defined, which differs from the suggested guideline. The fields are:
    • DFTLID(defaultlid)
      Specifies the default logonid to be used for jobs that come from the remote node when no logonid can be associated with the job. IBM restricts the NJE default logonid to a maximum of seven characters. The DFTLID value you specify must be a valid, specific logonid (no masking characters), defined to ACF2 at the home node. You must also set the RESTRICT field in that logonid record to indicate that the logonid does not require password verification. The default value for DFTLID is null.
      If ACF2 needs to assign a default logonid but no DFTLID is coded in the NJE record, ACF2 substitutes the default logonid specified in the DFTLID field of the GSO OPTS record. If no default logonid is specified in the GSO OPTS record either, the job fails validation.
    • ENCRYPT|NOENCRYPT
      Specifies that the passwords provided on jobs sent to this node for validation are in a partially encrypted format using the XDES algorithm. NOENCRYPT specifies that the password is sent in clear text. The default value is ENCRYPT. A password longer than eight characters is always encrypted before being sent to the other system, regardless of this setting.
    • INHERIT|NOINHERIT
      Specifies that the local node accepts network job inheritance: a job sent to this node inherits the logonid of the user who submitted it. NOINHERIT specifies that the job requires an explicit logonid and password to be validated at this node; the job does not inherit the submitter's logonid, and if no logonid is provided in the JCL, the job is assigned the default logonid specified at the local node.
      Default: INHERIT
    • NODEMASK(nodename)
      Specifies the nodes associated with this record. Nodename is the value specified in the NAME= field of the NODE(x) statement of the JES initialization parameters for the system. If you are unsure of the node NAME=, issue a $TNODE(nn) command from the operator console to display it. Nodename can be from one to eight characters and can be a specific node name or a masked value. If the field is not specified, nodename defaults to a mask of dash (-), which matches all node names.
    • VALOUT|NOVALOUT
      Specifies that all outgoing jobs to the remote node are validated. NOVALOUT specifies that no validation is performed for outbound jobs. Review the implications of job inheritance when selecting these options: if a job is submitted without a password and the INHERIT option is active, the job runs under the submitter's logonid.
      Default: NOVALOUT
      If network job inheritance is permitted, the job can end up with different authorization, because the logonid at the local node may have much higher authority than the same logonid defined at the sending node. You can control this with the NO-INH field of the logonid record, which prevents that logonid from being inherited. For more information about the NO-INH field, see Logonid Records.
    • VALIN(YES|ONLY)
      Specifies that all jobs coming in from the remote node are validated. ONLY specifies that incoming jobs that have already been validated by ACF2 are not revalidated.
      Default: YES
  2. If the GSO NJE record values for the DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and VALOUT fields are defined, your organization does not have an audit finding.
  3. If any of the GSO NJE record fields listed in step 2 is not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that the GSO NJE record value indicates validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
Follow these steps:
  1. Configure the GSO NJE record DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and VALOUT fields, then refresh the NJE table from the operator console so the change takes effect:
    SET CONTROL(GSO)
    CONTROL
    CHANGE NJE DFTLID() INHERIT NODEMASK(-) ENCRYPT VALIN(YES) NOVALOUT
    F ACF2,REFRESH(NJE)
    The GSO NJE record DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and VALOUT fields are now defined.
  2. Verify that the GSO NJE record has been updated:
    SET CONTROL(GSO)
    CONTROL
    SHOW NJE
    -- NJE OPTIONS IN EFFECT --
    NODE      VALIDATE  VALIDATE  INHERIT-  SEND       DEFAULT  SYSOUT
    NAME OR   INCOMING  OUTGOING  ANCE      ENCRYPTED  LOGONID  DEFAULT
    MASK      JOBS      JOBS      ALLOWED   PASSWORD            LOGONID
    (BOTH)    (IN)      (OUT)     (IN)      (OUT)      (IN)     (IN)
    =======   ========  ========  ========  ========   =======  =======
    YES       YES       YES       YES       YES        YES      YES
    CONTROL
    ACF2 will now ensure that proper validation of jobs submitted through an NJE subsystem takes place.
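As an added example (not part of this STIG article and not CA ACF2 code), the following Python script applies the check from the Identify Audit Finding steps to a captured LIST NJE screen and builds the CHANGE NJE command from the Remediate Audit Finding step for only the fields that are missing, so fields a site has already set are left untouched. The sample screens are constructed to match the listings above; the field names and remediation values come from this page, while the extra NOENCRYPT warning and the decision to preserve already-defined fields are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Remediation value for each audited option, taken from the CHANGE NJE
# command in the Remediate Audit Finding step above.
REMEDIATION = {
    "DFTLID": "DFTLID()",
    "ENCRYPT": "ENCRYPT",
    "INHERIT": "INHERIT",
    "NODEMASK": "NODEMASK(-)",
    "VALIN": "VALIN(YES)",
    "VALOUT": "NOVALOUT",
}

# Keywords under which each audited option can appear in LIST output.
# Either member of a pair (ENCRYPT/NOENCRYPT, ...) counts as "defined".
KEYWORDS = {
    "DFTLID": ("DFTLID",),
    "ENCRYPT": ("ENCRYPT", "NOENCRYPT"),
    "INHERIT": ("INHERIT", "NOINHERIT"),
    "NODEMASK": ("NODEMASK",),
    "VALIN": ("VALIN",),
    "VALOUT": ("VALOUT", "NOVALOUT"),
}

TOKEN_RE = re.compile(r"([A-Z0-9@#$]+)(?:\(([^)]*)\))?")   # KEYWORD or KEYWORD(operand)
DATE_RE = re.compile(r"\d\d/\d\d/\d{4}-\d{1,2}:\d\d")      # e.g. 02/10/2020-9:20

# Constructed sample screens (not captured from a real system), shaped like
# the LIST NJE output in the Identify Audit Finding step.
SAMPLE_LIST_NJE = """\
SET CONTROL(GSO)
CONTROL
LIST NJE
XXXX / NJE LAST CHANGED BY USER01 ON 02/10/2020-9:20
   DFSYOUT() ENCRYPT NOVALOUT
CONTROL
"""
SAMPLE_COMPLIANT = """\
XXXX / NJE LAST CHANGED BY USER01 ON 02/11/2020-10:05
   DFTLID() DFSYOUT() ENCRYPT INHERIT NODEMASK(-) VALIN(YES) NOVALOUT
CONTROL
"""


def parse_nje_record(listing: str) -> Dict[str, Optional[str]]:
    """Return {KEYWORD: operand} for the record body of a LIST NJE screen.
    Keyword-only options map to None; KEYWORD(...) maps to the operand text
    ('' for empty parentheses). The body starts after the LAST CHANGED BY
    header (fields may follow the timestamp on that same line) and ends at
    the next ACF prompt echo or blank line."""
    fields: Dict[str, Optional[str]] = {}
    in_body = False
    for raw in listing.splitlines():
        line = raw.strip()
        if "LAST CHANGED BY" in line:
            in_body = True
            m = DATE_RE.search(line)
            line = line[m.end():] if m else ""   # drop the header, keep trailing fields
        elif not in_body:
            continue                             # command echo before the record
        elif line in ("", "CONTROL", "ACF"):
            break                                # prompt echo: end of record body
        for m in TOKEN_RE.finditer(line):
            fields[m.group(1)] = m.group(2)
    return fields


def effective_settings(fields: Dict[str, Optional[str]]) -> Dict[str, Optional[str]]:
    """Map each audited option to the keyword form in effect, or None if undefined."""
    out: Dict[str, Optional[str]] = {}
    for option, names in KEYWORDS.items():
        out[option] = None
        for name in names:
            if name in fields:
                operand = fields[name]
                out[option] = name if operand is None else f"{name}({operand})"
                break
    return out


def audit_nje_record(listing: str) -> dict:
    """STIG check: every audited option must be defined (finding otherwise).
    Added assumption: NOENCRYPT is reported as a warning even though it is a
    defined value, because passwords then cross the NJE link in clear text."""
    settings = effective_settings(parse_nje_record(listing))
    missing: List[str] = [o for o, v in settings.items() if v is None]
    warnings: List[str] = []
    if settings["ENCRYPT"] == "NOENCRYPT":
        warnings.append("NOENCRYPT: passwords on jobs sent to this node travel in clear text")
    return {"finding": bool(missing), "missing": missing, "warnings": warnings, "settings": settings}


def remediation_command(report: dict) -> Optional[str]:
    """Build the CHANGE NJE command supplying the page's value for each undefined
    option (plus ENCRYPT if NOENCRYPT is set). None when nothing needs fixing."""
    parts = [REMEDIATION[o] for o in REMEDIATION if o in report["missing"]]
    if report["settings"]["ENCRYPT"] == "NOENCRYPT":
        parts.append("ENCRYPT")
    if not parts:
        return None
    return "SET CONTROL(GSO)\nCHANGE NJE " + " ".join(parts)


if __name__ == "__main__":
    report = audit_nje_record(SAMPLE_LIST_NJE)
    print("Finding:", report["finding"], "missing:", report["missing"], "warnings:", report["warnings"])
    print(remediation_command(report))
```

Issue the generated CHANGE NJE command in the ACF command session, then enter F ACF2,REFRESH(NJE) from the operator console so the rebuilt NJE table takes effect, and confirm with SHOW NJE as in step 2. Because the script only supplies values for undefined fields, a site that deliberately runs NOINHERIT or VALIN(ONLY) keeps that choice rather than having it overwritten by the generic remediation values.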
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000213, CCI-001414, CCI-001762, CCI-001764, CCI-002314
CCI
:
CCI-000213
Published Date
:
2009-09-14
Definition
:
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
CCI
:
CCI-001414
Published Date
:
2009-09-24
Definition
:
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
Type
:
technical
References
:
NIST: NIST SP 800-53 (v3): AC-4
NIST: NIST SP 800-53 Revision 4 (v4): AC-4
NIST: NIST SP 800-53A (v1): CM-4.1 (iii)
CCI
:
CCI-001762
Published Date
:
2013-02-28
Definition
:
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (1) (b)
CCI
:
CCI-001764
Published Date
:
2009-02-28
Definition
:
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (2)
CCI
:
CCI-002314
Published Date
:
2013-06-24
Definition
:
The information system controls remote access methods.
Type
:
technical
References
:
NIST: NIST SP 800-53 Revision 4 (v4): AC-17 (1)