STIG ID - BACF0021: Indicate Proper Validation of Jobs in GSO NJE Record
Assign the GSO NJE record to ensure proper validation of jobs submitted through an NJE subsystem.
Severity: 2 - Medium
The GSO NJE record tells ACF2 how to process password and logonid inheritance for jobs exchanged with other NJE nodes. ACF2 uses the GSO NJE record to build a table that is referenced when a job enters or leaves the system through NJE. ACF2 compares the name of the remote node with the values specified in the NODEMASK fields in the table. If ACF2 does not find a match, it uses a default record generated for validation. The internal table that ACF2 builds contains room for 256 NJE records. If more NJE records are found, a message is issued and the subsequent records are bypassed.
Your organization will ensure that the GSO NJE record value indicates proper validation of jobs submitted through an NJE subsystem (JES2, JES3, RSCS).
This STIG article shows how to assign the GSO NJE record values to ensure the proper validation of jobs submitted through an NJE subsystem.
Identify Audit Finding
Complete these steps to determine if you should consider remediation:
- List the GSO NJE record to identify the values of the DFTLID, INHERIT, NODEMASK, ENCRYPT, VALIN, and NOVALOUT fields:
    SET CONTROL
    CONTROL
    LIST NJE
    XXXX / NJE LAST CHANGED BY USER01 ON 02/10/2020-9:20
    DFSYOUT() ENCRYPT NOVALOUT
    CONTROL
  The GSO NJE record fields DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and NOVALOUT values are not defined, which differs from the suggested guideline.
- DFTLID(defaultlid): Specifies the default logonid to be used for jobs that come from the remote node when no logonid can be associated with the job. IBM restricts the NJE default logonid to a maximum of seven characters. The DFTLID value you specify must be a valid, specific logonid (no masking characters), defined to ACF2 at the home node. Also, you must set the RESTRICT field in the logonid record to indicate that the logonid does not require password verification. The default value for DFTLID is null. If ACF2 needs to assign a default logonid but no DFTLID is coded in the NJE record, ACF2 substitutes the default logonid specified in the DFTLID field of the GSO OPTS record. If no default logonid is specified in the GSO OPTS record, the job fails validation.
- ENCRYPT|NOENCRYPT: Specifies that passwords provided on jobs sent to this node for validation are in a partially encrypted format using the XDES algorithm. NOENCRYPT specifies that the password is sent in clear-text format. The default value is ENCRYPT. When the password is longer than eight characters, it is always encrypted before being sent to the other system.
- INHERIT|NOINHERIT: Specifies that the local node accepts network job inheritance. A job sent to this node inherits the logonid of the user who submitted the job. NOINHERIT specifies that the job requires an explicit logonid and password to be validated at this node. In this case, the job does not inherit the logonid of the submitter, and if no logonid is provided in the JCL, the job is assigned the default logonid specified at the local node. Default: INHERIT.
- NODEMASK(nodename): Specifies the nodes associated with this record. Nodename is the value specified in the NAME= field of the NODE(x) statement of the JES initialization parameters for the system. If you are unsure of the node NAME=, issue a $TNODE(nn) command from the operator console to find the value. Nodename can be from one to eight characters, and can be a specific node name or a masked value. If the field is not specified, nodename defaults to a mask of dash (-), which means all node names match.
- VALOUT|NOVALOUT: Specifies that all outgoing jobs to the remote node are validated. NOVALOUT specifies that no validation is performed for outbound jobs. Review the implications of job inheritance when selecting these options. If a job is submitted without a password and the INHERIT option is active, the job runs under the submitter's logonid. Default: NOVALOUT. If network job inheritance is permitted, different authorization can be granted to the job. This could be due to the local logonid having a much higher authority than the same logonid defined at the sending node. You can control this with the logonid record NO-INH field. This field prevents a logonid from being inherited. For more information about the NO-INH field, see Logonid Records.
- VALIN(YES|ONLY): Specifies that all jobs coming in from the remote node are validated. ONLY specifies that incoming jobs that have already been validated by ACF2 are not revalidated. Default: YES.
- If the GSO NJE record values for the DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and NOVALOUT fields are defined, your organization does not have an audit finding.
- If the GSO NJE record fields listed in step 2 are not defined, your organization has an audit finding. See Remediate Audit Finding.
Remediate Audit Finding
z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) ensures that the GSO NJE record value indicates validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
Follow these steps:
- Configure the GSO NJE record DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and NOVALOUT fields:
  The GSO NJE record DFTLID, ENCRYPT, INHERIT, NODEMASK, VALIN, and NOVALOUT fields are defined.
    SET CONTROL(GSO)
    CONTROL
    CHANGE NJE DFTLID() INHERIT NODEMASK(-) ENCRYPT VALIN(YES) NOVALOUT
    F ACF2,REFRESH(NJE)
    CONTROL
- Verify the GSO NJE record has been updated:
    SET CONTROL
    CONTROL
    SHOW NJE
    -- NJE OPTIONS IN EFFECT --
    NODE      VALIDATE  VALIDATE  INHERIT-  SEND       DEFAULT  SYSOUT
    NAME OR   INCOMING  OUTGOING  ANCE      ENCRYPTED  LOGONID  DEFAULT
    MASK      JOBS      JOBS      ALLOWED   PASSWORD            LOGONID
    (BOTH)    (IN)      (OUT)     (IN)      (OUT)      (IN)     (IN)
    =======   ========  ========  ========  ========   =======  =======
    YES       YES       YES       YES       YES        YES      YES
    CONTROL
  ACF2 will now ensure that the proper validation of jobs submitted through an NJE subsystem takes place.
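The Identify and Verify steps above both come down to reading a LIST NJE display and deciding whether the six fields are defined. The following is an added example, not ACF2's or the STIG's own tooling: a small Python parser that takes the display text, records which keywords appear, and reports the required fields that are missing and the defined fields that differ from the values the CHANGE NJE remediation sets. The display layout, the sample listings and the function names are constructed assumptions modelled on the output shown on this page; a keyword that appears in the display is counted as defined.

```python
import re

# Fields the STIG check expects to be defined in the GSO NJE record; each entry
# lists the keyword(s) whose presence in the LIST NJE display satisfies it.
REQUIRED_FIELDS = {
    "DFTLID": ("DFTLID",), "ENCRYPT": ("ENCRYPT", "NOENCRYPT"),
    "INHERIT": ("INHERIT", "NOINHERIT"), "NODEMASK": ("NODEMASK",),
    "VALIN": ("VALIN",), "VALOUT": ("VALOUT", "NOVALOUT"),
}
# Values and keywords set by the remediation CHANGE NJE command on this page.
BASELINE_VALUES = {"NODEMASK": "-", "VALIN": "YES"}
BASELINE_KEYWORDS = {"INHERIT": "NOINHERIT", "ENCRYPT": "NOENCRYPT", "NOVALOUT": "VALOUT"}
KEYWORD = re.compile(r"\b([A-Z][A-Z0-9-]*)(?:\(([^)]*)\))?")  # KEYWORD or KEYWORD(value)

def parse_nje_record(listing: str) -> dict:
    """Map each keyword in a LIST NJE display to its value ('' when none).
    Only lines after the 'LAST CHANGED BY' header and before the next CONTROL prompt are read."""
    fields, in_record = {}, False
    for line in listing.splitlines():
        line = line.strip()
        if "LAST CHANGED BY" in line:
            in_record = True
        elif in_record and line == "CONTROL":
            in_record = False
        elif in_record:
            for kw, val in KEYWORD.findall(line):
                fields[kw] = val
    return fields

def audit_nje_record(fields: dict) -> list:
    """Findings: required fields not defined (the STIG check), then deviations from the baseline."""
    findings = [f"{name} not defined" for name, kws in REQUIRED_FIELDS.items()
                if not any(kw in fields for kw in kws)]
    for kw, want in BASELINE_VALUES.items():
        if kw in fields and fields[kw] != want:
            findings.append(f"{kw}({fields[kw]}) differs from baseline {kw}({want})")
    for kw, opposite in BASELINE_KEYWORDS.items():
        if opposite in fields:
            findings.append(f"{opposite} set; baseline is {kw}")
    return findings

# Constructed sample displays (hypothetical), modelled on the page's LIST NJE output.
BEFORE = """LIST NJE
XXXX / NJE LAST CHANGED BY USER01 ON 02/10/2020-9:20
   DFSYOUT() ENCRYPT NOVALOUT
CONTROL"""
AFTER = """XXXX / NJE LAST CHANGED BY USER01 ON 02/10/2020-9:20
   DFTLID() ENCRYPT INHERIT NODEMASK(-) NOVALOUT VALIN(YES)
CONTROL"""
```

Running audit_nje_record(parse_nje_record(BEFORE)) reports DFTLID, INHERIT, NODEMASK and VALIN as not defined; the AFTER listing returns no findings.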
Control Correlation Identifier
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-001414, CCI-001762, CCI-001764, CCI-002314
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
NIST: NIST SP 800-53 (v3): AC-3
NIST: NIST SP 800-53 Revision 4 (v4): AC-3
NIST: NIST SP 800-53A (v1): AC-3.1
The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
NIST: NIST SP 800-53 (v3): AC-4
NIST: NIST SP 800-53 Revision 4 (v4): AC-4
NIST: NIST SP 800-53A (v1): CM-4.1 (iii)
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (1) (b)
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (2)
The information system controls remote access methods.
NIST: NIST SP 800-53 Revision 4 (v4): AC-17 (1)