JES2 Parms Display

z/OS can be installed with the JES2 or JES3 job entry subsystem. Use the System Overview display (1.1) to determine which system the data center uses. This section of the checklist pertains to JES2 systems only. Use the JES option (4.1) to access this information.

Because SMF exits and access control software can affect JES2 operation, see the Usage Guide before you begin your review.

Auditor___________________________ Location___________________ Page____of____

Approved__________________________ CPU________________________ Date__________

Step | Description | W/P Ref | Finding | Remarks

1

Determine the date and time of the last IPL from the System Overview display (1.1).

To obtain the JES2 parameters specified at IPL, obtain a copy of the console log (SYSLOG) from the Operations staff. In the SYSLOG, find the command that the operator entered to start JES2. It is in response to a HASP426 SPECIFY SYSTEM OPTIONS prompt and begins with S JES2.

We also recommend that you request a systems programmer or someone in operations issue the $DOPTSDEF JES2 command on the MVS console for you. The output of the $HASP820 message provides the HASPPARM value specified when JES2 was started, along with other information including the startup option (FORMAT, COLD, WARM) and startup type actually performed (FORMAT, COLD, and so on).

Doing both will provide a snapshot of how JES2 was started at IPL time and how it is currently running. Remember that under certain circumstances, it is possible to stop JES2 and restart it within the lifespan of an IPL.

 

 

 

2

Select the CA Auditor JES2 display (4.1). If the S JES2 found in Step 1 was not followed by a comma and more information, then go on to Step 3.

Alternatively, you can use the HASPPARM value identified in the $HASP820 message if you have issued the $DOPTSDEF command. You can use whatever HASPPARM value was specified and enter that information in the field provided on the display for optional parameters and press Enter.

 

 

 

3

Tape file security can be circumvented by bypass label processing (BLP) commands in JCL.

TSU on the JES2 Parms Display (4.1) represents TSO users. For TSO users (TSU), check the entry in the field labeled Allow BLP? to determine if these users can use BLP commands.

 

 

 

4

If you determined in Step 1 that BLP allows TSO users to access tape volumes, use the TSO Analysis display (2.5) to find which users have MOUNT authority for tape files. This powerful combination should rarely be permitted.

 

 

 

5

However, even if JES2 permits tape access using BLP and there are TSO users with MOUNT authority, access control software can still forbid BLP. See the Usage Guide for instructions on how to proceed in this situation.

 

 

 

6

Determine from the JES2 Parms Display (4.1) if JES2 permits BLP for batch jobs. Batch jobs are A through Z and 0 through 9 on this display. Although batch jobs have no equivalent to MOUNT authority, they are subject to access control software restrictions on BLP. Many data centers do not permit BLP for batch jobs.

 

 

 

7

Note from the JES2 Parms Display (4.1) if JES permits BLP for operator‑started tasks (STC). Determine if adequate documentation is available to computer operators that defines the proper use and control of BLP for started tasks.

 

 

 

8

Note from the Computer System Profile sheet if the data center uses a job accounting system. If it does, check the ACNT REQ? field on the JES2 display to ensure that JES2 requires accounting information and programmer names for batch jobs of all classes. This information is not required for TSO or started tasks.

 

 

 

9

Because batch jobs are more difficult to account for than TSO logons or operator‑started tasks, check the NAME REQ? field to see if JES2 requires users to enter a programmer name for batch jobs.

 

 

 

10

JES2 permits console operator commands in the job control language (JCL). Because this privilege was originally intended for RJE environments, little justification for this facility exists in most data centers. Determine from the display if it is permitted for TSO users, batch, or started tasks.

 

 

 

11

To find the JES2 parameter file, you must first identify the JES2 ddname. If you entered HASPPARM=.OPTIONAL‑PARAMETERS in Step 2, use that name. Otherwise, use the default name HASPPARM.

 

 

 

12

Split your screen and browse the JES2 member of SYS1.PROCLIB. Locate the JES2 ddname you found in Step 11 and note the data set it refers to. This is the JES2 parameter file.

 

 

 

13

Use the Catalog (6.2), Volume File Scan display (6.3), or your access control software to determine that the JES2 parameter data set you found in Step 12 is protected from unauthorized access and modification.
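As a cross-check on Steps 3 through 10, the JOBCLASS statements in the JES2 parameter data set located in Step 12 can be reviewed directly. The following Python sketch is an added example, not part of CA Auditor or of this checklist. It assumes the member has been downloaded as text and that the display fields correspond to the JES2 JOBCLASS keywords BLP, COMMAND, ACCT, and PGMRNAME; the sample input is constructed.

```python
import re

# Constructed sample of JES2 initialization statements (not from a real system).
SAMPLE_HASPPARM = """\
/* constructed sample for illustration */
JOBCLASS(A)   ACCT=YES,PGMRNAME=YES,
              BLP=NO,COMMAND=VERIFY
JOBCLASS(B)   ACCT=NO,PGMRNAME=NO,BLP=YES,COMMAND=EXECUTE
JOBCLASS(STC) BLP=YES,COMMAND=EXECUTE
JOBCLASS(TSU) BLP=NO,COMMAND=IGNORE
"""

STMT = re.compile(r"JOBCLASS\(([^)]+)\)\s*(.*)", re.I)

def parse_jobclasses(text):
    """Return {class name: {keyword: value}} for each JOBCLASS statement."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # drop /* ... */ comments
    text = re.sub(r",\s*\n\s*", ",", text)              # trailing comma continues a statement
    classes = {}
    for line in text.splitlines():
        m = STMT.match(line.strip())
        if m:
            pairs = [kv for kv in re.split(r"[,\s]+", m.group(2).upper()) if "=" in kv]
            classes[m.group(1).upper()] = dict(kv.split("=", 1) for kv in pairs)
    return classes

def audit(classes):
    """Flag the settings the checklist asks about. Only values coded in the
    member are evaluated; JES2 defaults for omitted BLP/COMMAND are not assumed."""
    findings = []
    for name, opts in sorted(classes.items()):
        batch = name not in ("STC", "TSU")   # A-Z and 0-9 are batch classes
        if opts.get("BLP") == "YES":
            findings.append((name, "BLP permitted"))
        if opts.get("COMMAND") == "EXECUTE":
            findings.append((name, "operator commands in JCL are executed"))
        if batch and opts.get("ACCT") != "YES":
            findings.append((name, "ACCT=YES not specified"))
        if batch and opts.get("PGMRNAME") != "YES":
            findings.append((name, "PGMRNAME=YES not specified"))
    return findings

if __name__ == "__main__":
    for cls, issue in audit(parse_jobclasses(SAMPLE_HASPPARM)):
        print(f"JOBCLASS({cls}): {issue}")
```

Statements that name a range or list of classes are stored under the subscript as written, so expand them before comparing against the per-class rows on the display.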