z/OS can be installed with the JES2 or JES3 job entry subsystem. Use the System Overview display (1.1) to determine which system the data center uses. This section of the checklist pertains to JES3 systems only. Use the JES option (4.1) to access this information.
Because SMF exits and access control software can affect JES3 operation, see the Usage Guide before you begin your review.
The JES3 initialization deck supplies the parameters that govern JES3 and the way it processes jobs on the system. A data set or user exit can supply the parameters for the initialization deck. CA Auditor reports only the JES3 parameters that a data set supplied. It is also possible for an operator to change these parameters by specifying symbolic JCL parameters or by specifying an alternate member to use. The checklist describes these two methods.
This JES3 checklist lets you examine audit and security concerns about the JES3 initialization deck parameters. JES3 reads the initialization deck only if JES is cold‑ or warm‑started. If JES3 is hot‑started, the last initialization deck read remains in effect (even over an IPL).
Auditor___________________________ Location___________________ Page____of____
Approved__________________________ CPU________________________ Date__________
| Step | Description | W/P Ref | Finding | Remarks |
|---|---|---|---|---|
| 1 | Determine the date and time of the last IPL from the System Overview display (1.1). Request a copy of the console log (SYSLOG) from the Operations staff. Review the entry that the operator made to start JES3. This entry usually begins S JES3. The operator can also add one or more symbolic parameter values at this time, which can modify the data sets and member names from which the JES3 initialization parameters are read. The system reads the JES3 procedure contained in SYS1.PROCLIB. | | | |
| 2 | Select the CA Auditor JES3 display. If the S JES3 command found in Step 1 did not include symbolic JCL parameter overrides, go to Step 3. Otherwise, enter the override parameters in the optional parameters field. | | | |
| 3 | After the operator enters the S JES3 command, followed by any symbolic parameters, JES displays the IAT3012 message. This message lets the operator change the member that JES3 uses for the JES3 initialization parameters by entering M=, followed by the two‑character suffix of the alternate member. Determine from the SYSLOG entry whether the operator entered a suffix in response to this message. If so, enter that suffix in the field provided and press Enter. CA Auditor displays the initialization deck parameters, replacing the first member of the JES3IN ddname concatenation accordingly. | | | |
| 4 | Next, review the information that CA Auditor displays about the JES3 parameters. Tape file security can be circumvented by the bypass label processing (BLP) subparameter of the LABEL operand in a DD statement. TSU on the JES3 Parms Display (4.1) represents TSO users. Check the entry in the field labeled ALLOW BLP? for TSO users (TSU) to determine whether these users can use BLP. | | | |
| 5 | If you determined in Step 4 that TSO users can use BLP to access tape volumes, use the TSO Analysis display (2.5) to find which users have MOUNT authority for tape files. This powerful combination should rarely be permitted. However, even if JES3 permits tape access using BLP and there are TSO users with MOUNT authority, access control software can still forbid BLP. See the Usage Guide for instructions on how to proceed in this situation. | | | |
| 6 | The STANDARDS statement in the initialization deck sets the TSU, STC, and INTRDR CIPARM IDs. The other CIPARM IDs that are defined can be active only if an operator specifies the CIPARM ID when starting a reader device, such as a card, tape, or disk reader. Review the other CIPARM IDs to determine whether they conform to data center standards. Determine whether the data center has adequate documentation that defines the purpose, use, and function of these alternate CIPARM IDs for batch jobs. | | | |
| 7 | Note whether JES3 permits BLP for operator‑started tasks (STC). Determine whether adequate documentation is available to computer operators that defines the proper use and control of BLP for started tasks. | | | |
| 8 | Note from the Computer System Profile sheet whether the data center uses a job accounting system. If it does, check the ACNT REQ? field on the JES3 display to ensure that JES3 requires accounting information and programmer names for all CIPARM IDs except TSU or STC. This is because batch jobs can be assigned to (and receive their parameters from) any CIPARM ID defined on the system. | | | |
| 9 | Because batch jobs are more difficult to account for than TSO logons or operator‑started tasks, check the NAME REQ? field to see whether JES3 requires users to enter a programmer name for batch jobs. | | | |
| 10 | Split your screen and browse the JES3 member of SYS1.PROCLIB. Locate the JES3 initialization deck input ddname (which is always JES3IN) and note the data sets that it refers to. These are the JES3 initialization parameter files. | | | |
| 11 | Use the Catalog (6.2) or Volume File Scan display (6.3) or your access control software to determine that the JES3 parameter data sets that you found in Step 10 are protected from unauthorized access and modification. | | | |
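The following is an added example, not CA Auditor code or anything from CA's documentation. It expresses the checklist logic of Steps 1 to 3 (what the SYSLOG shows about how JES3 was started: symbolic overrides on S JES3 and the M= reply to IAT3012) and of Steps 4 to 9 (findings derived from the ALLOW BLP?, ACNT REQ? and NAME REQ? fields of each CIPARM ID) as plain functions, so that the conditions the auditor is asked to check are stated precisely. The SYSLOG lines, the IAT3012 message text, the reply format, the CIPARM field values and the user ID are all constructed for the example; the `CiparmRecord` fields, `mount_users` (the result you would take from the TSO Analysis display 2.5), `documented_ids` and `stc_blp_documented` are assumed inputs that the auditor supplies, not fields the display exposes under those names.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# ---- Steps 1-3: how JES3 was started, read from the SYSLOG ------------------

# Constructed SYSLOG excerpt (not a real console log; message text shortened).
# The operator started JES3 with one symbolic override and answered the
# IAT3012 prompt with an alternate initialization member suffix.
SYSLOG_SAMPLE = """\
00000090 S JES3,SYSLOG=SYSLOG2
00000090 *01 IAT3012 SELECT JES3 INISH ORIGIN (N OR M=), OR CANCEL
00000090 R 01,M=03
"""

START_RE = re.compile(r"\bS\s+JES3(?:,(?P<parms>\S+))?", re.IGNORECASE)
REPLY_RE = re.compile(r"\bR\s+\d+,\s*M=(?P<suffix>\w{2})\b", re.IGNORECASE)


def parse_jes3_start(syslog: str) -> Dict[str, object]:
    """Return the symbolic overrides on S JES3 (Step 2 input) and the
    two-character member suffix given in reply to IAT3012 (Step 3 input)."""
    overrides: Dict[str, str] = {}
    suffix: Optional[str] = None
    seen_start = awaiting_reply = False
    for line in syslog.splitlines():
        if not seen_start:
            m = START_RE.search(line)
            if m:
                seen_start = True
                for item in (m.group("parms") or "").split(","):
                    if item:
                        key, _, value = item.partition("=")
                        overrides[key.upper()] = value
            continue
        if "IAT3012" in line:          # prompt for the initialization member
            awaiting_reply = True
            continue
        if awaiting_reply:
            r = REPLY_RE.search(line)  # operator reply of the form M=xx
            if r:
                suffix = r.group("suffix").upper()
                awaiting_reply = False
    return {"started": seen_start, "overrides": overrides, "member_suffix": suffix}


# ---- Steps 4-9: findings from the CIPARM fields on the JES3 Parms Display ----

@dataclass(frozen=True)
class CiparmRecord:
    parm_id: str      # CIPARM ID as shown, e.g. TSU, STC, INTRDR or an alternate
    allow_blp: bool   # ALLOW BLP? field
    acnt_req: bool    # ACNT REQ? field
    name_req: bool    # NAME REQ? field


Finding = Tuple[str, str]  # (checklist step, remark for the Remarks column)


def evaluate_ciparms(records: Iterable[CiparmRecord], mount_users: Set[str],
                     uses_job_accounting: bool, documented_ids: Set[str],
                     stc_blp_documented: bool) -> List[Finding]:
    """Apply the conditions of Steps 4 to 9 and return the findings."""
    findings: List[Finding] = []
    for r in records:
        batch_id = r.parm_id not in ("TSU", "STC")      # IDs batch jobs can use
        if r.parm_id == "TSU" and r.allow_blp:
            findings.append(("4", "TSU allows BLP: TSO users can bypass tape label processing"))
            if mount_users:                               # Step 5 combination
                findings.append(("5", "TSO users with MOUNT authority while TSU allows BLP: "
                                 + ", ".join(sorted(mount_users))))
        if batch_id and r.parm_id != "INTRDR" and r.parm_id not in documented_ids:
            findings.append(("6", f"alternate CIPARM ID {r.parm_id} has no documented purpose"))
        if r.parm_id == "STC" and r.allow_blp and not stc_blp_documented:
            findings.append(("7", "STC allows BLP without operator documentation for its use"))
        if batch_id and uses_job_accounting and not r.acnt_req:
            findings.append(("8", f"CIPARM ID {r.parm_id} does not require accounting information"))
        if batch_id and not r.name_req:
            findings.append(("9", f"CIPARM ID {r.parm_id} does not require a programmer name"))
    return findings


# Constructed display values: TSU and STC allow BLP, alternate ID 01 is
# undocumented and does not require accounting, INTRDR is compliant.
SAMPLE_CIPARMS = [
    CiparmRecord("TSU", allow_blp=True, acnt_req=False, name_req=False),
    CiparmRecord("STC", allow_blp=True, acnt_req=False, name_req=False),
    CiparmRecord("INTRDR", allow_blp=False, acnt_req=True, name_req=True),
    CiparmRecord("01", allow_blp=False, acnt_req=False, name_req=True),
]

if __name__ == "__main__":
    print(parse_jes3_start(SYSLOG_SAMPLE))
    for step, remark in evaluate_ciparms(SAMPLE_CIPARMS, {"USER01"}, True, set(), False):
        print(f"Step {step}: {remark}")
```

The evaluation deliberately keeps TSU and STC out of the Step 8 and Step 9 checks, as the checklist does, and keeps INTRDR out of the Step 6 documentation check because the STANDARDS statement defines it rather than an operator-selected alternate ID.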
Copyright © 2009 CA. All rights reserved.