CICS_JOBSUB_SPOOL

CICS_JOBSUB_SPOOL checks whether the system spooling interface is enabled (that is, the SIT parameter is SPOOL=YES), and if so, whether the IBM-supplied transaction CECI is accessible to the default user, or whether CICS security is turned off in this region (that is, the SIT parameter is SEC=NO).

Description
Use the SIT parameter SPOOL=YES only on regions whose applications need to write to the spool by using the API command SPOOLWRITE.
Reason for check:

When the system spooling interface is enabled and either CECI is accessible to the default user or CICS security is turned off, anyone who can connect to the IP address and port number of the CICS region can remotely submit jobs that run on the z/OS system under the region user ID, without authentication.

In general, define regions with SEC=YES and restrict CECI so that only authorized, signed-on users can issue commands by using the CECI transaction.

If you do need to run CICS with SEC=NO, disable CECI access for this region, or configure the region to run in an isolated LPAR.

z/OS releases the check applies to:
Any z/OS release that supports CICS TS 5.4.
Minimum CICS TS release required:
All supported CICS releases.
Type of check (local, remote, or Rexx):
Local.
User override of IBM values:
No.
Debug support:
No.
Verbose support:
No.
Parameters accepted:
None.
Reference:
You can check which programs use the SPOOLWRITE command by using the load module scanner DFHEISUP.
Messages:
This check issues the following messages:
  • DFHH0002E - The spool is accessible to unauthenticated users.
  • DFHH0302I - The spool is protected from unauthenticated users.

See IBM Health Checker for z/OS messages related to CICS.
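
The condition this check evaluates can also be applied offline when reviewing SIT overrides for several regions. The following Python sketch is an added example, not IBM code: the function names, the simplified SYSIN parsing, and the `ceci_open_to_default_user` input (which must come from the security manager) are assumptions, as is reporting a region without SPOOL=YES as protected.

```python
import re

# SIT defaults assumed when a keyword is absent from the overrides.
SIT_DEFAULTS = {"SEC": "YES", "SPOOL": "NO"}
# KEYWORD=value, where value may be a parenthesised list containing commas.
_PARAM = re.compile(r"([A-Z0-9]+)=(\([^)]*\)|[^,\s]+)")

def parse_sit_overrides(text):
    """Parse SYSIN-style SIT overrides (simplified) into {keyword: value}."""
    params = dict(SIT_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line or line.startswith("*"):  # blank or comment line
            continue
        if line.startswith(".END"):           # end of overrides
            break
        params.update(_PARAM.findall(line))
    return params

def evaluate(sit_text, ceci_open_to_default_user):
    """Return (message_id, reasons) for one region.

    ceci_open_to_default_user comes from the security manager, not the SIT;
    here it is supplied by the caller (assumption of this example).
    """
    p = parse_sit_overrides(sit_text)
    if p["SPOOL"] != "YES":
        # Assumption: a region without the spool interface is reported as protected.
        return "DFHH0302I", []
    reasons = []
    if p["SEC"] == "NO":
        reasons.append("SEC=NO: CICS security is turned off")
    if ceci_open_to_default_user:
        reasons.append("CECI is accessible to the default user")
    return ("DFHH0002E" if reasons else "DFHH0302I"), reasons

# Constructed sample overrides, not taken from a real region.
WEAK = "* test region\nSEC=NO,SPOOL=YES,\nGRPLIST=(DFHLIST,APPL)\n.END\n"
HARDENED = "SEC=YES,\nSPOOL=YES\n.END\n"

if __name__ == "__main__":
    for name, sit, ceci in [("weak", WEAK, False), ("hardened", HARDENED, False),
                            ("open CECI", HARDENED, True)]:
        print(name, *evaluate(sit, ceci))
```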