CICS_JOBSUB_TDQINTRDR
CICS_JOBSUB_TDQINTRDR checks whether any transient data queue that writes to the internal reader can be written to by the default user or is available in a region where CICS security is turned off (that is, the SIT parameter is SEC=NO).
- Description
- Secure transient data queues that write to the internal reader so that only authorized, signed-on users can write to them.
- Reason for check:
-
When transient data queues are defined to write to the internal reader (that is, the transient data queues are defined as extrapartition and specify a DD name that has SYSOUT referencing INTRDR), any of the following conditions, if detected, mean that anyone who can connect to the IP address and port number of the CICS regions can submit jobs to run on the z/OS system remotely under the region user ID without authentication:
- Transient data queues that write to the internal reader can be written to by the default user.
- The IBM-supplied transaction CECI is accessible to the default user.
- CICS security is turned off.
Define regions with SEC=YES and CECI so that only authorized, signed-on users can issue commands using the CECI transaction.
If you do need to run CICS with SEC=NO, disable CECI access for this region, or configure the region to run in an isolated LPAR.
- z/OS releases the check applies to:
- Any z/OS release that supports CICS TS 5.4.
- Minimum CICS TS release required:
- All supported CICS releases.
- Type of check (local, remote, or Rexx):
- Local
- User override of IBM values:
- No
- Debug support:
- No.
- Verbose support:
- No.
- Parameters accepted:
- None.
- Reference:
- Installing transient data queue definitions
- Messages:
- This check issues the following messages:
- DFHH0003E
- DFHH0303I