UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Update and allocate access to all APF -authorized libraries are not limited to system programmers only.


Overview

Finding ID Version Rule ID IA Controls Severity
V-113 ACP00060 SV-113r2_rule DCCS-1 DCCS-2 DCSL-1 ECAR-1 ECAR-2 ECAR-3 High
Description
The Authorized Program List designates those libraries that can contain program modules which possess a significant level of security bypass capability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
STIG Date
z/OS ACF2 STIG 2016-12-21

Details

Check Text ( C-22928r1_chk )
a) Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(APFXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00060)

___ The ACP data set rules for APF libraries allow inappropriate access.

___ The ACP data set rules for APF libraries do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

___ The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-17038r1_fix)
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries.

The IAO will ensure that update and allocate access to all APF-authorized libraries are limited to system programmers only and all update and allocate access is logged.