
Update and allocate access to all APF-authorized libraries is not limited to system programmers only.


Overview

Finding ID: V-113
Version: ACP00060
Rule ID: SV-113r2_rule
IA Controls: DCCS-1, DCCS-2, DCSL-1, ECAR-1, ECAR-2, ECAR-3
Severity: High
Description
The Authorized Program List designates those libraries that can contain program modules which possess a significant level of security bypass capability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data.
STIG Date
z/OS ACF2 STIG 2019-12-12

Details

Check Text (C-22928r1_chk)
a) Refer to the following reports produced by the Data Set and Resource Data Collection:

- SENSITVE.RPT(APFXRPT)

Automated Analysis
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(ACP00060)

___ The ACP data set rules for APF libraries allow inappropriate access.

___ The ACP data set rules for APF libraries do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel.

___ The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged.

b) If all of the above are untrue, there is NO FINDING.

c) If any of the above is true, this is a FINDING.
Fix Text (F-17038r1_fix)
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries.

The IAO will ensure that update and allocate access to all APF-authorized libraries is limited to system programmers only and that all update and allocate access is logged.