Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-83 | AAMV0030 | SV-83r2_rule | DCCS-1 DCCS-2 DCSL-1 | Medium |
Description |
---|
Failure to specify LINKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules which could bypass security and violate the integrity of the operating system environment. This expanded authorization list inhibits the ability to control inclusion of these modules. |
STIG | Date |
---|---|
z/OS RACF STIG | 2018-12-20 |
Check Text ( C-20621r1_chk ) |
---|
a) Refer to the following report produced by the z/OS Data Collection: - EXAM.RPT(PARMLIB) - Refer to the IEASYSxx listing(s). Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0030) b) If the LNKAUTH=APFTAB parameter is specified in the IEASYSxx member, there is NO FINDING. c) If the LNKAUTH=APFTAB parameter is not specified, this is a FINDING. |
Fix Text (F-16081r1_fix) |
---|
The systems programmer will ensure that LNKAUTH=APFTAB is specified in the IEASYSxx member(s) in the currently active parmlib data set(s). Review all installed software for authorization requirements. Identify and include only libraries with this requirement in the APF designation. Change LINKAUTH=LNKLST to LINKAUTH=APFTAB in all IEASYSxx members. Control over APF authorization is specified within the operating system. The data set SYS1.PARMLIB members IEAAPFxx and PROGxx are used to specify the library names and the volumes on which they reside. (The xx is the suffix designated by the APF and PROG parameters in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL]). NOTE: An entire library is listed as authorized, and not the individual modules themselves. Use the following recommendations and techniques to control the exposures created by the APF facility: (1) In SYS1.PARMLIB(IEASYSxx), use the parameter LNKAUTH=APFTAB so that all APF libraries are specified in the IEAAPFxx and PROGxx members of parmlib. |