UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Duplicated sensitive utilities and/or programs exist in APF libraries.


Overview

Finding ID Version Rule ID IA Controls Severity
V-85 AAMV0050 SV-85r2_rule DCCS-1 DCCS-2 DCSL-1 Low
Description
Modules designated as sensitive utilities have the ability to significantly modify the operating system environment. Duplication of these modules causes an exposure by making it extremely difficult to track modifications to them. This could allow for the execution of invalid or trojan horse versions of these utilities.
STIG Date
z/OS RACF STIG 2018-12-20

Details

Check Text ( C-20008r1_chk )
a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(APFDUPS)

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(AAMV0050)

b) If duplicate APF modules exist, compare the duplicates to the modules specified below:

The following list contains Sensitive Utilities that will be checked.

AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP
BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL
CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP
HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT
IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE
IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS
L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV
TMSREMOV TMSTPNIT TMSUDSNB

c) If none of the sensitive utilities are duplicated, there is NO FINDING.

d) If any of the sensitive utilities is duplicated, this is a FINDING.
Fix Text (F-239r1_fix)
The IAO will ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the IAO.

(3) Before a library and a volume serial number are added to IEAAPFxx and PROGxx, the IAO will protect the data set from unauthorized access. Systems programming personnel will specify the requirements for users needing read or execute access to this library. Comparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns with the IAO, so that the function can be restricted as required. The IAO will build the appropriate protection into the ACP.