Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-113 | ACP00060 | SV-113r2_rule | DCCS-1 DCCS-2 DCSL-1 ECAR-1 ECAR-2 ECAR-3 | High |
Description |
---|
The Authorized Program List designates those libraries that can contain program modules which possess a significant level of security bypass capability. Unauthorized access could result in the compromise of the operating system environment, ACP, and customer data. |
STIG | Date |
---|---|
z/OS RACF STIG | 2019-12-12 |
Check Text ( C-22928r1_chk ) |
---|
a) Refer to the following reports produced by the Data Set and Resource Data Collection: - SENSITVE.RPT(APFXRPT) Automated Analysis Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(ACP00060) ___ The ACP data set rules for APF libraries allow inappropriate access. ___ The ACP data set rules for APF libraries do not restrict UPDATE and/or ALTER access to only z/OS systems programming personnel. ___ The ACP data set rules for APF libraries do not specify that all (i.e., failures and successes) UPDATE and/or ALTER access will be logged. b) If all of the above are untrue, there is NO FINDING. c) If any of the above is true, this is a FINDING. |
Fix Text (F-17038r1_fix) |
---|
Review access authorization to critical system files. Evaluate the impact of correcting the deficiency. Develop a plan of action and implement the changes required to protect APF Authorized Libraries. The IAO will ensure that update and allocate access to all APF-authorized libraries are limited to system programmers only and all update and allocate access is logged. |