
System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or be documented correctly.


Overview

Finding ID: V-34
Version: AAMV0450
Rule ID: SV-34r3_rule
IA Controls: DCCS-1, DCCS-2, DCPD-1
Severity: Medium

Description
Many vendor products and applications require or provide operating system exits, SVCs, I/O appendages, special PPT privileges, and APF authorization. Without proper review, approval and adequate documentation of these system programs, the integrity and availability of the operating system, ACP, and customer data are subject to compromise.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text (C-17878r2_chk)
Refer to the following reports produced by the z/OS Data Collection:

- EXAM.RPT(APFXRPT)
- EXAM.RPT(APFTSO)
- EXAM.RPT(IOAPPEND)
- EXAM.RPT(MVSXRPT)
- EXAM.RPT(PPTXRPT)
- EXAM.RPT(SVCIBM)
- EXAM.RPT(SVCUSER)
- EXAM.RPT(SVCESR)

If the following items are in effect, this is not a finding:

___ The acquisition of any new IA and IA-enabled Commercial-Off-the-Shelf (COTS) products or any major upgrade meets the applicable Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1 or receives DAA approval.

___ All locally developed extensions to the operating system environment (i.e., operating system exits, SVCs, I/O appendages, modules requiring special PPT privileges and APF authorization) have been reviewed by the site’s system programmer to assure that requirements of CNSSP No. 11 and DODD 8500.1 are met and/or approved by site DAA.

Fix Text (F-188r2_fix)
Ensure any new system software or major upgrade of software that performs any of the following actions:

- Runs authorized or with special privileges so it can use z/OS facilities restricted to authorized programs.

- Requires the use of a new Supervisor Call routine (SVC), Program Call routine (PC), installation exit routine, or I/O appendage routine.

- Modifies MVS in any way.

- Requires the use of the Authorized Program Facility (APF).

- Requires that the name of the program be placed in the MVS Program Properties Table (PPT).

- Runs in Supervisor State.

- Runs with a program status word (PSW) protection key from 0 through 7.

- Runs with a userid that has special security privileges within the ACP.

has been approved under the Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1, or has received DAA approval.