UCF STIG Viewer Logo

Inaccessible APF libraries defined.


Overview

Finding ID Version Rule ID IA Controls Severity
V-84 AAMV0040 SV-84r2_rule DCCS-1 DCCS-2 DCSL-1 Low
Description
If a library designated by an APF entry does not exist on the volume specified, a library of the same name may be placed on this volume and inherit APF authorization. This could allow the introduction of modules which bypass security and violate the integrity of the operating system environment.
STIG Date
z/OS RACF STIG 2019-12-12

Details

Check Text ( C-634r1_chk )
PDI Screen Sort Order: AAMV0040 Default Severity: Category III

a) Refer to the following reports produced by the z/OS Data Collection:

- PARMLIB.ACCESS(IEAAPFxx)
- PARMLIB.ACCESS(PROGxx)

NOTE: The IEAAPFxx and PROGxx reports are only produced if inaccessible libraries exist. The report names represent the actual SYS1.PARMLIB members where inaccessible libraries are found. If these reports do not exist, there is NO FINDING.

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:

- PDI(AAMV0040)

b) If no inaccessible APF libraries exist, there is NO FINDING.

c) If inaccessible APF libraries do exist, this is a FINDING.
Fix Text (F-16650r1_fix)
The systems programmer will ensure that only existing libraries are specified in the APF list of libraries. Review the entire list of APF authorized libraries and remove those which are no longer valid designations.
(2) The IEAAPFxx members will contain only required libraries. On a semi annual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non existent libraries. The IAO should modify and/or delete the rules associated with these libraries.