Check: AAMV0450
zOS ACF2 STIG:
AAMV0450
(in versions v6 r43 through v6 r30)
Title
System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly. (Cat II impact)
Discussion
Many vendor products and applications require or provide operating system exits, SVCs, I/O appendages, special PPT privileges, and APF authorization. Without proper review, approval and adequate documentation of these system programs, the integrity and availability of the operating system, ACP, and customer data are subject to compromise.
Check Content
Refer to the following reports produced by the z/OS Data Collection: - EXAM.RPT(APFXRPT) - EXAM.RPT(APFTSO) - EXAM.RPT(IOAPPEND) - EXAM.RPT(MVSXRPT) - EXAM.RPT(PPTXRPT) - EXAM.RPT(SVCIBM) - EXAM.RPT(SVCUSER) - EXAM.RPT(SVCESR) If the following items are in effect, this is not a finding: ___ The acquisition of any new IA and IA-enabled Commercial-Off-the-Shelf (COTS) products or any major upgrade meets the applicable Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1 or receives DAA approval. ___ All locally developed extensions to the operating system environment (i.e., operating system exits, SVCs, I/O appendages, modules requiring special PPT privileges and APF authorization) have been reviewed by the site’s system programmer to assure that requirements of CNSSP No. 11 and DODD 8500.1 are met and/or approved by site DAA.
Fix Text
Ensure any new system software or major upgrade of software that performs any of the following actions: - Runs authorized or with special privileges so it can use z/OS facilities restricted to authorized programs. - Requires the use of a new Supervisor Call routine (SVC), Program Call routine (PC), installation exit routine, or I/O appendage routine. - Modifies MVS in any way. - Requires the use of the Authorized Program Facility (APF). - Requires that the name of the program be placed in the MVS Program Properties Table (PPT). - Runs in Supervisor State. - Runs with a program status word (PSW) protection key between 0 through 7. - Runs with a userid that has special security privileges within the ACP. Has been approved by Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1 or receives DAA approval.
Additional Identifiers
Rule ID: SV-34r3_rule
Vulnerability ID: V-34
Group Title: AAMV0450
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000271 |
The organization ensures the authorizing official authorizes the information system for processing before commencing operations. |
| CCI-000633 |
The organization ensures that government off-the-shelf (GOTS) or commercial-off-the-shelf(COTS) information assurance (IA) and IA-enabled information technology products have been evaluated and/or validated by the NSA or in accordance with NSA-approved procedures. |
| CCI-000634 |
The organization limits the use of commercially provided information assurance (IA) and IA-enabled information technology products to those products that have been successfully evaluated against a National Information Assurance Partnership (NIAP)-approved Protection Profile for a specific technology type, if such a profile exists. |
| CCI-001806 |
The organization defines methods to be employed to enforce the software installation policies. |