Title

Inaccessible APF libraries defined. (Cat III impact)

Discussion

If a library designated by an APF entry does not exist on the volume specified, a library of the same name may be placed on this volume and inherit APF authorization. This could allow the introduction of modules which bypass security and violate the integrity of the operating system environment.

Check Content

PDI Screen Sort Order: AAMV0040 Default Severity: Category III a) Refer to the following reports produced by the z/OS Data Collection: - PARMLIB.ACCESS(IEAAPFxx) - PARMLIB.ACCESS(PROGxx) NOTE: The IEAAPFxx and PROGxx reports are only produced if inaccessible libraries exist. The report names represent the actual SYS1.PARMLIB members where inaccessible libraries are found. If these reports do not exist, there is NO FINDING. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0040) b) If no inaccessible APF libraries exist, there is NO FINDING. c) If inaccessible APF libraries do exist, this is a FINDING.

Fix Text

The systems programmer will ensure that only existing libraries are specified in the APF list of libraries. Review the entire list of APF authorized libraries and remove those which are no longer valid designations. (2) The IEAAPFxx members will contain only required libraries. On a semi annual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non existent libraries. The IAO should modify and/or delete the rules associated with these libraries.

Additional Identifiers

Rule ID: SV-84r2_rule

Vulnerability ID: V-84

Group Title: AAMV0040

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.