Check: AAMV0030
zOS ACF2 STIG:
AAMV0030
(in versions v6 r43 through v6 r30)
Title
LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s). (Cat II impact)
Discussion
Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF (in practice, every library in the LNKLST concatenation) to contain authorized modules, which could bypass security controls and violate the integrity of the operating system environment. This expanded authorization list inhibits the ability to control which modules are included.
Check Content
a) Refer to the following report produced by the z/OS Data Collection:
- EXAM.RPT(PARMLIB) - Refer to the IEASYSxx listing(s).

Automated Analysis
Refer to the following report produced by the z/OS Data Collection:
- PDI(AAMV0030)

b) If the LNKAUTH=APFTAB parameter is specified in the IEASYSxx member, there is NO FINDING.
c) If the LNKAUTH=APFTAB parameter is not specified, this is a FINDING.
Fix Text
The systems programmer will ensure that LNKAUTH=APFTAB is specified in the IEASYSxx member(s) in the currently active parmlib data set(s).

Review all installed software for authorization requirements. Identify and include only libraries with this requirement in the APF designation. Change LNKAUTH=LNKLST to LNKAUTH=APFTAB in all IEASYSxx members.

Control over APF authorization is specified within the operating system. The SYS1.PARMLIB members IEAAPFxx and PROGxx are used to specify the library names and the volumes on which they reside. (The xx is the suffix designated by the APF and PROG parameters in the IEASYSxx member of SYS1.PARMLIB, or overridden by the computer operator at system initial program load [IPL].)

NOTE: An entire library is listed as authorized, not the individual modules themselves.

Use the following recommendations and techniques to control the exposures created by the APF facility:
(1) In SYS1.PARMLIB(IEASYSxx), use the parameter LNKAUTH=APFTAB so that all APF libraries are specified in the IEAAPFxx and PROGxx members of parmlib.
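The check in b) and c) can be applied to parmlib listings mechanically. The following script is an added example, not part of the STIG or the z/OS Data Collection tooling; it works over constructed IEASYSxx member text and assumes the members are supplied in the order z/OS processes them (IEASYS00 first, then any additional suffixes), with a later member's value overriding an earlier one and any comment following the parameters after a blank.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample members (not from any real system). The 00 member
# still carries the vendor default LNKAUTH=LNKLST; the 01 member overrides it.
SAMPLE_PARMLIB: Dict[str, str] = {
    "IEASYS00": (
        "CLPA,\n"
        "APF=00,\n"
        "PROG=(00,01),\n"
        "LNKAUTH=LNKLST,          VENDOR DEFAULT - TO BE REMOVED\n"
        "MAXUSER=400\n"
    ),
    "IEASYS01": (
        "LNKAUTH=APFTAB,\n"
        "SQA=(12,12)\n"
    ),
}

_LNKAUTH = re.compile(r"\bLNKAUTH=(\w+)", re.IGNORECASE)


def parse_lnkauth(member_text: str) -> Optional[str]:
    """Return the LNKAUTH value coded in one IEASYSxx member, or None."""
    value = None
    for raw in member_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Assumption: parameter text ends at the first blank; what follows
        # (comments, sequence numbers) is ignored.
        params = line.split(" ", 1)[0]
        match = _LNKAUTH.search(params)
        if match:
            value = match.group(1).upper()  # a later line overrides an earlier one
    return value


def aamv0030(members: Dict[str, str], order: List[str]) -> Tuple[str, Optional[str]]:
    """Evaluate AAMV0030: NO FINDING only if the effective LNKAUTH is APFTAB."""
    effective = None
    for name in order:
        coded = parse_lnkauth(members[name])
        if coded is not None:
            effective = coded  # later member in processing order wins
    status = "NO FINDING" if effective == "APFTAB" else "FINDING"
    return status, effective


if __name__ == "__main__":
    print(aamv0030(SAMPLE_PARMLIB, ["IEASYS00", "IEASYS01"]))
```

Running only IEASYS00 through the check reproduces the FINDING case, since the effective value is then LNKLST; a member set with no LNKAUTH at all is likewise a FINDING because the system default is not APFTAB.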
Additional Identifiers
Rule ID: SV-83r2_rule
Vulnerability ID: V-83
Group Title: AAMV0030
Expert Comments
CCIs
Number | Definition
---|---
CCI-000381 | The organization configures the information system to provide only essential capabilities.
CCI-001762 | The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
CCI-002283 | The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects.