Check: AAMV0060
zOS RACF STIG:
AAMV0060
(in versions v6 r43 through v6 r37)
Title
The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available. (Cat II impact)
Discussion
AC=1 modules that reside in APF authorized libraries must be reviewed annually. The IAO will maintain documentation identifying the integrity and justification of Vendor APF authorized libraries. For non-vendor APF authorized libraries, the source and the documentation identifying the integrity and justification that describes the AC=1 module process will be maintained by the IAO. Sites that have undocumented and/or unauthorized AC=1 modules face a possible risk to the confidentiality, integrity, and availability of the system, and such modules present a clear risk to the operating system, ACP, and customer data.
Check Content
Refer to the following reports produced by the z/OS Data Collection:
- EXAM.RPT(APFXRPT)

Automated Analysis requires Additional Analysis.

Refer to the following report produced by the Data Set and Resource Data Collection:
- PDI(AAMV0060)

Verify that AC=1 modules identified in the APF Authorized data sets specified in EXAM.RPT(APFXRPT) have documentation and/or source code. If all of the following guidance is true, this is not a finding.

___ Documentation for Vendor APF Authorized libraries identifying the integrity and justification is maintained by the IAO.
___ Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification are maintained by the IAO.
___ All Vendor and non-vendor AC=1 modules in APF Authorized libraries are reviewed on an annual basis.
Fix Text
The IAO working with the systems programmer will ensure that documentation and/or source code are available for AC=1 modules that reside in the APF Authorized libraries. Documentation for Vendor APF Authorized libraries identifying the integrity and justification will be available. Examples of this type of documentation can be in the form of product installation guides or product system programming guides. Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification will be available. A review of the above documentation and/or source will be performed on an annual basis.
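The check above reduces to a reconciliation: every AC=1 module found in an APF authorized library must map to an IAO documentation record (a documentation reference for vendor modules, documentation plus source for non-vendor modules) that has been reviewed within the last year. The script below is an added example, not part of the STIG or of any z/OS Data Collection tool; the report column layout, the inventory fields and the module, library and change-record names are constructed assumptions, since the page does not give the format of EXAM.RPT(APFXRPT) or PDI(AAMV0060).

```python
"""Reconcile AC=1 modules in APF authorized libraries against the IAO's
documentation inventory and report anything that would be a finding.

Added example. The report layout (library, module, AC value per line) and
the inventory record fields are assumptions, not the real format of
EXAM.RPT(APFXRPT) or PDI(AAMV0060).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample report: one line per load module, with its
# authorization code. Only AC=1 entries are in scope for the check.
SAMPLE_REPORT = """\
VENDOR.PROD.LOAD   VPROD001  AC=1
VENDOR.PROD.LOAD   VPROD002  AC=0
SITE.LOCAL.APFLIB  SITEAUTH  AC=1
SITE.LOCAL.APFLIB  SITEOLD   AC=1
"""


@dataclass
class DocRecord:
    """One IAO documentation record for an AC=1 module (assumed fields)."""
    vendor: bool              # True for vendor-supplied modules
    documentation: str        # e.g. installation or sysprog guide reference
    source: Optional[str]     # source location; required for non-vendor modules
    last_review: date         # date of the most recent annual review


# Constructed inventory, keyed by (library, module). SITEOLD is deliberately
# absent so the example shows an undocumented AC=1 module being flagged.
SAMPLE_INVENTORY: Dict[Tuple[str, str], DocRecord] = {
    ("VENDOR.PROD.LOAD", "VPROD001"): DocRecord(
        True, "Vendor product system programming guide (constructed ref)",
        None, date(2024, 6, 15)),
    ("SITE.LOCAL.APFLIB", "SITEAUTH"): DocRecord(
        False, "Site change record CR-0000 (constructed ref)",
        "SITE.SRCLIB(SITEAUTH)", date(2024, 3, 1)),
}


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Return (library, module) pairs for every AC=1 entry in the report."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip headings, blank lines, or unexpected layouts
        library, module, ac = parts
        if ac.upper() == "AC=1":
            found.append((library, module))
    return found


def evaluate(report_text: str, inventory: Dict[Tuple[str, str], DocRecord],
             today: date, max_age_days: int = 365) -> List[str]:
    """Apply the three check items; an empty list means 'not a finding'."""
    findings = []
    for library, module in parse_report(report_text):
        name = f"{library}({module})"
        rec = inventory.get((library, module))
        if rec is None:
            findings.append(f"{name}: no IAO documentation on file")
            continue
        if not rec.documentation:
            findings.append(f"{name}: documentation reference missing")
        if not rec.vendor and not rec.source:
            findings.append(f"{name}: non-vendor module without source")
        if today - rec.last_review > timedelta(days=max_age_days):
            findings.append(f"{name}: last review {rec.last_review} "
                            f"is older than {max_age_days} days")
    return findings


def findings_for(today_iso: str) -> List[str]:
    """Run the sample reconciliation as of the given ISO date."""
    return evaluate(SAMPLE_REPORT, SAMPLE_INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for finding in findings_for("2025-01-15"):
        print("FINDING:", finding)
```

Run as of 2025-01-15 the only finding is the undocumented SITEOLD module; run as of 2025-06-01 the SITEAUTH record also surfaces, because its last review has passed the 365-day window. The age check is what turns a one-time documentation effort into the annual review the STIG requires.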
Additional Identifiers
Rule ID: SV-86r4_rule
Vulnerability ID: V-86
Group Title: AAMV0060
CCIs
Number | Definition
---|---
CCI-000643 | The organization obtains vendor/manufacturer documentation that describes the functional properties of the security controls employed within the information system with sufficient detail to permit analysis and testing.
CCI-001829 | The organization reviews information system privileges per an organization-defined frequency.
CCI-002736 | The organization allows execution of binary or machine-executable code obtained from sources with limited or no warranty and without the provision of source code only with the explicit approval of organization-defined personnel or roles.