Check: AAMV0040
zOS RACF STIG:
AAMV0040
(in versions v6 r43 through v6 r30)
Title
Inaccessible APF libraries defined. (Cat III impact)
Discussion
If a library designated by an APF entry does not exist on the volume specified, a library of the same name may be placed on this volume and inherit APF authorization. This could allow the introduction of modules which bypass security and violate the integrity of the operating system environment.
Check Content
PDI Screen Sort Order: AAMV0040 Default Severity: Category III a) Refer to the following reports produced by the z/OS Data Collection: - PARMLIB.ACCESS(IEAAPFxx) - PARMLIB.ACCESS(PROGxx) NOTE: The IEAAPFxx and PROGxx reports are only produced if inaccessible libraries exist. The report names represent the actual SYS1.PARMLIB members where inaccessible libraries are found. If these reports do not exist, there is NO FINDING. Automated Analysis Refer to the following report produced by the z/OS Data Collection: - PDI(AAMV0040) b) If no inaccessible APF libraries exist, there is NO FINDING. c) If inaccessible APF libraries do exist, this is a FINDING.
Fix Text
The systems programmer will ensure that only existing libraries are specified in the APF list of libraries. Review the entire list of APF authorized libraries and remove those which are no longer valid designations. (2) The IEAAPFxx members will contain only required libraries. On a semi annual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non existent libraries. The IAO should modify and/or delete the rules associated with these libraries.
Additional Identifiers
Rule ID: SV-84r2_rule
Vulnerability ID: V-84
Group Title: AAMV0040
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000381 |
The organization configures the information system to provide only essential capabilities. |
CCI-001762 |
The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
CCI-002283 |
The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects. |