The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available.

From z/OS RACF STIG

Part of AAMV0060

Associated with: CCI-000643 CCI-001829 CCI-002736

SV-86r4_rule The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available.

Vulnerability discussion

The review of AC=1 modules that reside in APF authorized libraries must be reviewed annually. The IAO will maintain documentation identifying the integrity and justification of Vendor APF authorized libraries. For non-vendor APF authorized libraries, the source and documentation identifying the integrity and justification that describes the AC=1 module process will be maintained by the IAO. Sites have undocumented and/or unauthorized AC=1 modules have a possible risk to the confidentiality, integrity, and availability of the system and present a clear risk to the operating system, ACP, and customer data.

Check content

Refer to the following reports produced by the z/OS Data Collection: - EXAM.RPT(APFXRPT) Automated Analysis requires Additional Analysis. Refer to the following report produced by the Data Set and Resource Data Collection: - PDI(AAMV0060) Verify that AC=1 modules identified in the APF Authorized data sets specified in EXAM.RPT(APFXRPT) have documentation and/or source code. If the following guidance is true, this is not a finding. ___ Documentation for Vendor APF Authorized libraries identifying the integrity and justification are maintained by the IAO. ___ Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification are maintained by the IAO. ___ Review of all Vendor and non-vendor AC=1 modules in APF Authorized libraries will be reviewed on an annual basis.

Fix text

The IAO working with the systems programmer will ensure that documentation and/or source code are available for AC=1 modules that reside in the APF Authorized libraries. Documentation for Vendor APF Authorized libraries identifying the integrity and justification will be available. Examples of this type of documentation can be in the form of product installation guides or product system programming guides. Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification will be available. A review of the above documentation and/or source will be performed on an annual basis.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer