System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.

From z/OS TSS STIG

Part of AAMV0450

Associated with IA controls: DCCS-1, DCCS-2, DCPD-1

Associated with: CCI-000271 CCI-000633 CCI-000634 CCI-001806

SV-34r3_rule System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.

Vulnerability discussion

Many vendor products and applications require or provide operating system exits, SVCs, I/O appendages, special PPT privileges, and APF authorization. Without proper review, approval and adequate documentation of these system programs, the integrity and availability of the operating system, ACP, and customer data are subject to compromise.

Check content

Refer to the following reports produced by the z/OS Data Collection:

- EXAM.RPT(APFXRPT)
- EXAM.RPT(APFTSO)
- EXAM.RPT(IOAPPEND)
- EXAM.RPT(MVSXRPT)
- EXAM.RPT(PPTXRPT)
- EXAM.RPT(SVCIBM)
- EXAM.RPT(SVCUSER)
- EXAM.RPT(SVCESR)

If the following items are in effect, this is not a finding:

___ The acquisition of any new IA and IA-enabled Commercial-Off-the-Shelf (COTS) products or any major upgrade meets the applicable Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1 or receives DAA approval.

___ All locally developed extensions to the operating system environment (i.e., operating system exits, SVCs, I/O appendages, modules requiring special PPT privileges and APF authorization) have been reviewed by the site’s system programmer to assure that the requirements of CNSSP No. 11 and DODD 8500.1 are met and/or approved by the site DAA.

Fix text

Ensure that any new system software, or any major upgrade of software, that performs any of the following actions:

- Runs authorized or with special privileges so it can use z/OS facilities restricted to authorized programs.
- Requires the use of a new Supervisor Call routine (SVC), Program Call routine (PC), installation exit routine, or I/O appendage routine.
- Modifies MVS in any way.
- Requires the use of the Authorized Program Facility (APF).
- Requires that the name of the program be placed in the MVS Program Properties Table (PPT).
- Runs in Supervisor State.
- Runs with a program status word (PSW) protection key between 0 through 7.
- Runs with a userid that has special security privileges within the ACP.

has been approved under the Common Criteria, NIAP, or FIPS evaluation and validation requirements specified in CNSSP No. 11 and DODD 8500.1, or has received DAA approval.
