Installations using APF authorization must control which programs
are stored in authorized libraries and in the link pack area (pageable
LPA, modified LPA, fixed LPA, and dynamic LPA). If the first module
in a program sequence is authorized, the system assumes that the flow
of control to all subsequent modules is known and secure as long as
these subsequent modules come from authorized libraries or the link
pack area. To ensure that this assumption is valid, the installation
should:
- Ensure that all programs that run as authorized programs adhere
to the installation's integrity guidelines.
- Ensure that no two load modules with the same name exist across
the set of authorized libraries or the link pack area. Two modules
with the same name could lead to accidental or deliberate mix-up in
module flow, possibly introducing an integrity exposure.
- Link edit with the authorization code (AC=1) only the first load
module in a program sequence. Do not use the authorization code for
subsequent load modules, thus ensuring that a user cannot call modules
out of sequence, or bypass validity checking or critical logic flow.
IBM® recommends that you protect the libraries in the APF list with a
security product, such as RACF®, and ensure that only appropriate users
with system maintenance responsibilities can update these libraries.
You should also apply similar controls to any library that contributes
modules to the link pack area (pageable LPA, modified LPA, fixed LPA,
or dynamic LPA) and to any libraries specified in RACF PROGRAM profiles.
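
The duplicate-name and AC=1 guidelines in the list above can be checked mechanically once the installation has an inventory of its authorized and LPA libraries. The following is an added example, not IBM code: the inventory format, the library and module names, and the list of entry modules are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory (not real system output). Assumed format,
# one module per line: <library> <member> <AC value from link edit>
SAMPLE_INVENTORY = """\
EXAMPLE.APF.LOADLIB   PAYMAIN   1
EXAMPLE.APF.LOADLIB   PAYSUB1   0
EXAMPLE.APF.LOADLIB   PAYSUB2   1
EXAMPLE.APF.VENDLIB   PAYSUB1   0
EXAMPLE.LPA.LOADLIB   RPTMAIN   1
EXAMPLE.LPA.LOADLIB   rptfmt    0
"""

# Assumed installation-maintained list of modules that start a program sequence.
SAMPLE_ENTRY_MODULES = {"PAYMAIN", "RPTMAIN"}


def parse_inventory(text):
    """Return (library, member, ac) tuples; skip blank and '*' comment lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("*"):
            continue
        if len(fields) != 3 or not fields[2].isdigit():
            raise ValueError(f"line {lineno}: expected '<library> <member> <AC>'")
        rows.append((fields[0].upper(), fields[1].upper(), int(fields[2])))
    return rows


def audit(rows, entry_modules):
    """Check the two module-level guidelines against the inventory."""
    libs_by_member = defaultdict(set)
    for lib, member, _ in rows:
        libs_by_member[member].add(lib)
    # Same module name present in more than one authorized/LPA library.
    duplicates = {m: sorted(l) for m, l in libs_by_member.items() if len(l) > 1}
    # AC=1 on a module that is not the first module of a program sequence.
    unexpected_ac1 = sorted(
        (lib, m) for lib, m, ac in rows if ac == 1 and m not in entry_modules
    )
    return duplicates, unexpected_ac1


if __name__ == "__main__":
    dups, bad_ac = audit(parse_inventory(SAMPLE_INVENTORY), SAMPLE_ENTRY_MODULES)
    for member, libs in sorted(dups.items()):
        print(f"duplicate name {member}: {', '.join(libs)}")
    for lib, member in bad_ac:
        print(f"unexpected AC=1: {lib}({member})")
```

Each finding is a prompt for review against the installation's integrity guidelines, not proof of an exposure on its own.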