OA49262: CONFIGURATION OF PRODAUDT FOR STIG CHECKS FOR RACF0590 AND ZJES0060 IS CAUSING A FINDING WHEN IT SHOULD NOT

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Cannot make the two rules (RACF0590/CKAGR590 and
  ZJES0060/CKAGJE60) compliant at the same time.
  - RACF0590 uses PRODAUDT to hold a list of IDs with discrete
  surrogate
  profiles, ie the ID part of am <ID>.SUBMIT profile in the
  SURROGAT
  class.
  - ZJES0060 uses PRODAUDT to hold a list of IDs which are
  permitted to
  be on the ACL of <ID>.SUBMIT profiles, eg TWS or similar.
  These groups are distinct, so if PRODAUDT is populated with a
  list of
  discrete surrogate profile IDs, then RACF0590 is compliant but
  ZJES0060
  is non-compliant. If it's populated with a list of authorised
  job
  submitters, then it's the other way round, ie ZJES0060 is
  compliant but
  RACF0590 is non-compliant.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of zSecure Audit exploiting STIG       *
  *                 compliance rules ZJES0060, RACF0710, and     *
  *                 PCI-DSS compliance rule 7.2.3.               *
  ****************************************************************
  * PROBLEM DESCRIPTION: The zSecure Audit STIG compliance rule  *
  *                      ZJES0060 might produce an incorrect     *
  *                      result. The compliance rule RACF0710    *
  *                      has a typo in its caption. Invoking     *
  *                      the PCI-DSS compliance rule 7.2.3       *
  *                      results in MSGCKR2445.                  *
  ****************************************************************
  * RECOMMENDATION: Apply the PTF provided.                      *
  ****************************************************************
  The zSecure Audit Compliance Testing framework has following
  issues:
  
   - the STIG compliance rule ZJES0060 (Surrogate users must be
     controlled in accordance with proper security requirements)
     uses the same ID customization member as the STIG compliance
     rule RACF0590 (RACF batch jobs must be properly secured)
     resulting in an compliance conflict between these to rules;
   - the STIG compliance rule has a typo in its caption;
   - running PCI-DSS compliance rule 7.2.3 results in MSGCKR2445
     which states "SET(7.2.3_default_access) has been specified,
     but no RULE_SET 7.2.3_default_access exists";
  

Problem conclusion

• zSecure Audit has been modified, so that the issues addressed
  by this APAR are resolved. Please note the documentation changes
  as specified by the APAR tracking comment data.
  211Y
  220Y
  CKAG@DEF
  CKAGJE60
  CKAGR710
  CKAIRULE
  CKAPC723
  CKAZCUST
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UA80573 UA80574

Modules/Macros

•    CKAG@DEF CKAGJE60 CKAGR710 CKAIRULE CKAPC723
  CKAZCUST
  

Fix information

• Fixed component name

  ZSEC BASE,ADMIN

• Fixed component ID

  5655T0100

Applicable component levels

• R211 PSY UA80573

     UP16/02/04 P F602

• R220 PSY UA80574

     UP16/02/04 P F602

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.