IBM Support

OA49262: CONFIGURATION OF PRODAUDT FOR STIG CHECKS FOR RACF0590 AND ZJES0060 IS CAUSING A FINDING WHEN IT SHOULD NOT

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Cannot make the two rules (RACF0590/CKAGR590 and
    ZJES0060/CKAGJE60) compliant at the same time.
    - RACF0590 uses PRODAUDT to hold a list of IDs with discrete
    surrogate
    profiles, ie the ID part of am <ID>.SUBMIT profile in the
    SURROGAT
    class.
    - ZJES0060 uses PRODAUDT to hold a list of IDs which are
    permitted to
    be on the ACL of <ID>.SUBMIT profiles, eg TWS or similar.
    These groups are distinct, so if PRODAUDT is populated with a
    list of
    discrete surrogate profile IDs, then RACF0590 is compliant but
    ZJES0060
    is non-compliant. If it's populated with a list of authorised
    job
    submitters, then it's the other way round, ie ZJES0060 is
    compliant but
    RACF0590 is non-compliant.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting STIG       *
    *                 compliance rules ZJES0060, RACF0710, and     *
    *                 PCI-DSS compliance rule 7.2.3.               *
    ****************************************************************
    * PROBLEM DESCRIPTION: The zSecure Audit STIG compliance rule  *
    *                      ZJES0060 might produce an incorrect     *
    *                      result. The compliance rule RACF0710    *
    *                      has a typo in its caption. Invoking     *
    *                      the PCI-DSS compliance rule 7.2.3       *
    *                      results in MSGCKR2445.                  *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    The zSecure Audit Compliance Testing framework has following
    issues:
    
     - the STIG compliance rule ZJES0060 (Surrogate users must be
       controlled in accordance with proper security requirements)
       uses the same ID customization member as the STIG compliance
       rule RACF0590 (RACF batch jobs must be properly secured)
       resulting in an compliance conflict between these to rules;
     - the STIG compliance rule has a typo in its caption;
     - running PCI-DSS compliance rule 7.2.3 results in MSGCKR2445
       which states "SET(7.2.3_default_access) has been specified,
       but no RULE_SET 7.2.3_default_access exists";
    

Problem conclusion

  • zSecure Audit has been modified, so that the issues addressed
    by this APAR are resolved. Please note the documentation changes
    as specified by the APAR tracking comment data.
    211Y
    220Y
    CKAG@DEF
    CKAGJE60
    CKAGR710
    CKAIRULE
    CKAPC723
    CKAZCUST
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA49262

  • Reported component name

    AUDIT-R,A,T ACF

  • Reported component ID

    5655T0200

  • Reported release

    211

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-11-03

  • Closed date

    2016-02-03

  • Last modified date

    2016-03-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA80573 UA80574

Modules/Macros

  •    CKAG@DEF CKAGJE60 CKAGR710 CKAIRULE CKAPC723
    CKAZCUST
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R211 PSY UA80573

       UP16/02/04 P F602

  • R220 PSY UA80574

       UP16/02/04 P F602

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSCE68R","label":"zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"211","Edition":""}]

Document Information

Modified date:
03 March 2016