IBM Support

OA50673: A GSD FINDING TAKES PLACE EVEN WHEN BUSINESS RULES ARE MORE STRINGENT THAN THE RECOMMENDATION

A fix is available


APAR status

  • Closed as program error.

Error description

  • zSecure is reporting non-compliance for items that are more
    secure than what is required, i.e., if UACC is required to be
    READ, it is reporting non-compliance for resources with
    UACC(NONE).
    
    An example is F.1.8.63. The profile for MVS.UNKNOWN has
    UACC(NONE) and ALL(READ) and both are being flagged as
    non-compliant with the description being "OPERCMDS MVS.UNKNOWN
    should have UACC(READ) and AUDIT (ALL(UPDATE))".
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting the        *
    *                 GSD compliance rule sets F.1.1.1, F.1.1.2,   *
    *                 F.1.1.6, F.1.8.32, F.1.8.35, F.1.8.63, and   *
    *                 the RACF STIG control RACF0440.              *
    ****************************************************************
    * PROBLEM DESCRIPTION: The zSecure Audit GSD compliance rule   *
    *                      sets F.1.1.1, F.1.1.2, F.1.1.6,         *
    *                      F.1.8.32, F.1.8.35, F.1.8.63, and the   *
    *                      RACF STIG control RACF0440 might        *
    *                      report false non-compliant results.     *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    The following GSD compliance rule sets might report false
    non-compliant results:
    
     - F.1.1.1: RACF SETROPTS PASSWORD(INTERVAL) must be 1 to 90
                days.
     - F.1.1.2: RACF SETROPTS PASSWORD(HISTORY) must be at least 8.
     - F.1.1.6: PASSWORD INACTIVE must be 1 to 180 days.
     - F.1.8.32: FACILITY STGADMIN.ARC.ENDUSER.** must have
                 UACC(READ).
     - F.1.8.35: FACILITY STGADMIN.IGG.DELGDG.FORCE must have
                 UACC(READ).
     - F.1.8.63: OPERCMDS MVS.UNKNOWN must have UACC(READ) and
                 AUDIT(ALL(UPDATE)).
    
    The RACF STIG control RACF0440 (The PASSWORD(INTERVAL) SETROPTS
    value must be set to 60 days) might also report false
    non-compliant results.
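
The difference between an exact-match test and a bound test for the rules listed above, as an added Python illustration (not zSecure or CARLa code, and not taken from the PTF). It assumes, per the APAR title, that a value more stringent than the recommendation should pass; the function names and the equality-based `naive_f1863` are hypothetical.

```python
# Added illustration; not zSecure code. Rule semantics are assumptions
# drawn from the APAR text: "more stringent than required" must pass.
# RACF access levels in their standard order, least to most permissive.
ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def rank(level):
    return ACCESS.index(level.upper())

def uacc_ok(actual, ceiling):
    """UACC passes when it grants no more than the rule's value."""
    return rank(actual) <= rank(ceiling)

def audit_ok(actual, required):
    """AUDIT(ALL(level)) logs attempts at `level` and above, so a lower
    level logs a superset of what the rule asks for."""
    return rank(actual) <= rank(required)

def in_range(value, low, high):
    return low <= value <= high

def check_f1863(uacc, audit_all):
    """F.1.8.63 for OPERCMDS MVS.UNKNOWN, evaluated as bounds."""
    return [("UACC", uacc_ok(uacc, "READ")),
            ("AUDIT", audit_ok(audit_all, "UPDATE"))]

def naive_f1863(uacc, audit_all):
    """Exact-match test: yields the same false finding the APAR describes."""
    return [("UACC", uacc == "READ"), ("AUDIT", audit_all == "UPDATE")]

def check_setropts(interval, history, inactive):
    """F.1.1.1, F.1.1.2 and F.1.1.6 with the bounds listed in the APAR."""
    return {"F.1.1.1": in_range(interval, 1, 90),
            "F.1.1.2": history >= 8,
            "F.1.1.6": in_range(inactive, 1, 180)}

if __name__ == "__main__":
    # Constructed sample: the MVS.UNKNOWN profile from the error description.
    print(naive_f1863("NONE", "READ"))      # both flagged
    print(check_f1863("NONE", "READ"))      # both pass
    print(check_f1863("UPDATE", "CONTROL")) # weaker than the rule, both fail
    print(check_setropts(interval=30, history=32, inactive=60))
```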
    

Problem conclusion

  • zSecure Audit has been modified so that the GSD compliance rule
    sets F.1.1.1, F.1.1.2, F.1.1.6, F.1.8.32, F.1.8.35, F.1.8.63,
    and the RACF STIG control RACF0440 produce reports according to
    GSD and RACF STIG specifications.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA50673

  • Reported component name

    AUDIT-R,A,T ACF

  • Reported component ID

    5655T0200

  • Reported release

    211

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-06-07

  • Closed date

    2016-07-11

  • Last modified date

    2016-08-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA82206 UA82207

Modules/Macros

  •    CKAGR440 CKAO111  CKAO112  CKAO116  CKAO1832
    CKAO1835 CKAO1863
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R211 PSY UA82206

       UP16/07/12 P F607

  • R220 PSY UA82207

       UP16/07/12 P F607

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
02 August 2016