IBM Support

OA51294: CKAPC711 ALTER_RE_EXIST AND ALTER_DA_EXIST DO NOT LIST ALL INSECURE PROFILES AS NON-COMPLIANT.

A fix is available

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CKAPC711 alter_re_exist and alter_da_exist must list all the
    insecure profiles as NON-COMPLIANT as opposed to just showing
    the total number of insecure profiles.
    

Local fix

  • Not Applicable
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting the        *
    *                 PCI-DSS compliance rule set 7.1.1.           *
    ****************************************************************
    * PROBLEM DESCRIPTION: The zSecure Audit PCI-DSS compliance    *
    *                      rule set 7.1.1 produces incorrect       *
    *                      output.                                 *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    The PCI-DSS compliance rule set 7.1.1 (Access rights for
    privileged user IDs must be restricted to least privileges to
    perform job responsibilities) produces incorrect output so that:
     - an excessive number of duplicate non-compliant entries is
       reported by the rule test 2b.alter_re_profile.
     - unsecure profiles are not reported as non-compliant by the
       rule test 2a.alter_re_exist.
     - unsecure discrete data set profiles with ALTER authority
       are not reported as non-compliant by the rule test
       1b.alter_da_profile.
    

Problem conclusion

  • zSecure Audit has been modified so that the PCI-DSS compliance
    rule set 7.1.1 produces the correct output.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA51294

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    220

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-09-19

  • Closed date

    2016-11-08

  • Last modified date

    2016-12-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA83274

Modules/Macros

  •    CKAPC711
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R220 PSY UA83274

       UP16/11/10 P F611

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

[{"Business Unit":{"code":"BU048","label":"IBM Software"}, "Product":{"code":"SSCE68R","label":"zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"220","Edition":""}]

Document Information

Modified date:
01 December 2016