OA67662: INCORRECT NON-COMPLIANT FINDING FOR CIS-OS-2.1.9 BECAUSE THE KEY_LABEL FIELD IS MISSING

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Incorrect non-compliant finding for CIS-OS-2.1.9 because the
  key_label field is missing.
  
  This results in a non-compliant finding for goal
  3.rrsf_dsn_encrypted.
  This can happen when using a combination of SHARED=YES and
  SHARED=NO CKFREEZE files and the RRSF datasets belong to the
  system with the SHARED=NO CKFREEZE.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of zSecure Audit exploiting:           *
  *                                                              *
  *                  o RACF z/OS compliance control              *
  *                    CIS-OS-2.1.9.                             *
  *                  o 'Data Set Names report' (newlist type     *
  *                    DSN).                                     *
  *                  o 'Sensitive Data Set Names' report         *
  *                    (newlist type SENSDSN).                   *
  ****************************************************************
  * PROBLEM DESCRIPTION: zSecure Audit's RACF z/OS CIS-OS-2.1.9  *
  *                      compliance control might report         *
  *                      incorrect non-compliant results. The    *
  *                      KEY_LABEL field of newlist types        *
  *                      DSN/SENSDSN might be incorrectly        *
  *                      reported as empty.                      *
  ****************************************************************
  * RECOMMENDATION: Apply the PTF provided.                      *
  ****************************************************************
  When sensitive data sets reside on volumes shared between
  systems, the KEY_LABEL field of newlist types DSN/SENSDSN might
  be incorrectly reported as empty. As result, the zSecure
  Audit's RACF z/OS CIS-OS-2.1.9 compliance control might report
  incorrect non-compliant results.
  

Problem conclusion

• zSecure Audit has been modified, so that it handles sensitive
  data set information properly for data sets on shared volumes.
  The KEY_LABEL field of newlist types DSN/SENSDSN is reported
  correctly for such data sets and the  RACF z/OS CIS-OS-2.1.9
  compliance control generates proper results.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UJ97101

Modules/Macros

• CKAOUDSN CKAOUSEN CKAOUTRU CKASEND  CKASMFI  CKRCFV   GKRCFV
  GKROUDSN GKROUSEN GKROUTRU GKRSEND  GKRSMFI
  

Fix information

• Fixed component name

  ZSEC BASE,ADMIN

• Fixed component ID

  5655T0100

Applicable component levels

• R310 PSY UJ97101

     UP25/05/10 I 1000

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.