A fix is available
APAR status
Closed as program error.
Error description
Unable to suppress or customize standard compliance sets shipped with zSecure Audit.
Local fix
Problem summary
USERS AFFECTED: Users of zSecure Audit exploiting the Compliance Testing Framework (interactive option AU.R).

PROBLEM DESCRIPTION: The zSecure Audit Compliance Testing Framework (STIG subset) might use more storage than intended. Users might also find it impossible to suppress existing compliance rules or add new ones without editing the related CARLa members.

RECOMMENDATION: Apply the PTF provided.

This APAR addresses the following issues related to the zSecure Audit Compliance Testing Framework:
- STIG subset compliance report uses more storage than intended;
- customization support to suppress existing rules or add new ones was added in zSecure 2.1.1, but oddly requires users to edit the corresponding CARLa members, which is not intended;
- prerequisites to run the PCI-DSS subset are not clearly documented;
- use of the CKACUST(CLASSIFY) member is also not properly documented;
- ABENDU0991 might be issued when the RESOURCE_LOCATION field from the newlist type RACF_ACCESS is referenced;
- Domain merge between racf_access and cics_program produces invalid resource ?CPGM?;
- VTAM_APPL produces ?VTAP?;
- STIG Control CKAGR690 produces duplicate records;
- MSGCKR0424 04 Warning has ambiguous AND/OR usage;
- CKAGC040 selection doesn't produce results;
- CKAGC260/350 should use CLASS=FACILITY within domain;
- PCI 7.2.2 (CKAPB722) incomplete when included in the PCI subset.
Problem conclusion
The zSecure Audit Compliance Testing Framework has been modified so that:
- STIG subset compliance report uses less storage;
- CKACUST members are added to provide customization support. Run the updated CKAZCUST sample job in the SCKRSAMP library to allocate the new %%%%@INS and %%%%@IDF members and use them to suppress existing rules or add new ones to the supported standards;
- the SUPPRESS and SIMULATE CARLa commands are now allowed within a STANDARD/ENDSTANDARD block, to SUPPRESS rules or rule sets and to SIMULATE sensitive resources in the scope of a defined standard;
- CPGM objects are now resolved with CLASS 'CICSProg' and the program name as RESOURCE;
- VTAP objects are now resolved with CLASS 'VTAMAPPL' and the LU name as RESOURCE;
- raclist_merge=no added to the emergency_oper DOMAIN to prevent generation of duplicate records;
- fixed CKR0424 warning message in CKAGCI41 control;
- CKAG@DEF: Now includes SIMULATE statements to populate CKAGC020, CKAGC030, CKAGC040, and CKAGC050 domains;
- CKAGC260, CKAGC350: Domains are now restricted to select CLASS=FACILITY to avoid conflicts with SIMULATE commands;
- the PCI 7.2.2 CKAPB722 control member is now fully included.

PLEASE NOTE the documentation changes as specified in the APAR tracking comment data.

211Y CKAG@DEF CKAG@6 CKAGCI10 CKAGCI30 CKAGCI41 CKAGC010 CKAGC060 CKAGC070 CKAGC080 CKAGC110 CKAGC120 CKAGC130 CKAGC135 CKAGC150 CKAGC180 CKAGC230 CKAGC250 CKAGC260 CKAGC350 CKAGHC01 CKAGIC01 CKAGR680 CKAGR690 CKAGR760 CKAGTC70 CKAGWM54 CKAGZU22 CKAO@20C CKAOUCMP CKAP@DEF CKAP@20 CKAPB722 CKAZCUST CKRDB2R CKRINPZ CKROURAC CKTG@6 C2PEPCIM
Temporary fix
Comments
APAR Information
APAR number
OA46727
Reported component name
ZSEC BASE,ADMIN
Reported component ID
5655T0100
Reported release
211
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2014-12-12
Closed date
2014-12-17
Last modified date
2015-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
OA46742 UA75888
Modules/Macros
CKAG@DEF CKAG@6 CKAGCI10 CKAGCI30 CKAGCI41 CKAGC010 CKAGC060 CKAGC070 CKAGC080 CKAGC110 CKAGC120 CKAGC130 CKAGC135 CKAGC150 CKAGC180 CKAGC230 CKAGC250 CKAGC260 CKAGC350 CKAGHC01 CKAGIC01 CKAGR680 CKAGR690 CKAGR760 CKAGTC70 CKAGWM54 CKAGZU22 CKAO@20C CKAOUCMP CKAP@DEF CKAP@20 CKAPB722 CKAZCUST CKRDB2R CKRINPZ CKROURAC CKTG@6 C2PEPCIM
Fix information
Fixed component name
ZSEC BASE,ADMIN
Fixed component ID
5655T0100
Applicable component levels
R211 PSY UA75888
UP14/12/18 P F412
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
16 August 2024