OA46727: UNABLE TO SUPPRESS OR CUSTOMIZE STANDARD COMPLIANCE SETS SHIPPED WITH ZSECURE AUDIT.

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Unable to suppress or customize standard compliance sets shipped
  with zSecure Audit.
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of zSecure Audit exploiting the        *
  *                 Compliance Testing Framework (interactive    *
  *                 option AU.R).                                *
  ****************************************************************
  * PROBLEM DESCRIPTION: The zSecure Audit Compliance Testing    *
  *                      Framework (STIG subset) might use more  *
  *                      storage than intended. Users might      *
  *                      also find it impossible to suppress     *
  *                      existing compliance rules or add new    *
  *                      ones without editing the related CARLa  *
  *                      members.                                *
  ****************************************************************
  * RECOMMENDATION: Apply the PTF provided.                      *
  ****************************************************************
  This APAR addresses following issues related to the zSecure
  Audit Compliance Testing Framework:
   - STIG subset compliance report uses more storage than
     intended;
   - a customization support to suppress existing rules or add new
     ones was added in zSecure 2.1.1, but oddly requires users to
     edit the corresponding CARLa members, which is not intended;
   - prerequisites to run the PCI-DSS subset are not clearly
     documented;
   - use of the CKACUST(CLASSIFY) member is also not properly
     documented;
   - ABENDU0991 might be issued when RESOURCE_LOCATION field from
     the newlist type RACF_ACCESS is referenced;
   - Domain merge between racf_access and cics_program produces
     invalid resource ?CPGM?;
   - VTAM_APPL produces ?VTAP?;
   - STIG Control CKAGR690  produces duplicate records;
   - MSGCKR0424 04 Warning has ambiguous AND/OR usage;
   - CKAGC040 selection doesn't produce results;
   - CKAGC260/350 should use CLASS=FACILITY within domain;
   - PCI 7.2.2 (CKAPB722) incomplete when included to PCI subset;
  

Problem conclusion

• The zSecure Audit Compliance Testing Framework has been modified
  so that:
   - STIG subset compliance report uses less storage;
   - CKACUST members are added to provide customization support.
     Run the updated CKAZCUST sample job in the SCKRSAMP library
     to allocate the new %%%%@INS and %%%%@IDF members and use
     them to suppress existing rules or add new ones to the
     supported standards;
   - the SUPPRESS and SIMULATE CARLa command are now allowed
     within a STANDARD/ENDSTANDARD block, to SUPPRESS rule/rule
     sets and to SIMULATE sensitive resources in the scope of a
     defined standard;
   - CPGM objects are now resolved with CLASS 'CICSProg' and
     the program name as RESOURCE;
   - VTAP objects are now resolved with CLASS 'VTAMAPPL' and the
     LU name as RESOURCE;
   - raclist_merge=no added to the emergency_oper DOMAIN to
     prevent generation of duplicate records;
   - fixed CKR0424 warning message in CKAGCI41 control;
   - CKAG@DEF: Now includes SIMULATE statements to populate
     CKAGC020, CKAGC030, CKAGC040, and CKAGC050 domains;
   - CKAGC260, CKAGC350: Domains are now restricted to select
     CLASS=FACILITY to avoid conflicts with SIMULATE commands;
   - the PCI 7.2.2 CKAPB722 control member is now fully included;
  
  PLEASE NOTE the documentation changes as specified in the APAR
  tracking comment data.
  211Y
  CKAG@DEF
  CKAG@6
  CKAGCI10
  CKAGCI30
  CKAGCI41
  CKAGC010
  CKAGC060
  CKAGC070
  CKAGC080
  CKAGC110
  CKAGC120
  CKAGC130
  CKAGC135
  CKAGC150
  CKAGC180
  CKAGC230
  CKAGC250
  CKAGC260
  CKAGC350
  CKAGHC01
  CKAGIC01
  CKAGR680
  CKAGR690
  CKAGR760
  CKAGTC70
  CKAGWM54
  CKAGZU22
  CKAO@20C
  CKAOUCMP
  CKAP@DEF
  CKAP@20
  CKAPB722
  CKAZCUST
  CKRDB2R
  CKRINPZ
  CKROURAC
  CKTG@6
  C2PEPCIM
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  OA46742 UA75888

Modules/Macros

•    CKAG@DEF CKAG@6   CKAGCI10 CKAGCI30 CKAGCI41
  CKAGC010 CKAGC060 CKAGC070 CKAGC080 CKAGC110 CKAGC120 CKAGC130
  CKAGC135 CKAGC150 CKAGC180 CKAGC230 CKAGC250 CKAGC260 CKAGC350
  CKAGHC01 CKAGIC01 CKAGR680 CKAGR690 CKAGR760 CKAGTC70 CKAGWM54
  CKAGZU22 CKAO@20C CKAOUCMP CKAP@DEF CKAP@20  CKAPB722 CKAZCUST
  CKRDB2R  CKRINPZ  CKROURAC CKTG@6   C2PEPCIM
  

Fix information

• Fixed component name

  ZSEC BASE,ADMIN

• Fixed component ID

  5655T0100

Applicable component levels

• R211 PSY UA75888

     UP14/12/18 P F412

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.