A fix is available
APAR status
Closed as program error.
Error description
Unable to suppress or customize standard compliance sets shipped with zSecure Audit.
Local fix
Problem summary
USERS AFFECTED: Users of zSecure Audit exploiting the Compliance Testing Framework (interactive option AU.R).
PROBLEM DESCRIPTION: The zSecure Audit Compliance Testing Framework (STIG subset) might use more storage than intended. Users might also find it impossible to suppress existing compliance rules or add new ones without editing the related CARLa members.
RECOMMENDATION: Apply the PTF provided.
This APAR addresses the following issues related to the zSecure Audit Compliance Testing Framework:
- The STIG subset compliance report uses more storage than intended.
- Customization support to suppress existing rules or add new ones was added in zSecure 2.1.1, but oddly requires users to edit the corresponding CARLa members, which is not intended.
- Prerequisites to run the PCI-DSS subset are not clearly documented.
- Use of the CKACUST(CLASSIFY) member is also not properly documented.
- ABENDU0991 might be issued when the RESOURCE_LOCATION field from the newlist type RACF_ACCESS is referenced.
- Domain merge between racf_access and cics_program produces invalid resource ?CPGM?.
- VTAM_APPL produces ?VTAP?.
- STIG Control CKAGR690 produces duplicate records.
- MSGCKR0424 04 Warning has ambiguous AND/OR usage.
- CKAGC040 selection doesn't produce results.
- CKAGC260/350 should use CLASS=FACILITY within domain.
- PCI 7.2.2 (CKAPB722) is incomplete when included in the PCI subset.
Problem conclusion
The zSecure Audit Compliance Testing Framework has been modified so that:
- The STIG subset compliance report uses less storage.
- CKACUST members are added to provide customization support. Run the updated CKAZCUST sample job in the SCKRSAMP library to allocate the new %%%%@INS and %%%%@IDF members and use them to suppress existing rules or add new ones to the supported standards.
- The SUPPRESS and SIMULATE CARLa commands are now allowed within a STANDARD/ENDSTANDARD block, to SUPPRESS rules or rule sets and to SIMULATE sensitive resources in the scope of a defined standard.
- CPGM objects are now resolved with CLASS 'CICSProg' and the program name as RESOURCE.
- VTAP objects are now resolved with CLASS 'VTAMAPPL' and the LU name as RESOURCE.
- raclist_merge=no is added to the emergency_oper DOMAIN to prevent generation of duplicate records.
- The CKR0424 warning message in the CKAGCI41 control is fixed.
- CKAG@DEF now includes SIMULATE statements to populate the CKAGC020, CKAGC030, CKAGC040, and CKAGC050 domains.
- CKAGC260, CKAGC350: Domains are now restricted to select CLASS=FACILITY to avoid conflicts with SIMULATE commands.
- The PCI 7.2.2 CKAPB722 control member is now fully included.
211Y C2AG@6 C2AP@20
Temporary fix
Comments
APAR Information
APAR number
OA46742
Reported component name
AUDIT-R,A,T ACF
Reported component ID
5655T0200
Reported release
211
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-12-15
Closed date
2014-12-17
Last modified date
2015-01-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA75889
Modules/Macros
C2AG@6 C2AP@20
Fix information
Fixed component name
AUDIT-R,A,T ACF
Fixed component ID
5655T0200
Applicable component levels
R211 PSY UA75889
UP14/12/18 P F412
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
Document Information
Modified date:
02 January 2015