IBM Support

OA46742: UNABLE TO SUPPRESS OR CUSTOMIZE STANDARD COMPLIANCE SETS SHIPPED WITH ZSECURE AUDIT.

A fix is available

Obtain the fix for this APAR.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Unable to suppress or customize standard compliance sets shipped
with zSecure Audit.

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED: Users of zSecure Audit exploiting the        *
*                 Compliance Testing Framework (interactive    *
*                 option AU.R).                                *
****************************************************************
* PROBLEM DESCRIPTION: The zSecure Audit Compliance Testing    *
*                      Framework (STIG subset) might use more  *
*                      storage than intended. Users might      *
*                      also find it impossible to suppress     *
*                      existing compliance rules or add new    *
*                      ones without editing the related CARLa  *
*                      members.                                *
****************************************************************
* RECOMMENDATION: Apply the PTF provided.                      *
****************************************************************
This APAR addresses following issues related to the zSecure
Audit Compliance Testing Framework:
 - STIG subset compliance report uses more storage than
   intended;
 - a customization support to suppress existing rules or add new
   ones was added in zSecure 2.1.1, but oddly requires users to
   edit the corresponding CARLa members, which is not intended;
 - prerequisites to run the PCI-DSS subset are not clearly
   documented;
 - use of the CKACUST(CLASSIFY) member is also not properly
   documented;
 - ABENDU0991 might be issued when RESOURCE_LOCATION field from
   the newlist type RACF_ACCESS is referenced;
 - Domain merge between racf_access and cics_program produces
   invalid resource ?CPGM?;
 - VTAM_APPL produces ?VTAP?;
 - STIG Control CKAGR690  produces duplicate records;
 - MSGCKR0424 04 Warning has ambiguous AND/OR usage;
 - CKAGC040 selection doesn't produce results;
 - CKAGC260/350 should use CLASS=FACILITY within domain;
 - PCI 7.2.2 (CKAPB722) incomplete when included to PCI subset;

    



Problem conclusion


    

  • The zSecure Audit Compliance Testing Framework has been modified
so that:
 - STIG subset compliance report uses less storage;
 - CKACUST members are added to provide customization support.
   Run the updated CKAZCUST sample job in the SCKRSAMP library
   to allocate the new %%%%@INS and %%%%@IDF members and use
   them to suppress existing rules or add new ones to the
   supported standards;
 - the SUPPRESS and SIMULATE CARLa command are now allowed
   within a STANDARD/ENDSTANDARD block, to SUPPRESS rule/rule
   sets and to SIMULATE sensitive resources in the scope of a
   defined standard;
 - CPGM objects are now resolved with CLASS 'CICSProg' and
   the program name as RESOURCE;
 - VTAP objects are now resolved with CLASS 'VTAMAPPL' and the
   LU name as RESOURCE;
 - raclist_merge=no added to the emergency_oper DOMAIN to
   prevent generation of duplicate records;
 - fixed CKR0424 warning message in CKAGCI41 control;
 - CKAG@DEF: Now includes SIMULATE statements to populate
   CKAGC020, CKAGC030, CKAGC040, and CKAGC050 domains;
 - CKAGC260, CKAGC350: Domains are now restricted to select
   CLASS=FACILITY to avoid conflicts with SIMULATE commands;
 - the PCI 7.2.2 CKAPB722 control member is now fully included;
211Y
C2AG@6
C2AP@20

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    OA46742
    • 

  • Reported component name
    AUDIT-R,A,T ACF
    • 

  • Reported component ID
    5655T0200
    • 

  • Reported release
    211
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2014-12-15
    • 

  • Closed date
    2014-12-17
    • 

  • Last modified date
    2015-01-02
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    
OA46727
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
UA75889
    

    • 



Modules/Macros


    

  •    C2AG@6   C2AP@20

    



Fix information


    

  • Fixed component name
    AUDIT-R,A,T ACF
    • 

  • Fixed component ID
    5655T0200
    • 



Applicable component levels


    

  • R211  PSY  UA75889
       UP14/12/18  P  F412
    • 



Fix is available


    

  • Select the PTF appropriate for your component level.
You will be required to sign in. Distribution on physical
media is not available in all countries.
    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSRQGZ","label":"IBM Security zSecure Audit for ACF2"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"211","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 January 2015
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback