A fix is available
APAR status
Closed as program error.
Error description
Cannot make the two rules (RACF0590/CKAGR590 and ZJES0060/CKAGJE60) compliant at the same time. - RACF0590 uses PRODAUDT to hold a list of IDs with discrete surrogate profiles, ie the ID part of am <ID>.SUBMIT profile in the SURROGAT class. - ZJES0060 uses PRODAUDT to hold a list of IDs which are permitted to be on the ACL of <ID>.SUBMIT profiles, eg TWS or similar. These groups are distinct, so if PRODAUDT is populated with a list of discrete surrogate profile IDs, then RACF0590 is compliant but ZJES0060 is non-compliant. If it's populated with a list of authorised job submitters, then it's the other way round, ie ZJES0060 is compliant but RACF0590 is non-compliant.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: Users of zSecure Audit exploiting STIG * * compliance rules ZJES0060, RACF0710, and * * PCI-DSS compliance rule 7.2.3. * **************************************************************** * PROBLEM DESCRIPTION: The zSecure Audit STIG compliance rule * * ZJES0060 might produce an incorrect * * result. The compliance rule RACF0710 * * has a typo in its caption. Invoking * * the PCI-DSS compliance rule 7.2.3 * * results in MSGCKR2445. * **************************************************************** * RECOMMENDATION: Apply the PTF provided. * **************************************************************** The zSecure Audit Compliance Testing framework has following issues: - the STIG compliance rule ZJES0060 (Surrogate users must be controlled in accordance with proper security requirements) uses the same ID customization member as the STIG compliance rule RACF0590 (RACF batch jobs must be properly secured) resulting in an compliance conflict between these to rules; - the STIG compliance rule has a typo in its caption; - running PCI-DSS compliance rule 7.2.3 results in MSGCKR2445 which states "SET(7.2.3_default_access) has been specified, but no RULE_SET 7.2.3_default_access exists";
Problem conclusion
zSecure Audit has been modified, so that the issues addressed by this APAR are resolved. Please note the documentation changes as specified by the APAR tracking comment data. 211Y 220Y CKAG@DEF CKAGJE60 CKAGR710 CKAIRULE CKAPC723 CKAZCUST
Temporary fix
Comments
APAR Information
APAR number
OA49262
Reported component name
AUDIT-R,A,T ACF
Reported component ID
5655T0200
Reported release
211
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-11-03
Closed date
2016-02-03
Last modified date
2016-03-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
UA80573 UA80574
Modules/Macros
CKAG@DEF CKAGJE60 CKAGR710 CKAIRULE CKAPC723 CKAZCUST
Fix information
Fixed component name
ZSEC BASE,ADMIN
Fixed component ID
5655T0100
Applicable component levels
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSPQTM","label":"IBM Security zSecure Admin"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"211","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Document Information
Modified date:
16 August 2024