STIGQter STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

IBM z/OS must not allow non-existent or inaccessible Link Pack Area (LPA) libraries.

DISA Rule

SV-223563r533198_rule

Vulnerability Number

V-223563

Group Title

SRG-OS-000368-GPOS-00154

Rule Version

ACF2-OS-000270

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Review all entries contained in the LPA members for the actual existence of each library. Develop a plan of action to correct deficiencies.

The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization.

Control over residence in the LPA is specified within the operating system in the following members of the data set SYS1.PARMLIB:

- LPALSTxx specifies the names of libraries to be concatenated to SYS1.LPALIB when the LPA is generated at IPL in an MVS/XA or MVS/ESA system. (The xx is the suffix designated by the LPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL].)

- IEAFIXxx specifies the names of modules from SYS1.SVCLIB, the LPALSTxx concatenation, and the LNKLSTxx concatenation that are to be temporarily fixed in central storage in the Fixed LPA (FLPA) for the duration of an IPL. (The xx is the suffix designated by the FIX parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)

- IEALPAxx specifies the names of modules that will be loaded from the following:

? SYS1.SVCLIB
? The LPALSTxx concatenation
? The LNKLSTxx concatenation as a temporary extension to the existing Pageable

LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)

Use the following recommendations and techniques to control the exposures created by the LPA facility:

-The LPALSTxx, IEAFIXxx, and IEALPAxx members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all non-existent libraries. The ISSO should modify and/or delete the rules associated with these libraries.

Check Contents

From and ISPF Command line enter:
TSO ISRDDN LPA

Review the list.

If there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.

Vulnerability Number

V-223563

Documentable

False

Rule Version

ACF2-OS-000270

Severity Override Guidance

From and ISPF Command line enter:
TSO ISRDDN LPA

Review the list.

If there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.

Check Content Reference

M

Target Key

4100

Comments