STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: IBM z/OS RACF Security Technical Implementation Guide Version: 8 Release: 3 Benchmark Date: 23 Apr 2021:SV-223783r604139_rule
V-223783
SRG-OS-000368-GPOS-00154
RACF-OS-000270
CAT II
10
Review all entries contained in the LPA members for the actual existence of each library. Develop a plan of action to correct deficiencies.
The system Link Pack Area (LPA) is the component of MVS that maintains core operating system functions resident in main storage. A security concern exists when libraries from which LPA modules are obtained require APF authorization.
Control over residence in the LPA is specified within the operating system in the following members of the data set SYS1.PARMLIB:
-LPALSTxx specifies the names of libraries to be concatenated to SYS1.LPALIB when the LPA is generated at IPL in an MVS/XA or MVS/ESA system. (The xx is the suffix designated by the LPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at system initial program load [IPL].)
-IEAFIXxx specifies the names of modules from SYS1.SVCLIB, the LPALSTxx concatenation, and the LNKLSTxx concatenation that are to be temporarily fixed in central storage in the Fixed LPA (FLPA) for the duration of an IPL. (The xx is the suffix designated by the FIX parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)
-IEALPAxx specifies the names of modules that will be loaded from the following:
? SYS1.SVCLIB
? The LPALSTxx concatenation
? The LNKLSTxx concatenation as a temporary extension to the existing Pageable
LPA (PLPA) in the Modified LPA (MLPA) for the duration of an IPL. (The xx is the suffix designated by the MLPA parameter in the IEASYSxx member of SYS1.PARMLIB or overridden by the computer operator at IPL.)
Use the following recommendations and techniques to control the exposures created by the LPA facility:
-The LPALSTxx, IEAFIXxx, and IEALPAxx members will contain only required libraries. On a semiannual basis, Software Support should review the volume serial numbers, and should verify them in accordance with the system catalog. Software Support will remove all nonexistent libraries. The ISSO should modify and/or delete the rules associated with these libraries.
From and ISPF Command line enter:
TSO ISRDDN LPA
Review the list, if there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.
V-223783
False
RACF-OS-000270
From and ISPF Command line enter:
TSO ISRDDN LPA
Review the list, if there are any DUMMY entries i.e., inaccessible LPA libraries, this is a finding.
M
4101