STIGQter: STIG Summary: IBM z/OS TSS Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021:

Duplicated IBM z/OS sensitive utilities and/or programs must not exist in APF libraries.

DISA Rule

SV-223997r561402_rule

Vulnerability Number

V-223997

Group Title

SRG-OS-000095-GPOS-00049

Rule Version

TSS0-OS-000010

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Review and ensure that duplicate sensitive utility(ies) and/or program(s) do not exist in APF-authorized libraries. Identify all versions of the sensitive utilities contained in APF-authorized libraries listed in the above check. In cases where duplicates exist, ensure no exposure has been created and written justification has been filed with the ISSO.

Comparisons among all the APF libraries will be done to ensure that an exposure is not created by the existence of identically named modules. Address any sensitive utility concerns so that the function can be restricted as required.

Check Contents

From an ISPF Command line enter:
TSO ISRDDN APF

An APF List results. On the Command line enter:
DUPlicates (Make sure there is appropriate access. If there is not, you may receive insufficient access errors.)

If any of the list of Sensitive Utilities exist in the duplicate APF modules returned, this is a finding.

The following list contains Sensitive Utilities that will be checked.

AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP
BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL
CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP
HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT
IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE
IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS
L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV
TMSREMOV TMSTPNIT TMSUDSNB

Vulnerability Number

V-223997

Documentable

False

Rule Version

TSS0-OS-000010

Severity Override Guidance

From an ISPF Command line enter:
TSO ISRDDN APF

An APF List results. On the Command line enter:
DUPlicates (Make sure there is appropriate access. If there is not, you may receive insufficient access errors.)

If any of the list of Sensitive Utilities exist in the duplicate APF modules returned, this is a finding.

The following list contains Sensitive Utilities that will be checked.

AHLGTF AMASPZAP AMAZAP AMDIOCP AMZIOCP
BLSROPTR CSQJU003 CSQJU004 CSQUCVX CSQUTIL
CSQ1LOGP DEBE DITTO FDRZAPOP GIMSMP
HHLGTF ICKDSF ICPIOCP IDCSC01 IEHINITT
IFASMFDP IGWSPZAP IHLGTF IMASPZAP IND$FILE
IOPIOCP IXPIOCP IYPIOCP IZPIOCP WHOIS
L052INIT TMSCOPY TMSFORMT TMSLBLPR TMSMULV
TMSREMOV TMSTPNIT TMSUDSNB

Check Content Reference

M

Target Key

4102

Comments