STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: A CMP (Change Management Process) is not being utilized on this system.

DISA Rule

SV-82r2_rule

Vulnerability Number

V-82

Group Title

AAMV0010

Rule Version

AAMV0010

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

The systems programmer responsible for supporting changes to the software will ensure that all changes and updates are tracked and maintained using a CMP. Obtain or locate all applicable SMP/E data sets (e.g., CSI, PTS). Ensure that all entries contained in the SMP/E configuration match the operating system environment. Verify with the systems programmer that the components of the operating system are controlled through a CMP.
Note: Many systems are created from a base system that is controlled by a change management program. Be sure to note that the system has been maintained based on this process.

Check Contents

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(SMPERPT)

b) Invoke the CA-EXAMINE application from within ISPF/PDF. This is typically done by executing %EXAMINE from ISPF/PDF option 6.

From the CA-EXAMINE primary menu, enter 2.3.3 on the command line to display the INSTALLED PRODUCTS SELECTION menu. Enter a hyphen (-) for all optional search criteria fields and a valid SMP/E CSI name. Repeat this step for all applicable SMP/E CSI names.

NOTE 1: CSI names can be obtained from the SMPERPT report or by leaving the CSI name field blank and allowing CA-EXAMINE to compile a list of cataloged CSI data sets from which to choose.

NOTE 2: SMP/E CSIs may not be present on this domain. If the site uses another domain to install products via SMP/E, and then copies the SMP/E product installation libraries to this domain, this is acceptable.

Review the domain where the SMP/E environment resides and compare it against the domain being reviewed for compliance.

The z/OS vendor recommends that all products capable of installation via IBM’s SMP/E process be installed and maintained using that process.

c) If the entries contained in the SMP/E CSIs accurately reflect the operating system software environment, there is NO FINDING.

d) If the entries contained in the SMP/E CSIs do not accurately reflect the operating system software environment, this is a FINDING.

Documentable

False

Severity Override Guidance

a) Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(SMPERPT)

b) Invoke the CA-EXAMINE application from within ISPF/PDF. This is typically done by executing %EXAMINE from ISPF/PDF option 6.

From the CA-EXAMINE primary menu, enter 2.3.3 on the command line to display the INSTALLED PRODUCTS SELECTION menu. Enter a hyphen (-) for all optional search criteria fields and a valid SMP/E CSI name. Repeat this step for all applicable SMP/E CSI names.

NOTE 1: CSI names can be obtained from the SMPERPT report or by leaving the CSI name field blank and allowing CA-EXAMINE to compile a list of cataloged CSI data sets from which to choose.

NOTE 2: SMP/E CSIs may not be present on this domain. If the site uses another domain to install products via SMP/E, and then copies the SMP/E product installation libraries to this domain, this is acceptable.

Review the domain where the SMP/E environment resides and compare it against the domain being reviewed for compliance.

The z/OS vendor recommends that all products capable of installation via IBM’s SMP/E process be installed and maintained using that process.

c) If the entries contained in the SMP/E CSIs accurately reflect the operating system software environment, there is NO FINDING.

d) If the entries contained in the SMP/E CSIs do not accurately reflect the operating system software environment, this is a FINDING.

Check Content Reference

M

Responsibility

Systems Programmer

Target Key

106

Comments