STIGQter: STIG Summary: z/OS RACF STIG Version: 6 Release: 43 Benchmark Date: 24 Jan 2020: The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available.

DISA Rule

SV-86r4_rule

Vulnerability Number

V-86

Group Title

AAMV0060

Rule Version

AAMV0060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The IAO working with the systems programmer will ensure that documentation and/or source code are available for AC=1 modules that reside in the APF Authorized libraries.

Documentation for Vendor APF Authorized libraries identifying the integrity and justification will be available. Examples of this type of documentation can be in the form of product installation guides or product system programming guides.

Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification will be available.

A review of the above documentation and/or source will be performed on an annual basis.

Check Contents

Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(APFXRPT)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(AAMV0060)

Verify that AC=1 modules identified in the APF Authorized data sets specified in EXAM.RPT(APFXRPT) have documentation and/or source code. If the following guidance is true, this is not a finding.

___ Documentation for Vendor APF Authorized libraries identifying the integrity and justification is maintained by the IAO.

___ Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification are maintained by the IAO.

___ All Vendor and non-vendor AC=1 modules in APF Authorized libraries will be reviewed on an annual basis.

Documentable

True

Severity Override Guidance

Refer to the following report produced by the z/OS Data Collection:

- EXAM.RPT(APFXRPT)

Automated Analysis requires Additional Analysis.
Refer to the following report produced by the Data Set and Resource Data Collection:

- PDI(AAMV0060)

Verify that AC=1 modules identified in the APF Authorized data sets specified in EXAM.RPT(APFXRPT) have documentation and/or source code. If the following guidance is true, this is not a finding.

___ Documentation for Vendor APF Authorized libraries identifying the integrity and justification is maintained by the IAO.

___ Documentation and source code for non-vendor AC=1 modules in APF Authorized libraries identifying the integrity and justification are maintained by the IAO.

___ All Vendor and non-vendor AC=1 modules in APF Authorized libraries will be reviewed on an annual basis.

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

106
