STIGQter: STIG Summary: z/OS ACF2 STIG

Version: 6

Release: 43

Benchmark Date: 24 Jan 2020

Name | Title
SV-1r2_rule | There are started task LOGONIDs with the NON-CNCL attribute specified in the associated LOGONID record that are not listed as trusted and have not been specifically approved.
SV-2r3_rule | The LOGONIDs specified in GSO MAINT records will have the JOB and MAINT attributes specified in the associated LOGONID record.
SV-23r2_rule | The REFRESH attribute must be restricted.
SV-31r5_rule | DFSMS resources must be protected in accordance with the proper security requirements.
SV-34r3_rule | System programs (e.g., exits, SVCs, etc.) must have approval of appropriate authority and/or documented correctly.
SV-36r8_rule | Dynamic lists must be protected in accordance with proper security requirements.
SV-44r3_rule | CICS region logonid(s) must be defined and/or controlled in accordance with the security requirements.
SV-54r5_rule | Surrogate users must be controlled in accordance with the proper requirements.
SV-82r2_rule | A CMP (Change Management Process) is not being utilized on this system.
SV-83r2_rule | LNKAUTH=APFTAB is not specified in the IEASYSxx member(s) in the currently active parmlib data set(s).
SV-84r2_rule | Inaccessible APF libraries defined.
SV-85r2_rule | Duplicated sensitive utilities and/or programs exist in APF libraries.
SV-86r4_rule | The review of AC=1 modules in APF authorized libraries must be reviewed annually and documentation verifying the modules integrity must be available.
SV-90r2_rule | Inapplicable PPT entries have not been invalidated.
SV-100r2_rule | Non-existent or inaccessible LINKLIST libraries.
SV-101r2_rule | Non-standard SMF data collection options specified.
SV-102r5_rule | Required SMF data record types must be collected.
SV-103r2_rule | An automated process is not in place to collect and retain SMF data.
SV-104r2_rule | ACP database is not on a separate physical volume from its backup and recovery datasets.
SV-105r2_rule | ACP database is not backed up on a scheduled basis.
SV-106r2_rule | System DASD backups are not performed on a regularly scheduled basis.
SV-107r2_rule | PASSWORD data set and OS passwords are utilized.
SV-108r2_rule | SYS1.PARMLIB is not limited to only system programmers.
SV-109r2_rule | Access to SYS1.LINKLIB is not properly protected.
SV-110r3_rule | Write or greater access to SYS1.SVCLIB must be limited to system programmers only.
SV-111r4_rule | Write or greater access to SYS1.IMAGELIB must be limited to system programmers only.
SV-112r3_rule | Write or greater access to SYS1.LPALIB must be limited to system programmers only.
SV-113r2_rule | Update and allocate access to all APF-authorized libraries are not limited to system programmers only.
SV-114r3_rule | Write or greater access to all LPA libraries must be limited to system programmers only.
SV-115r3_rule | Write or greater access to SYS1.NUCLEUS must be limited to system programmers only.
SV-116r3_rule | Write or greater access to libraries that contain PPT modules must be limited to system programmers only.
SV-117r2_rule | Update and allocate access to LINKLIST libraries are not limited to system programmers only.
SV-118r6_rule | The ACP security data sets and/or databases must be properly protected.
SV-119r4_rule | Access greater than Read to the System Master Catalog must be limited to system programmers only.
SV-120r2_rule | Update and allocate access to all system-level product installation libraries are not limited to system programmers only.
SV-121r2_rule | Update and allocate access to the JES2 System data sets (e.g., Spool, Checkpoint, and Initialization parameters) are not limited to system programmers only.
SV-122r3_rule | Write or greater access to SYS1.UADS must be limited to system programmers only and read and update access must be limited to system programmer personnel and/or security personnel.
SV-123r2_rule | Update and allocate access to SMF collection files (i.e., SYS1.MANx) are not limited to system programmers and/or batch jobs that perform SMF dump processing.
SV-124r2_rule | Update and allocate access to data sets used to backup and/or dump SMF collection files are not limited to system programmers and/or batch jobs that perform SMF dump processing.
SV-125r2_rule | Access to SYSTEM DUMP data sets are not limited to system programmers only.
SV-126r2_rule | Update and allocate access to System backup files are not limited to system programmers and/or batch jobs that perform DASD backups.
SV-127r2_rule | Access to SYS(x).TRACE is not limited to system programmers only.
SV-128r2_rule | Access to System page data sets (i.e., PLPA, COMMON, and LOCALx) are not limited to system programmers.
SV-129r3_rule | Write or greater access to Libraries containing EXIT modules must be limited to system programmers only.
SV-130r3_rule | The APPLDEF GSO record if used must have supporting documentation indicating the reason it was used.
SV-131r2_rule | The AUTHEXIT GSO record value is used to define an extended user authentication exit at TSO logon, for Operator Identification (OID) card usage. DISA requires the use of NCPASS on all of its domains. DISA sites require the use of AUTHEXIT; for other non-DISA sites this value is optional.
SV-132r4_rule | The AUTOERAS GSO record value must be set to indicate that ACF2 is controlling the automatic physical erasure of VSAM or non VSAM data sets.
SV-133r2_rule | The BACKUP GSO record value specifies a time field and Time(00:00 ) is not specified unless the database is shared and backed up on another system.
SV-134r2_rule | The BLPPGM GSO record value indicates that ACF2 does not control the programs authorized to use tape bypass label processing (BLP).
SV-135r2_rule | The CLASMAP GSO record value translates an eight-character SAF resource class into a three character ACF2 resource type code.
SV-136r3_rule | The EXITS GSO record value must specify the module names of site written ACF2 exit routines.
SV-138r2_rule | The LINKLST GSO record value if specified only contains trusted system datasets.
SV-140r2_rule | The MAINT GSO record value if specified will be restricted to production storage management user accounts and programs.
SV-141r3_rule | The NJE GSO record value must indicate validation options that apply to jobs submitted through a network job entry subsystem (JES2, JES3, RSCS).
SV-142r4_rule | The OPTS GSO record value must be set to the values specified.
SV-143r3_rule | The PPGM GSO record value must indicate protected programs that are only executed by privileged users.
SV-144r3_rule | The PSWD GSO record values must be set to the values specified in the checks portion below.
SV-48576r3_rule | The PWPHRASE GSO record must be properly defined.
SV-146r2_rule | The RESRULE GSO record value is set to NONE. Any other setting requires documentation justifying the change.
SV-147r2_rule | The RESVOLS GSO record value is set to Volmask(-). Any other setting requires documentation justifying the change.
SV-148r2_rule | The RULEOPTS GSO record values are set to the values specified.
SV-149r3_rule | The SAFDEF GSO record baseline values are not are set to the values previously documented.
SV-150r2_rule | The SECVOLS GSO record value is set to VOLMASK(). Any local changes are justified and documented with the IAO.
SV-151r2_rule | The SYNCOPTS GSO record values are set to the values specified.
SV-152r4_rule | The TSO GSO record values must be set to the values specified.
SV-153r2_rule | The TSOCRT GSO record values are set to the appropriate values.
SV-154r2_rule | The TSOKEYS GSO record values specified are not in accordance with security requirements.
SV-155r2_rule | The TSOTWX GSO record values are set to the values specified.
SV-156r2_rule | The TSO2741 GSO record values specified are not in accordance with the proper security requirements.
SV-158r3_rule | There are LOGONIDs defined to ACF2 that do not have the required fields completed.
SV-159r5_rule | Interactive LOGONIDs defined to ACF2 must have the required fields completed.
SV-160r2_rule | There are batch jobs with restricted LOGONIDs that do not have the PGM(xxxxxxxx) and SUBAUTH attributes or the SOURCE(xxxxxxxx) attribute assigned to the corresponding LOGONIDs.
SV-161r2_rule | There are LOGONIDs assigned for started tasks that do not have the STC attribute specified in the associated LOGONID record.
SV-162r2_rule | There are LOGONIDs associated with started tasks that have the MUSASS requirement but do not have both the MUSASS and NO-SMC specified in corresponding LOGONID records.
SV-163r2_rule | There are LOGONIDs associated with started tasks that have the MUSASS attribute and the requirement to submit jobs on behalf of its users but do not have the JOBFROM attribute as required.
SV-166r2_rule | There are maintenance LOGONIDs that do not have corresponding GSO MAINT records.
SV-167r2_rule | There are GSO MAINT records that do not have corresponding maintenance LOGONIDs.
SV-168r3_rule | Emergency LOGONIDs must be properly defined.
SV-169r2_rule | LOGONIDS with the REFRESH attribute must have the SUSPEND attribute specified.
SV-170r2_rule | There are no procedures to utilize the LOGONID with the REFRESH attribute.
SV-171r2_rule | LOGONIDs with the ACCOUNT, LEADER, or SECURITY attribute must be properly scoped.
SV-172r2_rule | There are LOGONIDs with the SECURITY attribute that do not have the RULEVLD and RSRCVLD attributes specified.
SV-173r2_rule | The LOGONID with the ACCTPRIV attribute must be restricted to the IAO.
SV-174r2_rule | The LOGONIDs with the AUDIT or CONSULT attribute must be properly scoped.
SV-175r2_rule | Procedures are not in place to ensure all LOGONIDs with the READALL attribute are used and controlled.
SV-176r2_rule | The number of users granted the special privilege TAPE-LBL or TAPE-BLP is not justified or limited.
SV-177r3_rule | The special privileges must be assigned on an as-needed basis to LOGONIDs associated with STCs and LOGONIDs that need to execute TSO in batch.
SV-178r2_rule | The number of users granted the special privilege CONSOLE is not justified.
SV-179r2_rule | The number of users granted the special privilege ALLCMDS is not justified.
SV-180r2_rule | The number of users granted the special privilege PPGM is not justified.
SV-181r3_rule | The number of users granted the special privilege OPERATOR must be kept to a strictly controlled minimum.
SV-182r5_rule | Memory and privileged program dumps must be protected in accordance with proper security requirements.
SV-183r3_rule | Sensitive Utility Controls will be properly defined and protected.
SV-184r3_rule | LOGONIDs must not be defined to SYS1.UADS for non-emergency use.
SV-234r3_rule | All system PROCLIB data sets must be limited to system programmers only
SV-251r2_rule | Sensitive CICS transactions are not protected in accordance with security requirements.
SV-297r4_rule | TSOAUTH resources must be restricted to authorized users.
SV-302r4_rule | CICS System Initialization Table (SIT) parameter values must be specified in accordance with proper security requirements.
SV-3215r2_rule | Configuration files for the TCP/IP stack are not properly specified.
SV-3216r4_rule | TCPIP.DATA configuration statements for the TCP/IP stack must be properly specified.
SV-3217r2_rule | PROFILE.TCPIP configuration statements for the TCP/IP stack are not coded properly.
SV-3218r4_rule | The permission bits and user audit bits for HFS objects that are part of the Base TCP/IP component must be configured properly.
SV-3219r5_rule | TCP/IP resources must be properly protected.
SV-3220r3_rule | Started tasks for the Base TCP/IP component must be defined in accordance with security requirements.
SV-3221r2_rule | MVS data sets for the Base TCP/IP component are not properly protected.
SV-3222r3_rule | PROFILE.TCPIP configuration statements for the TN3270 Telnet Server must be properly specified.
SV-3223r4_rule | VTAM session setup controls for the TN3270 Telnet Server must be properly specified.
SV-3224r2_rule | The warning banner for the TN3270 Telnet Server is not specified or properly specified.
SV-3226r3_rule | SSL encryption options for the TN3270 Telnet Server will be specified properly for each statement that defines a SECUREPORT or within the TELNETGLOBALS.
SV-3227r3_rule | SMF recording options for the TN3270 Telnet Server must be properly specified.
SV-3229r2_rule | The startup user account for the z/OS UNIX Telnet Server is not defined properly.
SV-3230r2_rule | Startup parameters for the z/OS UNIX Telnet Server are not specified properly.
SV-3231r3_rule | The warning banner for the z/OS UNIX Telnet Server must be properly specified
SV-3232r3_rule | HFS objects for the z/OS UNIX Telnet Server will be properly protected.
SV-3233r2_rule | The FTP Server daemon is not defined with proper security parameters.
SV-3234r2_rule | The startup parameters for the FTP include the ANONYMOUS, ANONYMOUS=, or INACTIVE keywords. The FTP daemon’s started task JCL does not specify the SYSTCPD and SYSFTPD DD statements for configuration files.
SV-3235r2_rule | FTP.DATA configuration statements for the FTP Server are not specified in accordance with requirements.
SV-3236r3_rule | User exits for the FTP Server must not be used without proper approval and documentation.
SV-3237r3_rule | The warning banner for the FTP Server must be specified properly.
SV-3238r4_rule | SMF recording options for the FTP Server must be configured to write SMF records for all eligible events.
SV-3239r3_rule | The permission bits and user audit bits for HFS objects that are part of the FTP Server component will be properly configured.
SV-3240r2_rule | MVS data sets for the FTP Server are not properly protected.
SV-3241r2_rule | The TFTP Server program is not properly protected.
SV-3242r2_rule | The Syslog daemon is not started at z/OS initialization.
SV-3243r3_rule | The Syslog daemon must be properly defined and secured.
SV-3244r3_rule | The permission bits and user audit bits for HFS objects that are part of the Syslog daemon component will be configured properly.
SV-3331r3_rule | The ACP audit logs must be reviewed on a regular basis.
SV-3716r2_rule | User accounts defined to the ACP do not uniquely identify system users.
SV-3895r3_rule | DFSMS control data sets must be protected in accordance with security requirements.
SV-3896r2_rule | SYS(x).Parmlib(IEFSSNxx) SMS configuration parameter settings are not properly specified.
SV-3897r2_rule | MVS data sets for the WebSphere Application Server are not protected in accordance with the proper security requirements.
SV-3898r2_rule | HFS objects for the WebSphere Application Server are not protected in accordance with the proper security requirements.
SV-3899r2_rule | The CBIND Resource(s) for the WebSphere Application Server is(are) not protected in accordance with security requirements.
SV-3900r3_rule | Vendor-supplied user accounts for the WebSphere Application Server must be defined to the ACP.
SV-3901r2_rule | The WebSphere Application Server plug-in is not specified in accordance with the proper security requirements.
SV-3903r2_rule | User timeout parameter values for WebSphere MQ queue managers are not specified in accordance with security requirements.
SV-3904r1_rule | WebSphere MQ started tasks are not defined in accordance with the proper security requirements.
SV-3905r2_rule | WebSphere MQ all update and alter access to MQSeries/WebSphere MQ product and system data sets are not properly restricted
SV-4850r3_rule | Allocate access to system user catalogs must be limited to system programmers only.
SV-5605r2_rule | Non-existent or inaccessible Link Pack Area (LPA) libraries.
SV-5627r4_rule | The hosts identified by the NSINTERADDR statement must be properly protected.
SV-7188r2_rule | CICS startup JCL statement is not specified in accordance with the proper security requirements.
SV-7189r3_rule | Sensitive CICS transactions are not protected in accordance with the proper security requirements.
SV-7191r2_rule | Sensitive CICS transactions are not protected in accordance with the proper security requirements.
SV-7195r2_rule | All hardware components of the FEPs are not placed in secure locations where they cannot be stolen, damaged, or disturbed
SV-7196r2_rule | Procedures are not in place to restrict access to FEP functions of the service subsystem from operator consoles (local and/or remote), and to restrict access to the diskette drive of the service subsystem.
SV-7197r2_rule | A documented procedure is not available instructing how to load and dump the FEP NCP (Network Control Program).
SV-7198r2_rule | An active log is not available to keep track of all hardware upgrades and software changes made to the FEP (Front End Processor).
SV-7199r2_rule | NCP (Network Control Program) Data set access authorization does not restrict UPDATE and/or ALLOCATE access to appropriate personnel.
SV-7200r2_rule | A password control is not in place to restrict access to the service subsystem via the operator consoles (local and/or remote) and a key-lock switch is not used to protect the modem supporting the remote console of the service subsystem.
SV-7220r2_rule | JES2 input sources are not controlled in accordance with the proper security requirements.
SV-7221r4_rule | JES2 input sources must be properly controlled.
SV-7222r2_rule | JES2 output devices are not controlled in accordance with the proper security requirements.
SV-7223r3_rule | JES2 output devices must be properly controlled for Classified Systems.
SV-7224r2_rule | JESSPOOL resources are not protected in accordance with security requirements.
SV-7225r2_rule | JESNEWS resources are not protected in accordance with security requirements.
SV-7226r2_rule | JESTRACE and/or SYSLOG resources are not protected in accordance with security requirements.
SV-7227r3_rule | JES2 spool resources will be controlled in accordance with security requirements.
SV-7228r2_rule | JES2.** resource is not protected in accordance with security requirements.
SV-7229r2_rule | JES2 system commands are not protected in accordance with security requirements.
SV-7234r4_rule | SMS Program Resources must be properly defined and protected.
SV-7237r2_rule | DFSMS control data sets are not properly protected.
SV-7238r2_rule | SYS(x).PARMLIB(IGDSMSxx), SMS parameter settings are not properly specified.
SV-7240r2_rule | DFSMS resource type(s) is(are) not defined to the GSO INFODIR record in accordance with security requirements.
SV-7242r2_rule | DFSMS resource class(es) is(are) not defined to the GSO SAFDEF record in accordance with security requirements
SV-7243r2_rule | DFSMS resource class(es) is(are) not defined to the GSO CLASMAP record in accordance with security requirements.
SV-7245r2_rule | z/OS UNIX OMVS parameters in PARMLIB are not properly specified.
SV-7246r3_rule | z/OS UNIX BPXPRMxx security parameters in PARMLIB must be properly specified.
SV-7247r2_rule | z/OS UNIX HFS MapName files security parameters are not properly specified.
SV-7248r2_rule | z/OS UNIX security parameters for restricted network service(s) in /etc/inetd.conf are not properly specified.
SV-7250r2_rule | The VTAM USSTAB definitions are being used for unsecured terminals
SV-7257r2_rule | The System datasets used to support the VTAM network are not properly secured.
SV-7259r5_rule | WebSphere MQ channel security must be implemented in accordance with security requirements.
SV-7260r2_rule | WebSphere MQ resource classes are not properly activated.
SV-7261r3_rule | WebSphere MQ switch profiles must be properly defined to the MQADMIN class.
SV-7262r2_rule | z/OS UNIX security parameters in etc/profile are not properly specified.
SV-7263r3_rule | WebSphere MQ MQCONN Class resources must be protected in accordance with security.
SV-7264r2_rule | z/OS UNIX security parameters in /etc/rc are not properly specified.
SV-7267r2_rule | WebSphere MQ dead letter and alias dead letter queues are not properly defined.
SV-7268r2_rule | WebSphere MQ queue resource defined to the MQQUEUE resource class are not protected in accordance with security requirements.
SV-7269r2_rule | WebSphere MQ Process resources are not protected in accordance with security requirements.
SV-7270r2_rule | WebSphere MQ Namelist resources are not protected in accordance with security requirements.
SV-7271r2_rule | BPX resource(s) is(are) not protected in accordance with security requirements.
SV-7272r2_rule | WebSphere MQ alternate user resources defined to MQADMIN resource class are not protected in accordance with security requirements.
SV-7273r3_rule | z/OS UNIX resources must be protected in accordance with security requirements.
SV-7274r2_rule | WebSphere MQ context resources defined to the MQADMIN resource class are not protected in accordance with security requirements.
SV-7275r3_rule | z/OS UNIX SUPERUSER resource must be protected in accordance with guidelines.
SV-7276r2_rule | WebSphere MQ command resources defined to MQCMDS resource class are not protected in accordance with security requirements.
SV-7277r2_rule | z/OS UNIX MVS data sets or HFS objects are not properly protected.
SV-7278r2_rule | WebSphere MQ RESLEVEL resources in the MQADMIN resource class are not protected in accordance with security requirements.
SV-7279r2_rule | z/OS UNIX MVS data sets WITH z/OS UNIX COMPONENTS are not properly protected
SV-7280r2_rule | z/OS UNIX MVS data sets used as step libraries in /etc/steplib are not properly protected
SV-7281r3_rule | z/OS UNIX HFS permission bits and audit bits for each directory will be properly protected or specified.
SV-7282r3_rule | z/OS UNIX SYSTEM FILE SECURITY SETTINGS will be properly protected or specified.
SV-7283r2_rule | WebSphere MQ channel security is not implemented in accordance with security requirements.
SV-7284r2_rule | z/OS UNIX MVS HFS directory(s) with "other" write permission bit set are not properly defined.
SV-7288r2_rule | Attributes of z/OS UNIX user accounts are not defined properly
SV-7289r2_rule | z/OS UNIX each group is not defined with a unique GID.
SV-7290r2_rule | The user account for the z/OS UNIX kernel (OMVS) is not properly defined to the security database.
SV-7291r3_rule | The user account for the z/OS UNIX SUPERUSER userid must be properly defined.
SV-7292r3_rule | The user account for the z/OS UNIX (RMFGAT) must be properly defined.
SV-7294r3_rule | UID(0) must be properly assigned.
SV-7295r2_rule | z/OS UNIX user accounts are not properly defined.
SV-7296r3_rule | The GSO UNIXOPTS record must not specify default settings for classified systems.
SV-7297r3_rule | The GSO UNIXOPTS record must specify CHOWNRES.
SV-7298r2_rule | The CLASSMAP DEFINITIONS list does not include entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes in accordance with security requirements.
SV-7299r2_rule | The INFODIR record does not include entries for the FACILITY, SURROGAT, and UNIXPRIV resource classes in accordance with security requirements.
SV-7433r5_rule | Attributes of z/OS UNIX user accounts used for account modeling must be defined in accordance with security requirements.
SV-7475r2_rule | ACF2/CICS parameter data sets are not protected in accordance with the proper security requirements.
SV-7523r3_rule | CICS default logonid(s) must be defined and/or controlled in accordance with the security requirements.
SV-7524r3_rule | CICS logonid(s) must be configured with proper timeout and signon limits.
SV-7918r4_rule | z/OS system commands must be properly protected.
SV-7923r4_rule | CONSOLxx members must be properly configured.
SV-7924r3_rule | MCS console userid(s) will be properly protected.
SV-7927r3_rule | MCS consoles access authorization(s) for CONSOLE resource(s) must be properly protected.
SV-7930r2_rule | Users that have access to the CONSOLE resource in the TSOAUTH resource class are not properly defined.
SV-7978r2_rule | CICS system data sets are not properly protected.
SV-8016r3_rule | Unsupported system software is installed and active on the system.
SV-8019r3_rule | Site must have a formal migration plan for removing or upgrading OS systems software prior to the date the vendor drops security patch support.
SV-8031r3_rule | Key ACF2/CICS parameters must be properly coded.
SV-8036r2_rule | Userids found inactive for more than 35 days are not suspended.
SV-8757r2_rule | FTP / Telnet unencrypted transmissions require Acknowledgement of Risk Letter (AORL)
SV-15984r2_rule | Site does not maintain documented procedures to apply security related software patches to their system and does not maintain a log of when these patches were applied.
SV-28773r3_rule | z/OS Baseline reports are not reviewed and validated to ensure only authorized changes have been made within the z/OS operating system. This is a current DISA requirement for change management to system libraries.
SV-36387r2_rule | z/OS USS Software owning Shared accounts do not meet strict security and creation restrictions.
SV-38875r4_rule | IEASYMUP resource will be protected in accordance with proper security requirements.
SV-39518r2_rule | FTP Control cards will be properly stored in a secure PDS file.
SV-41848r5_rule | Production WebSphere MQ Remotes must utilize Certified Name Filters (CNF)
SV-44220r3_rule | Sensitive and critical system data sets exist on shared DASD.
SV-48660r5_rule | The OPTS GSO record value must be set to the values specified.
SV-80137r3_rule | NIST FIPS-validated cryptography must be used to protect passwords in the security database.
SV-83829r1_rule | All digital certificates in use must have a valid path to a trusted Certification authority.
SV-83839r1_rule | Expired Digital Certificates must not be used.
SV-83845r1_rule | Certificate Name Filtering must be implemented with appropriate authorization and documentation.
SV-83851r1_rule | The SSH daemon must be configured to only use the SSHv2 protocol.
SV-83853r1_rule | The SSH daemon must be configured to use a FIPS 140-2 compliant cryptographic algorithm.
SV-83855r1_rule | The SSH daemon must be configured with the Department of Defense (DoD) logon banner.
SV-83857r1_rule | SMF recording options for the SSH daemon must be configured to write SMF records for all eligible events.
SV-83859r1_rule | The SSH daemon must be configured to use SAF keyrings for key storage.
SV-85847r1_rule | Libraries included in the system REXXLIB concatenation must be properly protected.