IBM Support

OA63748: STIG ACP00282 DOES NOT TAKE INTO CONSIDERATION PROFILES WHICH ARE LESS GENERIC THAN THE MVS.START.STC.MMMMMMMM.SSSSSSSS

A fix is available


APAR status

  • Closed as program error.

Error description

  • STIG ACP00282 does not take into consideration profiles which
    are less generic than MVS.START.STC.mmmmmmmm.ssssssss.

    It is expected that zSecure will examine any profile that should
    cover a resource, for example MVS.START.STC.mbrname.jobname.

    However, zSecure does not take into account profiles which are
    more specific than the generic MVS.START.STC.** profile.

    zSecure should take the less generic profiles into consideration
    when performing the compliance check in order to find profiles
    that are not compliant.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit exploiting the STIG   *
    *                 ACP00282 compliance rule set and newlist     *
    *                 type RESOURCE.                               *
    ****************************************************************
    * PROBLEM DESCRIPTION: zSecure Audit RACF STIG compliance rule *
    *                      set ACP00282 (z/OS system operator      *
    *                      commands must be protected properly)    *
    *                      might generate incorrect results.       *
    *                      Newlist type RESOURCE might incorrectly *
    *                      report the RACF profile (field          *
    *                      RACF_PROFILE) that covers resources in  *
    *                      the OPERCMDS class.                     *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided.                      *
    ****************************************************************
    zSecure Audit does not take the most specific generic RACF
    profiles protecting resources in the OPERCMDS class into account,
    resulting in incorrect compliance reports generated by the STIG
    ACP00282 compliance rule set and an incorrect RACF profile
    reported by the newlist type RESOURCE.
    

Problem conclusion

  • zSecure Audit has been modified so that it correctly processes
    the most specific generic RACF profiles protecting resources in
    the OPERCMDS class, so that the ACP00282 compliance rule set
    produces correct results and newlist type RESOURCE displays the
    correct RACF profile protecting resources in the OPERCMDS class.
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA63748

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    250

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-09-14

  • Closed date

    2022-09-15

  • Last modified date

    2022-10-03

  • APAR is sysrouted FROM one or more of the following:

    OA62915

  • APAR is sysrouted TO one or more of the following:

    UJ09226

Modules/Macros

  • CKACFEA  CKADQRZ  CKAGSENS CKASENI  CKASERI  CKRESRC  CKRINPM
    CKRMAIN  CKRVERIF GKRCFEA  GKRESRC  GKRGSENS GKRINPM  GKRMAIN
    GKRSENI  GKRSERI  GKRVERIF
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R250 PSY UJ09226

       UP22/09/17 P F209

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
03 October 2022