STIG ID - BACF1021: Limit Access to APF-Authorized Libraries

Severity: 1 - High
The Authorized Program Facility (APF) designates the libraries that can contain program modules which possess a significant capability to bypass system and security controls. Unauthorized access could compromise the operating system environment, External Security Manager (ESM), applications, and customer data.
The organization must ensure that update or greater access to all APF-authorized libraries is limited to system programmers based upon documented roles performed. Additionally, the organization must ensure that all update or greater access is logged. To reduce risk, only authorize greater than read access to APF load libraries during times of approved change.
This STIG article shows how to identify your APF load libraries that are not protected properly and how to remove access from unauthorized ACIDs. Ensure that access is logged using the procedure in this article.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps:
  1. Review access to APF-authorized libraries and ensure the following:
    • Write or greater access is limited to system programmers.
    • Read access is granted to other users only as needed.
    • All write or greater access to APF-authorized libraries is logged.
    TSO ACFUNIX "ACCESS DSN('SYS1.LPALIB')"
    ACCESS Subcommand Results as of 07/29/20-12:18 for: SYS1.LPALIB
    $Key: SYS1
    Ruleline: LPALIB READ(A) WRITE(L) ALLOC(L) EXEC(A)
    ACCESS Subcommand Results as of 08/20/20-12:02 for: SYS3.LPADLIB
    $Key: SYS1
    Ruleline: LPALIB UID(A) READ(A) WRITE(L) ALLOC(L) EXEC(A)
    Lids: SYSPRG1 SYSPRG2 SYSPRG3 SYSPRG4 SYSPRG5 SYSPRG6
    Ruleline: LPALIB UID(*) READ(A) EXEC(A)
    Lids: All logonids
    SYS1.LPALIB is one of many APF authorized libraries found on a z/OS system.
  2. Review the output, ensuring the following:
    • Only system programmers have write or greater access.
    • All access greater than read is logged.
  3. If update and alter access to all APF-authorized libraries is limited to system programmers and activity is logged, your organization does not have an audit finding.
  4. If update and alter access to all APF-authorized libraries is not limited to system programmers and activity is not logged, your organization has an audit finding.
    See Remediate Audit Findings.
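The review in steps 1 and 2 is easy to get wrong by eye when a system has many APF libraries and many rule lines. The following script is an added example, not CA/Broadcom code and not part of this article's procedure: it parses ACCESS subcommand output in the format shown above and reports every rule line that grants WRITE or ALLOC without logging (an access value other than L) or grants it to a UID or ROLE mask other than the documented system-programmer masks. The approved masks (*****SYSPROG and ZSYSPROG, the ones the remediation step installs), the treatment of an absent WRITE/ALLOC keyword as not granted, and the sample output are all assumptions made for the example; Lids: lines are ignored.

```python
"""Audit ACF2 ACCESS-subcommand output for APF-library rule lines that grant
update-or-greater access without logging, or to a UID/ROLE mask that is not the
documented system-programmer mask.  Added example, not CA/Broadcom code."""
import re
from dataclasses import dataclass

# ACF2 access values on a rule line: A = allow, L = allow and log, P = prevent.
LOGGED = "L"
PREVENT = "P"
UPDATE_OR_GREATER = ("WRITE", "ALLOC")

# Assumed site values: the UID mask and ACF2 role documented for system
# programmers (the masks the remediation step in this article installs).
APPROVED_UIDS = {"*****SYSPROG"}
APPROVED_ROLES = {"ZSYSPROG"}

# Matches KEYWORD(value) tokens such as UID(*) or WRITE(L) on a rule line.
KEYWORD = re.compile(r"([A-Z]+)\(([^)]*)\)")


@dataclass(frozen=True)
class Finding:
    dataset: str
    ruleline: str
    reason: str


def parse_rulelines(text):
    """Yield (dataset, ruleline) pairs from ACCESS output; the dataset name comes
    from the most recent 'ACCESS Subcommand Results ... for: <dsn>' header."""
    dataset = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"\bfor:\s*(\S+)", line)
        if m:
            dataset = m.group(1)
        elif line.startswith("Ruleline:"):
            yield dataset, line[len("Ruleline:"):].strip()


def check_ruleline(dataset, ruleline):
    """Return findings for one rule line.  WRITE/ALLOC that is absent or P is
    treated as not granted (an assumption of this script); anything granted must
    be L (logged) and must go to an approved UID or ROLE mask."""
    kw = dict(KEYWORD.findall(ruleline))
    uid, role = kw.get("UID"), kw.get("ROLE")
    approved = uid in APPROVED_UIDS or role in APPROVED_ROLES
    subject = f"UID({uid})" if uid else f"ROLE({role})" if role else "all logonids"
    findings = []
    for acc in UPDATE_OR_GREATER:
        val = kw.get(acc)
        if val is None or val == PREVENT:
            continue
        if val != LOGGED:
            findings.append(Finding(dataset, ruleline,
                                    f"{acc}({val}) is allowed but not logged"))
        if not approved:
            findings.append(Finding(dataset, ruleline,
                                    f"{acc} granted to {subject}, not a system-programmer mask"))
    return findings


def audit(text):
    """Run every rule line in the ACCESS output through check_ruleline."""
    return [f for ds, rl in parse_rulelines(text) for f in check_ruleline(ds, rl)]


# Constructed sample modelled on the ACCESS output format shown in this article;
# the second library's rule lines are deliberately deficient.
SAMPLE_OUTPUT = """\
ACCESS Subcommand Results as of 07/29/20-12:18 for: SYS1.LPALIB
$Key: SYS1
Ruleline: LPALIB UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A)
Ruleline: LPALIB UID(*) READ(A) EXEC(A)
ACCESS Subcommand Results as of 07/29/20-12:19 for: SYS1.LINKLIB
$Key: SYS1
Ruleline: LINKLIB UID(*****SYSPROG) READ(A) WRITE(A) ALLOC(A) EXEC(A)
Ruleline: LINKLIB UID(*****APPDEV) READ(A) WRITE(L) EXEC(A)
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT):
        print(f"{f.dataset}: {f.reason}  [{f.ruleline}]")
```

Run against the sample, the SYS1.LPALIB lines produce no findings, while SYS1.LINKLIB produces three: unlogged WRITE and ALLOC for the system-programmer mask, and logged WRITE granted to a non-system-programmer mask. Any finding corresponds to step 4 above and should be corrected with the rule-key changes in Remediate Audit Finding.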
Remediate Audit Finding
The Information System Security Officer (ISSO) is responsible for ensuring that update and alter access to the APF-authorized libraries is limited to only system programmers and all update and alter access is logged.
Follow these steps:
  1. Evaluate the impact of correcting the deficiency and develop a plan of action to implement the required changes.
  2. Implement controls to specify that only system programmers are authorized to write and alter APF-authorized libraries and that all activity is logged:
    RECKEY SYS1 ADD(LPALIB UID(*****SYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A))
    or,
    RECKEY SYS1 ADD(LPALIB ROLE(ZSYSPROG) READ(A) WRITE(L) ALLOC(L) EXEC(A))
Implementing controls to the APF-authorized libraries protects your organization's operating system environment, external security manager, and customer data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000213, CCI-001499, CCI-002234

CCI: CCI-000213
Published Date: 2009-09-14
Definition: The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): CM-5 (6)
  NIST: NIST SP 800-53 Revision 4 (v4): AC-3
  NIST: NIST SP 800-53A (v1): AC-3.1

CCI: CCI-001499
Published Date: 2009-09-29
Definition: The organization limits privileges to change software resident within software libraries.
Type: technical
References:
  NIST: NIST SP 800-53 (v3): CM-5 (6)
  NIST: NIST SP 800-53 Revision 4 (v4): CM-5 (6)
  NIST: NIST SP 800-53A (v1): CM-5 (6).1

CCI: CCI-002234
Published Date: 2013-06-24
Definition: The information system audits the execution of privileged functions.
Type: technical
References:
  NIST: NIST SP 800-53 Revision 4 (v4): AC-6 (9)