STIG ID - BACF1004: LNKAUTH=APFTAB is Not Specified in the IEASYSxx Member

Severity: 2 - Medium
The data set SYS1.PARMLIB members IEAAPFxx and PROGxx are used to specify the library names and the volumes where they reside. Failure to specify LNKAUTH=APFTAB allows libraries other than those designated as APF to contain authorized modules, which can bypass security and violate the integrity of the operating system environment.
This STIG article shows how to specify LNKAUTH=APFTAB using Auditor.
The organization will ensure that LNKAUTH=APFTAB is specified in the IEASYSxx members in the currently active parmlib data sets.
Identify Audit Finding
Review the following data to determine if you should consider remediation.
Follow these steps:
  1. Verify that LNKAUTH=APFTAB is specified in the IEASYSxx members in the currently active parmlib data sets.
    1. Select option 2 from the Primary menu. The System Installation Choices menu is displayed.
    2. Select option 1 to display the Parmlib Information screen.
    3. Type S to select the SYS1.PARMLIB data set.
    4. Type B to browse the IEASYSxx member.
      Verify that LNKAUTH=APFTAB is specified in the IEASYSxx member. If specified, then only modules in libraries in the APF list are authorized.
      BROWSE - SYS1.PARMLIB(IEASYSxx)
      COMMAND ===>                                  SCROLL ===> PAGE
      LNKAUTH=APFTAB
  2. If LNKAUTH=APFTAB is specified in the IEASYSxx member, your organization does not have an audit finding.
  3. If LNKAUTH=APFTAB is not specified in the IEASYSxx member, your organization has an audit finding. See Remediate Audit Finding.
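The same check can be run against a text copy of an IEASYSxx member. The following Python code is an added example, not part of Auditor or of the original article; the function names and member contents are constructed for illustration. It assumes simplified record rules (parameter data in columns 1 through 71, text after the first blank on a record is comment, the first record that does not end in a comma ends the member) and treats an omitted LNKAUTH as the z/OS default, LNKLST.

```python
import re

DEFAULT_LNKAUTH = "LNKLST"  # value z/OS uses when LNKAUTH is not coded

def lnkauth_setting(member_text):
    """Return the LNKAUTH value in effect for one IEASYSxx member."""
    value = None
    for record in member_text.splitlines():
        data = record[:71].strip()      # columns 72-80 carry no parameter data
        if not data:
            continue
        params = data.split()[0]        # anything after the first blank is comment
        for match in re.finditer(r"(?:^|,)LNKAUTH=([^,]*)", params):
            value = match.group(1)
        if not params.endswith(","):    # no continuation comma: member ends here
            break
    return value or DEFAULT_LNKAUTH

def has_audit_finding(member_text):
    """True when the member does not put LNKAUTH=APFTAB in effect."""
    return lnkauth_setting(member_text) != "APFTAB"

# Constructed sample members (not taken from a real system).
COMPLIANT = (
    "CLOCK=00,\n"
    "CMD=(00,01),\n"
    "LNKAUTH=APFTAB,            ONLY APF-LIST LIBRARIES ARE AUTHORIZED\n"
    "PROG=(00,A1)\n"
)
EXPLICIT_LNKLST = "CLOCK=00,\nLNKAUTH=LNKLST,\nPROG=00\n"
OMITTED = "CLOCK=00,\nPROG=00\n"
# The string appears only in a comment and after the end of the member,
# so a plain text search would wrongly report compliance.
COMMENT_ONLY = (
    "CLOCK=00,\n"
    "PROG=00,                   WAS LNKAUTH=APFTAB BEFORE MIGRATION\n"
    "LNKLST=00\n"
    "LNKAUTH=APFTAB\n"
)

if __name__ == "__main__":
    for name in ("COMPLIANT", "EXPLICIT_LNKLST", "OMITTED", "COMMENT_ONLY"):
        text = globals()[name]
        status = "FINDING" if has_audit_finding(text) else "no finding"
        print(f"{name:16} LNKAUTH={lnkauth_setting(text):7} {status}")
```

Run it over every IEASYSxx member in the active parmlib concatenation; a member that omits the parameter is reported as a finding because the default is in effect.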
Remediate Audit Finding
The z/OS System/LPAR Level Mainframe Security Team (ZSECTEAM) will review all installed software for authorization requirements and include only libraries with this requirement in the APF designation.
Follow these steps:
  1. Review all installed software for authorization requirements. Identify and include only libraries with this requirement in the APF designation.
  2. Change LNKAUTH=LNKLST to LNKAUTH=APFTAB in all IEASYSxx members. All APF libraries are specified in the IEAAPFxx and PROGxx members of parmlib.
    An entire library is listed as authorized, not just the individual modules.
    EDIT --- SYS1.PARMLIB(IEASYSxx) - 01.01 ---------------------columns 001 072
    Command ====>                                  SCROLL ===> CSR
    LNKAUTH=APFTAB
Validating that all sensitive and critical system data sets are protected from unauthorized access across all systems that have access to the shared volume is critical to the security and integrity of your organization's data.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG.  For more information, see the National Institute of Standards and Technology website.
CCIs: CCI-000381, CCI-001762, CCI-002283
CCI: CCI-000381
Published Date: 2009-09-18
Definition: The organization configures the information system to provide only essential capabilities.
Type: technical
References:
NIST: NIST SP 800-53 (v3): CM-7
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 a
NIST: NIST SP 800-53A (v1): CM-7.1 (ii)
CCI: CCI-001762
Published Date: 2013-02-28
Type: technical
Definition: The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
References:
NIST: NIST SP 800-53 Revision 4 (v4): CM-7 (1) (b)
CCI: CCI-002283
Published Date: 2013-06-24
Definition: The information system maintains the integrity of organization-defined security attributes associated with organization-defined subjects.
Type: technical
References:
NIST: NIST SP 800-53 Revision 4 (v4): AC-16 (3)