STIG ID - BACF1006: Validate Program Properties Table Library Entries

Severity
: 2 - Medium
Certain system programs need to run with special powers. For example, programs such as disk pack backup and recovery programs might need to access password-protected data sets without knowing the password. The
Auditor
program properties table (PPT) option lists these programs by name and the special properties assigned to each. If invalid PPT entries exist, systems are open to the introduction of trojan horse modules with security bypass capabilities.
This STIG article provides guidance, using
Auditor
, to ensure that invalid PPT entries do not exist.
Your organization will ensure invalid PPT entries do not exist and if so, take action to fix and avoid future invalid entries.
Identify Audit Finding
Review the following data to determine if you should consider remediation:
Follow these steps
:
  1. Review the program entries in the
    Auditor
    PPT Library Search. The PPT Library Search lets you display specific information about each program that resides in the PPT. This information includes the date that the program was linked to the library or origin, the size of the program, and the library where the program resides. To display the PPT Library Search:
    1. Select option 3 from the Primary Menu.
      The z/OS Technical Information screen is displayed.
    2. Select option 6.
      The Program Properties Table Analysis panel is displayed.
    3. Type S (Select) next to one or more PPT programs to request the search.
      The PPT Library panel is displayed. You cannot enter information on this panel. You can browse the program by typing B next to it or freeze it by entering F.
    4. For all programs not found on the operating system (for example, missing link date, size, volume, and library name), review their corresponding entires in the
      Auditor
      Program Properties table.
  2. Compare all programs not found on the operating system (for example, missing link date, size, volume, and library name), review their corresponding entries in the
    Auditor
    Program Properties table. If a program entry is found with the any of the following excessive privileges, ensure that a match SCHEDxx entry exists for that program revoking these privileges:
    • Data set integrity bypass
    • Keys 0-7
    • Security bypass
  3. If a documented migration plan exists,
    your organization does not have an audit finding
    .
  4. If a documented migration plan does not exist,
    your organization has an audit finding
    . See Remediate Audit Finding.
Remediate Audit Finding
Only the ISSO verifies that a migration process is documented and followed for unsupported software.
Follow these steps:
  1. Ensure the ISSO creates a documented migration plan.
  2. Review your organization's documented migration plan to ensure procedures to monitor system software product versions and releases for end-of-life and non-support dates are included as well as steps to notify management to upgrade to supported versions. If product support is provided through an outside group or organization, verify that they have a process to notify your organization of unsupported software.
A documented migration plan ensures the integrity of your system controls.
Control Correlation Identifier (CCI)
A Control Correlation Identifier (CCI) list provides a standard identifier and description for each of the singular, actionable statements that comprise a control or best practice. The following CCIs are related to this STIG. For more information, see the National Institute of Standards and Technology website.
CCIs
: CCI-000409, CCI-001225
CCI
:
CCI-000409
Published Date
:
2009-09-18
Definition
:
The organization updates the inventory of information system components as an integral part of component removals.
Type
:
policy
References
:
NIST: NIST SP 800-53 (v3): CM-8 (1)
NIST: NIST SP 800-53 Revision 4 (v4): CM-8 (1)
NIST: NIST SP 800-53A (v1): CM-8 (1).1
CCI:
CCI-001225
Published Date:
2009-09-22
Definition:
The organization identifies information system flaws.
Type:
policy
References:
NIST:NIST SP 800-53 (v3): SI-2 a
NIST: NIST SP 800-53 Revision 4 (v4): SI-2 a
NIST: NIST SP 800-53A (v1): SI-2.1 (i)