APF-Authorized Libraries

Proper control of the Authorized Program Facility (APF) is essential for z/OS integrity. APF‑authorized programs can circumvent all security mechanisms of the operating system including access control software such as CA ACF2, CA Top Secret, and RACF.

Use the APF‑Authorized Libraries display (2.2) to review this information.

Auditor___________________________ Location___________________ Page____of____

Approved__________________________ CPU________________________ Date__________

Columns: Step | Description | W/P Ref | Finding | Remarks

(The W/P Ref, Finding, and Remarks columns are left blank on the form and are completed by the auditor during the review.)

Step 1
Use the APF Library Statistics Summary display (2.2.1) to obtain a listing of the libraries.
Prepare a work paper that details the purpose, use, and function of each library based on documentation supplied by Technical Support.

Step 2
From the APF Library Statistics Summary display (2.2.1) or information from your access control software, note which user IDs and groups can access APF libraries.
Determine whether access was given on a need‑to‑know basis. Ensure that no one has standing update authority to these libraries.

Step 3
From the same display, determine if any integrity exposures were created by libraries that are missing from their designated volumes. This situation can permit substitution of a “Trojan horse” library in place of the missing one.

Step 4
From the APF Library Statistics display, determine if all libraries found were accessible. Investigate any discrepancies (such as an offline pack) carefully.

Step 5
From the APF Library Statistics display, record both the number of programs in each library and the number marked as job step APF‑eligible.
Determine that adequate documentation exists for changes noted since the last review. If you found APF‑authorized production programs in Step 5, go to Step 7.

Step 6
System link list libraries can be specified as non‑APF‑authorized. Therefore, no application or production library names should appear in the APF Library Statistics display (2.2.1).

Step 7
Determine from the APF Library Statistics display that no production program libraries actually contain programs marked as job step eligible. Use the Program Statistics (5.2), Program Origin (5.1), or Product Identity (2.3.4) display to get detailed information about any such programs you find. Investigate their purpose, use, and function.

Step 8
z/OS considers all programs in all APF libraries to be equally authorized and does not recognize obsolete, back‑level, bogus, or duplicate versions of modules. Evaluate the effectiveness of the data center’s change control procedures by using the Find Duplicate APF Programs display (2.2.2) to identify duplicate modules.

Step 9
Using the Find Duplicate APF Programs display, be particularly sensitive to programs that have the same name but very different sizes.
Use the Program Statistics (5.2) and Program Origin (5.1) displays to investigate suspected “Trojan horse” programs.

Step 10
Use the TSO Information Summary display (2.2.3) to determine if adequate documentation is available that defines the purpose, use, and function of any APF‑authorized commands or programs available to TSO users.
Determine if the use of these commands and programs is adequately controlled on a need‑to‑know basis.

Step 11
Use the HFS Analysis display (2.2.4) to collect information about HFS-resident programs having the APF extended attribute set.
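The three data-driven checks in the checklist above (libraries missing from their designated volumes, duplicate APF modules, and same-named modules of very different sizes in Steps 8 and 9, plus the production-library-name check) as an added example. This is not part of this documentation and not CA Auditor output: it runs offline over a constructed inventory, and the record layout, the sample data set names, module names and sizes, and the `PROD.` naming prefix are all assumptions; in a real review the data would be exported from the displays cited above.

```python
"""Offline checks over a constructed APF library inventory.

Added example: the record layout below is an assumption, not the format of
any CA Auditor display. Sample data set names, module names and sizes are
constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ApfLibrary:
    dsname: str
    volser: str
    found: bool                                   # present on its designated volume
    modules: dict = field(default_factory=dict)   # module name -> size in bytes


# Constructed sample inventory (not data from a real system).
INVENTORY = [
    ApfLibrary("SYS1.LINKLIB", "SYSRES", True, {"IEFBR14": 8, "IKJEFT01": 12000}),
    ApfLibrary("SYS1.LPALIB", "SYSRES", True, {"IGC0001A": 500}),
    ApfLibrary("VENDOR.AUTHLIB", "VEND01", True, {"IKJEFT01": 12000, "VNDMOD1": 3000}),
    ApfLibrary("OLD.AUTHLIB", "OLD001", False, {}),
    ApfLibrary("PROD.PAYROLL.LOADLIB", "PROD01", True, {"IEFBR14": 40960}),
]


def missing_libraries(inv):
    """APF entries whose library is not present on its designated volume.

    A missing library is an integrity exposure: a data set later allocated
    under that name on that volume would inherit APF authorization.
    """
    return sorted(lib.dsname for lib in inv if not lib.found)


def duplicate_modules(inv):
    """Module name -> sorted [(dsname, size), ...] for every name that appears
    in more than one APF library. z/OS treats every copy as equally authorized,
    so each duplicate needs a change-control explanation.
    """
    seen = defaultdict(list)
    for lib in inv:
        for name, size in lib.modules.items():
            seen[name].append((lib.dsname, size))
    return {name: sorted(copies) for name, copies in seen.items() if len(copies) > 1}


def size_mismatched_duplicates(inv):
    """Duplicates whose copies differ in size: the first items to follow up
    with the Program Statistics and Program Origin displays, because a
    same-named module of a very different size is a classic substitution sign.
    """
    return {name: copies for name, copies in duplicate_modules(inv).items()
            if len({size for _, size in copies}) > 1}


def suspect_production_names(inv, prefixes=("PROD.",)):
    """APF libraries whose names match the site's production naming convention.
    The prefix list is a hypothetical site convention, not a z/OS rule.
    """
    return sorted(lib.dsname for lib in inv if lib.dsname.startswith(prefixes))


def report(inv):
    """Collect all findings so they can be transcribed into the work paper."""
    return {
        "missing_libraries": missing_libraries(inv),
        "duplicate_modules": duplicate_modules(inv),
        "size_mismatched_duplicates": size_mismatched_duplicates(inv),
        "suspect_production_names": suspect_production_names(inv),
    }


if __name__ == "__main__":
    for finding, value in report(INVENTORY).items():
        print(f"{finding}: {value}")
```

The size comparison is deliberately a separate function from the plain duplicate list: a duplicate of identical size is usually a packaging artifact to be documented, whereas a size mismatch is the case the checklist singles out for investigation.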