How to find who can write to APF authorized libraries?

Article ID: 11238


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC, PanApt, PanAudit

Issue/Introduction

APF-authorized programs and libraries

The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area. The system treats any module in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) as though it came from an APF-authorized library. Ensure that you properly protect SYS1.LPALIB and any other library that contributes modules to the link pack area to avoid system security and integrity exposures, just as you protect any APF-authorized library.

Unauthorized programs can issue the CSVAPF macro to:
  • Determine whether or not a library is in the APF list
  • Determine the current format (dynamic or static) of the APF list
  • Obtain a list of all library entries in the APF list.

APF also prevents authorized programs (supervisor state, APF-authorized, PSW key 0-7, or PKM 0-7) from accessing a load module that is not in an APF-authorized library. The application development books for programmers who use authorized programs provide more information about APF authorization.

We have a request from the Audit department to supply a list of who can write to the APF authorized libraries. Is there a report that can do this?

Environment

Release:
Component: ACF2MS

Resolution

There is no simple report that displays only WRITE access to the APF datasets. Some manual massaging of the data is involved, since any ACF2 report also includes READ access. There are two possibilities. The first is the ACFRPTXR report. This report can be run from the ACF2 panels, or in batch. For example purposes, we will use SYS1.APFLIB as the library being reviewed.


//jobcard 
//STEP1 EXEC PGM=ACFRPTXR
//SYSPRINT DD SYSOUT=*
//SYSDSLST DD *
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,16),DCB=BUFNO=30
//SYSUT2 DD UNIT=SYSDA,SPACE=(CYL,16),DCB=BUFNO=30
//SYSIN DD *
ACF2
DSET
RRSUM
DSN(SYS1.APFLIB)
/*
//

Job output may look like this:


DATASET: SYS1.APFLIB                                  
STORED: 06/24/09-12:59 BY: SECADMIN
CONTROLS: %CHANGE DATA EXISTS $MODE(ABORT)
LOGONIDS THAT HAVE ACCESS WITHOUT RULES
ACFBKUP(NC) SECADMIN(SE)
- VOL(ACF***) UID(*****QAT) READ(A) WRITE(A) EXEC(A)
QATUSR1(U,RA) QATUSR2(U)

For more information on the ACFRPTXR report, please review the "Report and Utilities Guide".


The other option is the ACCESS subcommand. The subcommand can be run from ACF2 panels, using ACF mode, or running in ACFBATCH. Here is an example of ACFBATCH, which would be similar to using ACF mode.


//jobcard 
//STEP1 EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
ACCESS DSNAME(SYS1.APFLIB)
/*
//

Resulting output would look similar to this:


ACCESS DSNAME(SYS1.APFLIB)                                       
ACCESS Subcommand Results For: SYS1.APFLIB

Key: SYS1                                                      

Ruleline: - VOL(ACF***) UID(*****QAT) READ(A) WRITE(A) EXEC(A) 
Lids: QATUSR1 QATUSR2

For more information on the use of the ACCESS subcommand, please refer to the ACF2 Administrator Guide, Chapter 1.


As the output shows, no report lists definitive information on just a WRITE access. The parts that show READ, EXECUTE or ALLOCATE access will need to be removed before submitting to the company Audit department.
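The filtering described above can be scripted instead of done by hand. The following Python is an added example (not from the article or from ACF2) that reads ACFRPTXR RRSUM output in the shape shown earlier and keeps only the logonids under rule lines whose WRITE permission is A (allow) or L (log, still allowed), plus the logonids listed as having access without rules; the sample report and its extra rule lines are constructed, and omitted WRITE is treated as prevent (assumed to be ACF2's default).

```python
import re

# Constructed sample in the shape of the ACFRPTXR RRSUM output shown above;
# the second and third rule lines are added to exercise a READ-only rule
# and a logged (WRITE(L)) rule.
SAMPLE_REPORT = """\
DATASET: SYS1.APFLIB
STORED: 06/24/09-12:59 BY: SECADMIN
CONTROLS: %CHANGE DATA EXISTS $MODE(ABORT)
LOGONIDS THAT HAVE ACCESS WITHOUT RULES
ACFBKUP(NC) SECADMIN(SE)
- VOL(ACF***) UID(*****QAT) READ(A) WRITE(A) EXEC(A)
QATUSR1(U,RA) QATUSR2(U)
- VOL(ACF***) UID(*****RPT) READ(A) EXEC(A)
RPTUSR1(U)
- VOL(ACF***) UID(*****OPS) READ(L) WRITE(L) ALLOC(P)
OPSUSR1(U) OPSUSR2(U)
"""

PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")

def grants_write(ruleline):
    """True when the rule line's WRITE is A (allow) or L (log but allow).
    An omitted WRITE is treated as P (prevent), assumed to be ACF2's default."""
    perms = dict(PERM_RE.findall(ruleline))
    return perms.get("WRITE", "P") in ("A", "L")

def strip_lid_flags(token):
    """'QATUSR1(U,RA)' -> 'QATUSR1': keep the logonid, drop the report flags."""
    return token.split("(", 1)[0]

def write_access(report_text):
    """Return {dataset: {"no_rules": [lids], "rules": {ruleline: [lids]}}},
    keeping only rule lines that grant WRITE; READ/EXEC-only rules are dropped."""
    result, dataset, section = {}, None, None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("DATASET:"):
            dataset = line.split(":", 1)[1].strip()
            result[dataset] = {"no_rules": [], "rules": {}}
            section = None
        elif line.startswith("LOGONIDS THAT HAVE ACCESS WITHOUT RULES"):
            section = "no_rules"
        elif line.startswith("- "):
            # Rule entry line: only kept when its WRITE permission allows or logs
            section = line if grants_write(line) else None
            if section:
                result[dataset]["rules"][line] = []
        elif section == "no_rules":
            result[dataset]["no_rules"] += [strip_lid_flags(t) for t in line.split()]
        elif section is not None:
            result[dataset]["rules"][section] += [strip_lid_flags(t) for t in line.split()]
        # STORED:/CONTROLS: lines and logonids under dropped rules are ignored
    return result
```

Logonids under "ACCESS WITHOUT RULES" are reported separately because they bypass rule checking entirely and belong in the audit list regardless of rule lines.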


To determine the APF libraries that are on the system, the following operator command can be issued:


D PROG,APF 

The resulting output will list the libraries starting like this:


13:45:42.69 INTERNAL 00000094  CSV450I 13.45.42 PROG,APF DISPLAY 023     
023 00000094 FORMAT=DYNAMIC
023 00000094 ENTRY VOLUME DSNAME
023 00000094 1 SYS001 SYS1.LINKLIB
023 00000094 2 SYS001 SYS1.SVCLIB

and will continue listing all the APF libraries on the system.