CSVDYLPA Service, by Default, Sets AC(1) when a Module is Added to LPA

Document ID : KB000047250
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:

The client had a system vulnerability audit performed, which listed an exposure in EBC module EBCS22EP (load module EBCSVR22) as "Least Privilege 1 (LP1)".

 

Environment:

CA View 12.2

 

Resolution:

At a pre-z/OS 2.1 level, the CSVDYLPA service (at default) sets AC(1) when adding a module to LPA.        

The CSVDYLPA macro at pre-z/OS 2.1 levels does not have the capability of setting AC=0, and marks all modules as AC=1. 

 

With the below 12.2 PTFs, CA SVC routines are marked as AC=0 with the CSVDYLPA macro, if the operating system is at z/OS 2.1 or higher: 

 

. RO86218      CA View 12.2

. RO82096      CA Deliver 12.2

. RO82095      EBC 12.2 (View and Deliver)

 

The RO82096 fix was specifically created to resolve issues with software that audits vulnerability of a system.

The setting of AC=1 may show an audit violation at pre-z/OS 2.1 levels. 

At z/OS level 2.1, the audit violation should be satisfied.

If the operating system level is z/OS 2.1 (or higher), RO82096 should be applied.