How to find who can write to APF authorized libraries?

Document ID : KB000011238
Last Modified Date : 14/02/2018
Introduction:

APF-authorized programs and libraries

The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area. The system treats any module in the link pack area (pageable LPA, modified LPA, fixed LPA, or dynamic LPA) as though it came from an APF-authorized library. Ensure that you properly protect SYS1.LPALIB and any other library that contributes modules to the link pack area to avoid system security and integrity exposures, just as you protect any APF-authorized library.

Unauthorized programs can issue the CSVAPF macro to:
  • Determine whether or not a library is in the APF list
  • Determine the current format (dynamic or static) of the APF list
  • Obtain a list of all library entries in the APF list.

APF also prevents authorized programs (supervisor state, APF-authorized, PSW key 0-7, or PKM 0-7) from accessing a load module that is not in an APF-authorized library. The application development books for programmers who use authorized programs provide more information about APF authorization.

Question:

We have a request from the Audit department to supply a list of who can write to the APF authorized libraries. Is there a report that can do this?

Answer:

There is no simple report that displays only WRITE access to the APF data sets. Some manual massaging of the data is involved, since any ACF2 report will include READ access as well. There are two possibilities. The first is the ACFRPTXR report, which can be run from the ACF2 panels or in batch. For example purposes, we will use SYS1.APFLIB as the library being reviewed.

//jobcard
//STEP1    EXEC PGM=ACFRPTXR
//SYSPRINT DD SYSOUT=*
//SYSDSLST DD *
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,16),DCB=BUFNO=30
//SYSUT2   DD UNIT=SYSDA,SPACE=(CYL,16),DCB=BUFNO=30
//SYSIN    DD *
  ACF2
  DSET
  RRSUM
  DSN(SYS1.APFLIB)
/*
//

Job output may look like this:

DATASET: SYS1.APFLIB
STORED: 06/24/09-12:59 BY: SECADMIN
CONTROLS: %CHANGE DATA EXISTS  $MODE(ABORT)
LOGONIDS THAT HAVE ACCESS WITHOUT RULES
ACFBKUP(NC)  SECADMIN(SE)
- VOL(ACF***) UID(*****QAT) READ(A) WRITE(A) EXEC(A) QATUSR1(U,RA) QATUSR2(U)

For more information on the ACFRPTXR report, please review the "Report and Utilities Guide".

The other option is the ACCESS subcommand. The subcommand can be run from the ACF2 panels, from ACF mode, or in ACFBATCH. Here is an ACFBATCH example; the ACF mode equivalent is the same subcommand.

//jobcard
//STEP1    EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN    DD  *
  ACCESS DSNAME(SYS1.APFLIB)
/*
//

Resulting output would look similar to this:

ACCESS DSNAME(SYS1.APFLIB)
ACCESS Subcommand Results For: SYS1.APFLIB
Key: SYS1
Ruleline: - VOL(ACF***) UID(*****QAT) READ(A) WRITE(A) EXEC(A)
Lids: QATUSR1  QATUSR2

For more information on the use of the ACCESS subcommand, please refer to the ACF2 Administrator Guide, Chapter 1.

As the output shows, neither report isolates WRITE access on its own. The entries that grant only READ, EXECUTE or ALLOCATE access will need to be removed before the list is submitted to the company Audit department.
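The "manual massaging" described above, as an added example that is not part of the original article: a Python script that parses captured ACCESS subcommand output, keeps only rulelines granting WRITE(A) or WRITE(L), and lists the logonids matched by those rulelines. The sample output is constructed, and the parser assumes each Ruleline: in the ACCESS output is followed by its own Lids: line, as in the example above.

```python
import re
from typing import Dict, List

# Constructed sample: ACCESS subcommand output for one APF library, laid out
# like the article's example, with extra rulelines added for illustration.
SAMPLE_ACCESS_OUTPUT = """\
ACCESS DSNAME(SYS1.APFLIB)
ACCESS Subcommand Results For: SYS1.APFLIB
Key: SYS1
Ruleline: - VOL(ACF***) UID(*****QAT) READ(A) WRITE(A) EXEC(A)
Lids: QATUSR1  QATUSR2
Ruleline: - VOL(ACF***) UID(*****OPS) READ(A) EXEC(A)
Lids: OPSUSR1
Ruleline: - UID(*****DEV) READ(A) WRITE(L) ALLOC(P)
Lids: DEVUSR1  DEVUSR2
"""

# ACF2 access keywords: A = allow, L = allow and log, P = prevent.
ACCESS_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\(([ALP])\)")


def parse_access_output(text: str) -> List[Dict]:
    """Return one record per ruleline: dataset, permissions and matching lids."""
    records, dataset, current = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("ACCESS Subcommand Results For:"):
            dataset = line.split(":", 1)[1].strip()
        elif line.startswith("Ruleline:"):
            ruleline = line.split(":", 1)[1].strip()
            # A permission not named on the ruleline defaults to prevent.
            perms = {"READ": "P", "WRITE": "P", "ALLOC": "P", "EXEC": "P"}
            perms.update(ACCESS_RE.findall(ruleline))
            current = {"dataset": dataset, "ruleline": ruleline,
                       "perms": perms, "lids": []}
            records.append(current)
        elif line.startswith("Lids:") and current is not None:
            current["lids"] = line.split(":", 1)[1].split()
    return records


def writers(text: str) -> Dict[str, List[str]]:
    """Map each dataset to the sorted lids whose ruleline permits WRITE."""
    result: Dict[str, set] = {}
    for rec in parse_access_output(text):
        if rec["perms"]["WRITE"] in ("A", "L"):  # L still permits the write
            result.setdefault(rec["dataset"], set()).update(rec["lids"])
    return {dsn: sorted(lids) for dsn, lids in result.items()}


if __name__ == "__main__":
    for dsn, lids in writers(SAMPLE_ACCESS_OUTPUT).items():
        print(dsn, " ".join(lids))
```

Logonids that bypass rules through a privilege, shown by ACFRPTXR under "LOGONIDS THAT HAVE ACCESS WITHOUT RULES" (such as the NC and SE entries above), do not appear on any ruleline and must be added to the audit list separately.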

To determine the APF libraries that are on the system, the following operator command can be issued:

D PROG,APF 

The resulting output will list the libraries starting like this:

13:45:42.69 INTERNAL 00000094  CSV450I 13.45.42 PROG,APF DISPLAY 023
                 023 00000094  FORMAT=DYNAMIC
                 023 00000094  ENTRY VOLUME DSNAME
                 023 00000094        1  SYS001 SYS1.LINKLIB
                 023 00000094        2  SYS001 SYS1.SVCLIB

and will continue listing all the APF libraries on the system.