SMF$XT50 - Audit LPA-, LNK- and or APF listed datasets

Critical MVS Libraries

  • APF libraries - Identified in SYS1.PARMLIB (IEASYSxx)-- see IEAAPFxx option

  • Link List libraries - Identified in SYS1.PARMLIB (IEASYSxx)-- see LNKLSTxx option

  • LPA List libraries - Identified in SYS1.PARMLIB (IEASYSxx)-- see LPALSTxx option

The members in certain system libraries are given the ability to bypass security in order to accomplish operating software functions. These three libraries, the APF libraries, the Link List libraries and the LPA List libraries create a possible security exposure because of this level of authority. In order to verify that the installation is using these libraries for only required purposes run SMF$XT50 on a daily basis.

SMF$XT50 is a batch tool which is used to monitor the access to the privileged file definitions e.g. APF, LNK and LPA list. By default all accesses with "INTENT=UPDATE" against APF, LNK and LPA system definitions will be listed. Optionally other INTENTS against these files can be listed too.

A user can as well specify a SMF logger file instead of SYS1.MANx or any other archived SMF file.

//          DISP=(,PASS),
//          DCB=(RECFM=VBS,LRECL=32760,BLKSIZE=6240),
//          UNIT=SYSDA,SPACE=(TRK,(1,1))
//SYSIN     DD    *

Access list based on SMF records:

APF list:

LPA list:

LINK list: