- Description:
- The RACF_ICHAUTAB_NONLPA check examines the RACF® Authorized Caller Table (ICHAUTAB) and
reports if there are any non-LPA entries in it. The output format
is similar to the report format for the ICHAUTAB Report in RACF_SENSITIVE_RESOURCES,
with the exception that LPA-resident modules are not listed.
- Reason for check:
- IBM® recommends that installations have no entries in the ICHAUTAB table.
- z/OS® releases the check applies to:
- z/OS V1R10 and later.
- Type of check:
- Local
- Parameters accepted:
- No
- User override of IBM values:
- The following shows the default keywords for the check, which you can override on either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command. This statement may be copied and modified to override the check defaults:
UPDATE
CHECK(IBMRACF,RACF_ICHAUTAB_NONLPA)
SEVERITY(MED) INTERVAL(24:00) DATE('date_of_the_change')
REASON('Your reason for making the update.')
- Debug support:
- No
- Verbose support:
- No
- Reference:
- z/OS Security Server RACF System Programmer's Guide
- Messages:
- This check issues the following exception messages:
See z/OS Security Server RACF Messages and Codes.
- SECLABEL recommended for MLS users:
- SYSLOW
- Output:
- The following shows the ICHAUTAB Non-LPA report:
- Successful case:
CHECK(IBMRACF,RACF_ICHAUTAB_NONLPA)
START TIME: 03/14/2008 15:52:22.756461
CHECK DATE: 20070411 CHECK SEVERITY: MEDIUM
ICHAUTAB Non-LPA Report
S Module REQUEST= REQUEST= Location
VERIFY LIST
- -------- -------- -------- --------
IRRH239I There are no ICHAUTAB programs on this system.
END TIME: 03/14/2008 15:52:22.762403 STATUS: SUCCESSFUL
- Exception case:
START TIME: 11/13/2007 18:42:44.876179
CHECK DATE: 20070411 CHECK SEVERITY: MEDIUM
ICHAUTAB Non-LPA Report
S Module REQUEST= REQUEST= Location
VERIFY LIST
- -------- -------- -------- --------
TRESPOND YES YES NON-LPA
* Medium Severity Exception *
IRRH240E The RACF_ICHAUTAB_NONLPA check has found
one or more non-LPA ICHAUTAB entries.
non-LPA ICHAUTAB entries. IBM recommends that ICHAUTAB contain no
entries. An entry in ICHAUTAB represents a program whose access
should be controlled using PROGRAM CONTROL and restricted to a known
set of trusted users or trusted started tasks.
LPA-resident ICHAUTAB entries are listed in the
RACF_SENSITIVE_RESOURCES check.
System Action: The check continues processing. There is no effect on
the system.
Operator Response: None.
System Programmer Response: If the modules in ICHAUTAB are no longer
in use, they should be deleted from ICHAUTAB. If the modules are
still in use and the privileges granted by ICHAUTAB are still
required, the modules should be protected using PROGRAM CONTROL and
their use should be restricted to a known set of trusted users or
trusted started tasks.
Problem Determination:
Source:
Reference Documentation:
IBM Health Checker for z/OS: User's Guide
z/OS Security Server RACF Security Administrator's Guide
Automation: None.
Check Reason: ICHAUTAB entries must be protected.
END TIME: 11/13/2007 18:42:44.885582 STATUS: EXCEPTION-MED
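As an added example that is not part of this IBM documentation: a small Python parser for report text in the format shown above (as it might be captured from the Health Checker output), which extracts the ICHAUTAB entries, the NON-LPA ones that need PROGRAM CONTROL review, the IRRH message ids and the final STATUS. The embedded sample is constructed from the exception case above; the column spacing is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the exception case from the page, column spacing assumed.
EXCEPTION_SAMPLE = """\
CHECK(IBMRACF,RACF_ICHAUTAB_NONLPA)
START TIME: 11/13/2007 18:42:44.876179
CHECK DATE: 20070411 CHECK SEVERITY: MEDIUM
ICHAUTAB Non-LPA Report
S Module   REQUEST= REQUEST= Location
           VERIFY   LIST
- -------- -------- -------- --------
  TRESPOND YES      YES      NON-LPA
* Medium Severity Exception *
IRRH240E The RACF_ICHAUTAB_NONLPA check has found
one or more non-LPA ICHAUTAB entries.
END TIME: 11/13/2007 18:42:44.885582 STATUS: EXCEPTION-MED
"""

@dataclass
class IchautabReport:
    severity: str = ""                              # CHECK SEVERITY value
    status: str = ""                                # STATUS value on the END TIME line
    entries: list = field(default_factory=list)     # (module, verify, list, location)
    messages: list = field(default_factory=list)    # IRRHnnnx message ids seen

# One ICHAUTAB entry line: optional one-character S flag, 1-8 character module
# name, the REQUEST=VERIFY and REQUEST=LIST columns (YES/NO), then the location.
ENTRY_RE = re.compile(r"^\s*(?:\S\s+)?([A-Z0-9@#$]{1,8})\s+(YES|NO)\s+(YES|NO)\s+(\S+)\s*$")
MSG_RE = re.compile(r"^(IRRH\d{3}[IEW])\b")

def parse_report(text: str) -> IchautabReport:
    rpt = IchautabReport()
    for line in text.splitlines():
        if m := re.search(r"CHECK SEVERITY:\s+(\S+)", line):
            rpt.severity = m.group(1)
        if m := re.search(r"STATUS:\s+(\S+)", line):
            rpt.status = m.group(1)
        if m := MSG_RE.match(line):
            rpt.messages.append(m.group(1))
        elif m := ENTRY_RE.match(line):
            rpt.entries.append(m.groups())
    return rpt

def non_lpa_modules(rpt: IchautabReport) -> list:
    """Modules the check reports as NON-LPA: the ones to delete or protect with PROGRAM CONTROL."""
    return [mod for mod, _verify, _list, loc in rpt.entries if loc == "NON-LPA"]

def needs_action(rpt: IchautabReport) -> bool:
    """True when the check ended in an exception or listed any non-LPA entry."""
    return rpt.status.startswith("EXCEPTION") or bool(non_lpa_modules(rpt))
```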