When a check detects a system condition or setting that runs counter
to the values that the check is looking for, the check should issue
an exception message to report the exception. For an exception message,
the system displays both the message text and the entire message explanation
in the message buffer. The message should include a detailed explanation
of the error and the appropriate action that the installation
should take to resolve the condition. If you are writing a check that
checks for a setting that conflicts with the default for the setting,
you should include in your check output information about why the
check user is getting an exception message for a default setting.
Along with an exception message, IBM Health Checker for z/OS will issue
a line showing the severity and the return code for the check. The
check will continue to run at the defined intervals, reporting the
exception each time until the exception condition is resolved.
The following example shows an exception message issued to the
message buffer:
CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES)
START TIME: 05/25/2005 09:42:56.690844
CHECK DATE: 20040703 CHECK SEVERITY: HIGH
* High Severity Exception *
IRRH204E The RACF_SENSITIVE_RESOURCES check has found one or
more potential errors in the security controls on this system.
Explanation: The RACF security configuration check has found one or
more potential errors with the system protection mechanisms.
System Action: The check continues processing. There is no effect on
the system.
Operator Response: Report this problem to the system security
administrator and the system auditor.
System Programmer Response: Examine the report that was produced by
the RACF check. Any data set which has an "E" in the "S" (Status)
column has excessive authority allowed to the data set. That
authority may come from a universal access (UACC) or ID(*) access
list entry which is too permissive, or if the profile is in WARNING
mode. If there is no profile, then PROTECTALL(FAIL) is not in
effect. Any data set which has a "V" in the "S" (Status) field is
not on the indicated volume. Remove these data sets from the list
or allocate the data sets on the volume.
Asterisks ("****") in the UACC, WARN, and ID(*) columns indicate
that there is no RACF profile protecting the data set. Data sets
which do not have a RACF profile are flagged as exceptions, unless
SETROPTS PROTECTALL(FAIL) is in effect for the system.
If a valid user ID was specified as a parameter to the check, that
user's authority to the data set is checked. If the user has an
excessive authority to the data set, that is indicated in the USER
column. For example, if the user has ALTER authority to an
APF-authorized data set, the USER column contains "<Read" to
indicate that the user has more than READ authority to the data set.
Problem Determination: See the RACF System Programmer's Guide and
the RACF Auditor's Guide for information on the proper controls for
your system.
Source:
RACF System Programmer's Guide
RACF Auditor's Guide
Reference Documentation:
RACF System Programmer's Guide
RACF Auditor's Guide
Automation: None.
Check Reason: Sensitive resources should be protected.
END TIME: 05/25/2005 09:43:13.717882 STATUS: EXCEPTION-HIGH
The Check Reason: field displays the default reason in an exception
message without installation parameter overrides.
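Added example (not part of the IBM documentation or of any IBM-supplied code): Python that parses message buffer output in the layout shown above into fields that automation or a log pipeline can act on. The function names, the message-ID pattern and the abbreviated sample text are assumptions made for this illustration.

```python
import re

# Constructed sample: header, exception and trailer lines of the message
# buffer shown above, with the long response sections left out.
SAMPLE = """\
CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES)
START TIME: 05/25/2005 09:42:56.690844
CHECK DATE: 20040703 CHECK SEVERITY: HIGH
* High Severity Exception *
IRRH204E The RACF_SENSITIVE_RESOURCES check has found one or
more potential errors in the security controls on this system.
Explanation: The RACF security configuration check has found one or
more potential errors with the system protection mechanisms.
Automation: None.
Check Reason: Sensitive resources should be protected.
END TIME: 05/25/2005 09:43:13.717882 STATUS: EXCEPTION-HIGH
"""

# Field labels that open a section in the exception message layout above.
LABELS = ("Explanation", "System Action", "Operator Response",
          "System Programmer Response", "Problem Determination", "Source",
          "Reference Documentation", "Automation", "Check Reason")
LABEL_RE = re.compile(r"^(%s):\s*(.*)$" % "|".join(map(re.escape, LABELS)))
MSG_RE = re.compile(r"^([A-Z]{3,8}\d{3,5}[EIW])\s+(.*)$")  # assumed ID shape

def parse_check_output(text):
    """Return header fields, message ID/text and the labelled sections."""
    rec, current = {"sections": {}}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"^CHECK\(([^,]+),([^)]+)\)$", line):
            rec["owner"], rec["check"] = m.groups()
        elif m := re.search(r"CHECK SEVERITY:\s*(\w+)", line):
            rec["severity"] = m.group(1)
        elif m := re.match(r"^END TIME:.*STATUS:\s*(\S+)", line):
            rec["status"], current = m.group(1), None
        elif m := LABEL_RE.match(line):
            current = m.group(1)
            rec["sections"][current] = m.group(2)
        elif (m := MSG_RE.match(line)) and "msg_id" not in rec:
            rec["msg_id"], rec["msg_text"], current = m.group(1), m.group(2), "_msg"
        elif current == "_msg":          # wrapped line of the message text
            rec["msg_text"] += " " + line
        elif current:                    # wrapped line of a labelled section
            rec["sections"][current] = (rec["sections"][current] + " " + line).strip()
    return rec

def needs_triage(rec):
    """True when the check ended in an exception state."""
    return rec.get("status", "").startswith("EXCEPTION")
```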
See "Issuing a REXX check exception message" for an example of
how to issue an exception message from a REXX check.
Example - Issuing a DIRECTMSG message for a REXX check:
For a check that has no message table associated with it, you can
issue a check message directly from the check routine, as shown in
the example below. REXX sample check SYS1.SAMPLIB(HZSSXCHN) also shows
DIRECTMSG calls.
/* Set up exception message input for HZSLFMSG */
/* Required input variables: */
HZSLFMSG_REQUEST='DIRECTMSG'
HZSLFMSG_REASON='CHECKEXCEPTION'
HZSLFMSG_DIRECTMSG_ID='UTHH003E'
HZSLFMSG_DIRECTMSG_TEXT='Brief exception summary'
/* Optional input variables: */
HZSLFMSG_DIRECTMSG.EXPL='The exception explanation for UTHR003E'
HZSLFMSG_DIRECTMSG.AUTOMATION='Automation text for UTHR003E'
HZSLFMSG_DIRECTMSG.SOURCE='Source text for UTHR003E'
/* Call HZSLFMSG */
HZSLFMSG_RC = HZSLFMSG()
/* Set up report message input for HZSLFMSG */
HZSLFMSG_REQUEST='DIRECTMSG'
HZSLFMSG_REASON='CHECKREPORT'
HZSLFMSG_DIRECTMSG_TEXT='Single line report message'
/* Call HZSLFMSG */
HZSLFMSG_RC = HZSLFMSG()