IBM Health Checker for z/OS User's Guide
Previous topic | Next topic | Contents | Contact z/OS | Library | PDF


Reporting check exceptions

IBM Health Checker for z/OS User's Guide
SC23-6843-02

When a check detects a system condition or setting that runs counter to the values that the check is looking for, the check should issue an exception message to report the exception. For an exception message, the system displays both the message text and the entire message explanation in the message buffer. The message should include a detailed explanation of the error and the appropriate action that the installation should take to resolve the condition. If you are writing a check that checks for a setting that conflicts with the default for the setting, you should include in your check output information about why the check user is getting an exception message for a default setting.

Along with an exception message, IBM Health Checker for z/OS will issue a line showing the severity and the return code for the check. The check will continue to run at the defined intervals, reporting the exception each time until the exception condition is resolved.

The following example shows an exception message issued to the message buffer:
CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES)    
START TIME: 05/25/2005 09:42:56.690844     
CHECK DATE: 20040703  CHECK SEVERITY: HIGH 

* High Severity Exception *                                             
                                                                        
IRRH204E The RACF_SENSITIVE_RESOURCES check has found one or            
more potential errors in the security controls on this system.          
                                                                        
  Explanation:  The RACF security configuration check has found one or  
    more potential errors with the system protection mechanisms.        
                                                                        
  System Action:  The check continues processing. There is no effect on 
    the system.                                                         
                                                                        
  Operator Response:  Report this problem to the system security        
    administrator and the system auditor.                               
                                                                        
  System Programmer Response:  Examine the report that was produced by  
    the RACF check. Any data set which has an "E" in the "S" (Status)   
    column has excessive authority allowed to the data set. That        
    authority may come from a universal access (UACC) or ID(*) access   
    list entry which is too permissive, or if the profile is in WARNING 
    mode. If there is no profile, then PROTECTALL(FAIL) is not in       
    effect. Any data set which has a "V" in the "S" (Status) field is   
    not on the indicated volume. Remove these data sets from the list   
    or allocate the data sets on the volume.                            
                                                                        
    Asterisks ("****") in the UACC, WARN, and ID(*) columns indicate    
    that there is no RACF profile protecting the data set. Data sets    
    which do not have a RACF profile are flagged as exceptions, unless  
    SETROPTS PROTECTALL(FAIL) is in effect for the system.              
                                                                        
    If a valid user ID was specified as a parameter to the check, that  
    user's authority to the data set is checked. If the user has an     
    excessive authority to the data set, that is indicated in the USER  
    column. For example, if the user has ALTER authority to an          
    APF-authorized data set, the USER column contains "<Read" to        
    indicate that the user has more than READ authority to the data set.

  Problem Determination:  See the RACF System Programmer's Guide and    
    the RACF Auditor's Guide for information on the proper controls for 
    your system.                                                        
                                                                        
  Source:                                                               
    RACF System Programmer's Guide                                      
    RACF Auditor's Guide                                                
                                                                        
  Reference Documentation:                                              
    RACF System Programmer's Guide                                      
    RACF Auditor's Guide                                                
                                                                        
  Automation:  None.                                                    
                                                                        
  Check Reason:  Sensitive resources should be protected.               
                                                                        
END TIME: 05/25/2005 09:43:13.717882  STATUS: EXCEPTION-HIGH            
    APF-authorized data set, the USER column contains "
The Check Reason: field display the default reason in an exception message without installation parameter overrides.

See "Issuing a REXX check exception message" for an example of how to issue an exception message from a REXX check.

Example - Issuing a DIRECTMSG message for a REXX check: For a check that has no message table associated with it, you can issue a check message directly from the check routine, as shown in the example below. REXX sample check SYS1.SAMPLIB(HZSSXCHN) also shows DIRECTMSG calls.
     /* Set up exception message input for HZSLFMSG */
     /* Required input variables: */
     HZSLFMSG_REQUEST='DIRECTMSG'
     HZSLFMSG_REASON='CHECKEXCEPTION'
     HZSLFMSG_DIRECTMSG_ID='UTHH003E'
     HZSLFMSG_DIRECTMSG_TEXT='Brief exception summary'
     /* Optional input variables: */
     HZSLFMSG_DIRECTMSG.EXPL='The exception explanation for UTHR003E'
     HZSLFMSG_DIRECTMSG.AUTOMATION='Automation text for UTHR003E'
     HZSLFMSG_DIRECTMSG.SOURCE='Source text for UTHR003E'
     /* Call HZSLFMSG */
     HZSLFMSG_RC = HZSLFMSG()

     /* Set up report message input for HZSLFMSG */
     HZSLFMSG_REQUEST='DIRECTMSG'
     HZSLFMSG_REASON='CHECKREPORT'
     HZSLFMSG_DIRECTMSG_TEXT='Single line report message'
     /* Call HZSLFMSG */
     HZSLFMSG_RC = HZSLFMSG()
Parent topic: Issuing messages in your local check routine with the HZSFMSG macro
Parent topic: Issuing messages in your remote check routine with the HZSFMSG macro
Parent topic: Issuing messages from your REXX check with the HZSLFMSG function

Go to the previous page Go to the next page

Notices | Terms of use | Support | Contact z/OS | zFavorites



Copyright IBM Corporation 1990, 2014