The following shows an example of a complete check exception message, formatted as it would appear in the message buffer. The E suffix on the message identifier indicates that it is an exception message, and that the reported situation will require action.
CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES)
START TIME: 05/25/2005 09:42:56.690844
CHECK DATE: 20040703 CHECK SEVERITY: HIGH
* High Severity Exception *
IRRH204E The RACF_SENSITIVE_RESOURCES check has found one or
more potential errors in the security controls on this system.
Explanation: The RACF security configuration check has found one or
more potential errors with the system protection mechanisms.
System Action: The check continues processing. There is no effect on
the system.
Operator Response: Report this problem to the system security
administrator and the system auditor.
System Programmer Response: Examine the report that was produced by
the RACF check. Any data set which has an "E" in the "S" (Status)
column has excessive authority allowed to the data set. That
authority may come from a universal access (UACC) or ID(*) access
list entry which is too permissive, or if the profile is in WARNING
mode. If there is no profile, then PROTECTALL(FAIL) is not in
effect. Any data set which has a "V" in the "S" (Status) field is
not on the indicated volume. Remove these data sets from the list
or allocate the data sets on the volume.
Asterisks ("****") in the UACC, WARN, and ID(*) columns indicate
that there is no RACF profile protecting the data set. Data sets
which do not have a RACF profile are flagged as exceptions, unless
SETROPTS PROTECTALL(FAIL) is in effect for the system.
If a valid user ID was specified as a parameter to the check, that
user's authority to the data set is checked. If the user has an
excessive authority to the data set, that is indicated in the USER
column. For example, if the user has ALTER authority to an
APF-authorized data set, the USER column contains "<Read" to
indicate that the user has more than READ authority to the data set.
Problem Determination: See the RACF System Programmer's Guide and
the RACF Auditor's Guide for information on the proper controls for
your system.
Source:
RACF System Programmer's Guide
RACF Auditor's Guide
Reference Documentation:
RACF System Programmer's Guide
RACF Auditor's Guide
Automation: None.
Check Reason: Sensitive resources should be protected.
END TIME: 05/25/2005 09:43:13.717882 STATUS: EXCEPTION-HIGH
Note that fields such as START TIME:, CHECK DATE:, Check Reason: and END TIME: are not part of the message input specified by the check developer. The system issues these automatically, as appropriate. See Extra fields issued to the message buffer for exception messages for more information.
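As an added illustration (not part of the original page), the following Python parses the message-buffer format shown above into a record that a monitoring pipeline could act on: the check owner and name, the severity and status, the automatically issued timestamps, and the message identifier whose E suffix marks an exception requiring action. The sample buffer is constructed from the lines on this page, shortened to a few items.

```python
import re

# Constructed sample: the message-buffer text shown on this page, shortened to
# the lines the parser needs (header, exception message, two items, trailer).
SAMPLE_BUFFER = """\
CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES)
START TIME: 05/25/2005 09:42:56.690844
CHECK DATE: 20040703 CHECK SEVERITY: HIGH
* High Severity Exception *
IRRH204E The RACF_SENSITIVE_RESOURCES check has found one or
more potential errors in the security controls on this system.
Explanation: The RACF security configuration check has found one or
more potential errors with the system protection mechanisms.
Check Reason: Sensitive resources should be protected.
END TIME: 05/25/2005 09:43:13.717882 STATUS: EXCEPTION-HIGH
"""

ITEM_LABELS = ("Explanation", "System Action", "Operator Response",
               "System Programmer Response", "Problem Determination",
               "Source", "Reference Documentation", "Automation", "Check Reason")
HEADER_RE = re.compile(r"^CHECK\(([^,]+),([^)]+)\)$")        # CHECK(owner,name)
MSGID_RE = re.compile(r"^([A-Z]{3,5}\d{2,5}[A-Z])\s+(.*)$")   # e.g. IRRH204E text

def parse_buffer(text: str) -> dict:
    """Parse one check's message-buffer output into a flat dict of fields."""
    rec, section = {}, None          # section: key that continuation lines extend
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("*"):   # skip the "* High Severity Exception *" banner
            continue
        if m := HEADER_RE.match(line):
            rec["owner"], rec["name"] = m.groups()
        elif line.startswith("START TIME:"):
            rec["start_time"] = line.partition(":")[2].strip()
        elif m := re.match(r"^CHECK DATE: (\S+) CHECK SEVERITY: (\S+)$", line):
            rec["check_date"], rec["severity"] = m.groups()
        elif m := re.match(r"^END TIME: (.+?) STATUS: (\S+)$", line):
            rec["end_time"], rec["status"] = m.groups()
            section = None
        elif label := next((l for l in ITEM_LABELS if line.startswith(l + ":")), None):
            rec[label] = line[len(label) + 1:].strip()
            section = label
        elif m := MSGID_RE.match(line):
            rec["msg_id"], rec["msg_text"] = m.groups()
            section = "msg_text"
        elif section:                    # wrapped continuation of the previous field
            rec[section] = (rec[section] + " " + line).strip()
    # An E suffix on the message identifier marks an exception that requires action.
    rec["requires_action"] = rec.get("msg_id", "").endswith("E")
    return rec
```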
You must code your message input with tags. The following example shows how the example message, IRRH204E, looks coded in the tag format. This example also shows the use of a symbol, &hzsckname;, for the check name; see Using pre-defined system symbols for more information.
<msglist xreftext="csectname" rules="1">
<msg class="Exception">
<msgnum xreftext="204">IRRH204E</msgnum>
<msgtext>
The &hzsckname; check has found one or
<lines>
more potential errors in the security controls on this system.
</lines>
</msgtext>
<msgitem class="explanation"><p>
The RACF security configuration check has found one or more
potential errors with the system protection mechanisms.
</p></msgitem>
<msgitem class="sysact"><p>
The check continues processing. There is no effect on the system.
</p></msgitem>
<msgitem class="oresp"><p>
Report this problem to the system security administrator and the
system auditor.
</p></msgitem>
<msgitem class="spresp"><p>
Examine the report that was produced by the RACF check. Any data
set which has an "E" in the "S" (Status) column has excessive authority
allowed to the data set. That authority may come from a universal access
(UACC) or ID(*) access list entry which is too permissive, or if the
profile is in WARNING mode. If there is no profile, then
PROTECTALL(FAIL) is not in effect.
Any data set which has a "V" in the "S" (Status) field is not on
the indicated volume. Remove these data sets from the list or allocate
the data sets on the volume.
</p>
<p>Asterisks ("****") in the UACC, WARN, and ID(*) columns indicate that
there is no RACF profile protecting the data set. Data sets which
do not have a RACF profile are flagged as exceptions, unless
SETROPTS PROTECTALL(FAIL) is in effect for the system.
</p>
<p>If a valid user ID was specified as a parameter to the check, that
user's authority to the data set is checked. If the user has an
excessive authority to the data set, that is indicated in the USER
column. For example, if the user has ALTER authority to an
APF-authorized data set, the USER column contains
"<Read" to indicate
that the user has more than READ authority to the data set.
</p></msgitem>
<msgitem class="probd"><p>
See the RACF System Programmer's Guide and the RACF Auditor's
Guide for information on the proper controls for your system.
</p></msgitem>
<msgitem class="source"><p>
<lines>
RACF System Programmer's Guide
RACF Auditor's Guide
</lines>
</p></msgitem>
<msgitem class="refdoc"><p>
<lines>
RACF System Programmer's Guide
RACF Auditor's Guide
</lines>
</p></msgitem>
<msgitem class="automation"><p>
None.
</p></msgitem>
<msgitem class="module"><p>
IRRHCR00
</p></msgitem>
<msgitem class="rcode"><p>
</p></msgitem>
<msgitem class="dcode"><p>
</p></msgitem>
</msg>
.
.
.
</msglist>
Note that tags <msgitem class="rcode"> and <msgitem class="dcode">
are coded in the message table, but are not displayed in the message
buffer.