RACF_IBMUSER_REVOKED
Description: The check determines whether the IBMUSER user ID is still active.
- Reason for check:
- The IBMUSER user ID is intended for use only during the initial installation process. After installation, the IBMUSER user ID should be revoked so that it cannot be used by unauthorized users.
- z/OS® releases the check applies to:
- z/OS V1R5 and later.
- Parameters accepted:
- No.
- User override of IBM values:
- The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you just want a one-time only update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
    ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
    UPDATE CHECK(IBMRACF,RACF_IBMUSER_REVOKED),
    SEVERITY(MED),INTERVAL(24:00),DATE('date_of_the_change')
    REASON('Your reason for making the update.')
- Debug support:
- Yes, the check provides additional error detail in debug mode.
You can put a check into debug mode using any of the following:
- UPDATE,filters,DEBUG=ON parameters on either the MODIFY command or in a POLICY statement in an HZSPRMxx parmlib member
- Overwrite the OFF value with the ON value in the DEBUG column of the CK panel in SDSF.
- Verbose support:
- No.
- Reference:
- For more information on storage increments, see z/OS Security Server RACF Security Administrator's Guide.
- Messages:
- This check issues the following exception messages:
- IRRH225E
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output:
RACF_IBMUSER_REVOKED check - IBMUSER not revoked exception found:
CHECK(IBMRACF,RACF_IBMUSER_REVOKED)
START TIME: 12/02/2005 16:43:31.614417
CHECK DATE: 20050820 CHECK SEVERITY: MEDIUM
* Medium Severity Exception *
IRRH225E The user ID IBMUSER is not revoked.
Explanation: The user ID IBMUSER has not been revoked. IBM recommends
revoking IBMUSER.
System Action: The check continues processing. There is no effect on
the system.
Operator Response: Report this problem to the system security
administrator and the system auditor.
System Programmer Response: Revoke IBMUSER.
Problem Determination: See the RACF Auditor's Guide and the RACF
System Programmer's Guide.
Source:
RACF System Programmer's Guide
RACF Auditor's Guide
Reference Documentation:
RACF System Programmer's Guide
RACF Auditor's Guide
Automation: None.
Check Reason: IBMUSER should be revoked.
END TIME: 12/02/2005 16:43:31.653215 STATUS: EXCEPTION-MED
RACF_IBMUSER_REVOKED check - no exceptions found, IBMUSER has been revoked:
1CHECK(IBMRACF,RACF_IBMUSER_REVOKED)
START TIME: 03/02/2006 14:50:57.307193
CHECK DATE: 20051111 CHECK SEVERITY: MEDIUM
IRRH224I The user ID IBMUSER is revoked.
END TIME: 03/02/2006 14:50:57.315063 STATUS: SUCCESSFUL
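Added example (not part of the IBM documentation): a small Python parser that reads saved check output in the layout shown above and reports every run in which IBMUSER was found not revoked. It assumes the message buffer has been saved as plain text and that exception statuses begin with EXCEPTION, as in the sample; the function names parse_runs and ibmuser_findings are hypothetical.

```python
import re

# Sample buffers copied from the output shown above (explanation text trimmed).
SAMPLE = """\
CHECK(IBMRACF,RACF_IBMUSER_REVOKED)
START TIME: 12/02/2005 16:43:31.614417
* Medium Severity Exception *
IRRH225E The user ID IBMUSER is not revoked.
END TIME: 12/02/2005 16:43:31.653215 STATUS: EXCEPTION-MED
1CHECK(IBMRACF,RACF_IBMUSER_REVOKED)
START TIME: 03/02/2006 14:50:57.307193
IRRH224I The user ID IBMUSER is revoked.
END TIME: 03/02/2006 14:50:57.315063 STATUS: SUCCESSFUL
"""

# A leading digit is tolerated, as on the second sample header above.
HEADER = re.compile(r"^\s*\d?CHECK\((\w+),(\w+)\)\s*$")
MSG = re.compile(r"^\s*(IRRH\d{3}[EI])\b")      # RACF check message IDs
START = re.compile(r"START TIME:\s*(\S+ \S+)")
STATUS = re.compile(r"STATUS:\s*(\S+)")


def parse_runs(text):
    """Split saved check output into one record per check run."""
    runs, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"owner": m.group(1), "check": m.group(2),
                   "start": None, "status": None, "messages": []}
            runs.append(cur)
            continue
        if cur is None:
            continue  # ignore text before the first CHECK(...) header
        if (m := START.search(line)):
            cur["start"] = m.group(1)
        if (m := MSG.match(line)):
            cur["messages"].append(m.group(1))
        if (m := STATUS.search(line)):
            cur["status"] = m.group(1)
    return runs


def ibmuser_findings(text):
    """Return the runs that reported IBMUSER as not revoked."""
    return [r for r in parse_runs(text)
            if r["check"] == "RACF_IBMUSER_REVOKED"
            and ("IRRH225E" in r["messages"]
                 or (r["status"] or "").startswith("EXCEPTION"))]
```

Calling ibmuser_findings(SAMPLE) returns only the 12/02/2005 run, which carries IRRH225E and status EXCEPTION-MED.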