RACF_ICHAUTAB_NONLPA
- Description:
- The RACF_ICHAUTAB_NONLPA check examines the RACF® Authorized Caller Table (ICHAUTAB) and reports if there are any non-LPA entries in it. The output format is similar to the report format for the ICHAUTAB Report in RACF_SENSITIVE_RESOURCES, with the exception that LPA-resident modules are not listed.
- Reason for check:
- IBM® recommends that installations have no entries in the ICHAUTAB table.
- z/OS® releases the check applies to:
- z/OS V1R10 and later.
- Type of check:
- Local
- Parameters accepted:
- No
- User override of IBM values:
- The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you just want a one-time only update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE CHECK(IBMRACF,RACF_ICHAUTAB_NONLPA)
SEVERITY(MED) INTERVAL(24:00)
DATE('date_of_the_change')
REASON('Your reason for making the update.')
- Debug support:
- No
- Verbose support:
- No
- Reference:
- z/OS Security Server RACF System Programmer's Guide
- Messages:
- This check issues the following exception messages:
- IRRH240E
- SECLABEL recommended for MLS users:
- SYSLOW
- Output:
- The following shows the ICHAUTAB Non-LPA report:
- Successful case:
CHECK(IBMRACF,RACF_ICHAUTAB_NONLPA)
START TIME: 03/14/2008 15:52:22.756461
CHECK DATE: 20070411  CHECK SEVERITY: MEDIUM

ICHAUTAB Non-LPA Report

S Module   REQUEST= REQUEST= Location
           VERIFY   LIST
- -------- -------- -------- --------

IRRH239I There are no ICHAUTAB programs on this system.

END TIME: 03/14/2008 15:52:22.762403  STATUS: SUCCESSFUL
- Exception case:
START TIME: 11/13/2007 18:42:44.876179
CHECK DATE: 20070411  CHECK SEVERITY: MEDIUM

ICHAUTAB Non-LPA Report

S Module   REQUEST= REQUEST= Location
           VERIFY   LIST
- -------- -------- -------- --------
  TRESPOND YES      YES      NON-LPA

* Medium Severity Exception *

IRRH240E The RACF_ICHAUTAB_NONLPA check has found one or more non-LPA ICHAUTAB entries.

IBM recommends that ICHAUTAB contain no entries. An entry in ICHAUTAB represents a program whose access should be controlled using PROGRAM CONTROL and restricted to a known set of trusted users or trusted started tasks. LPA-resident ICHAUTAB entries are listed in the RACF_SENSITIVE_RESOURCES check.

System Action: The check continues processing. There is no effect on the system.

Operator Response: None.

System Programmer Response: If the modules in ICHAUTAB are no longer in use, they should be deleted from ICHAUTAB. If the modules are still in use and the privileges granted by ICHAUTAB are still required, the modules should be protected using PROGRAM CONTROL and their use should be restricted to a known set of trusted users or trusted started tasks.

Problem Determination:

Source:

Reference Documentation:
IBM Health Checker for z/OS: User's Guide
z/OS Security Server RACF Security Administrator's Guide

Automation: None.

Check Reason: ICHAUTAB entries must be protected.

END TIME: 11/13/2007 18:42:44.885582  STATUS: EXCEPTION-MED
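Sites that forward Health Checker output to a SIEM or ticketing system often need to pull the module names out of this report rather than just the IRRH240E message. The following is an added example, not IBM's code: a small parser for the ICHAUTAB Non-LPA report layout shown above that returns the listed modules and the check status. The column layout and the sample text are reflowed from this page's exception case; the exact column widths are an assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the exception-case report from this page, reflowed into
# one-line-per-field form (column spacing is an assumption).
SAMPLE_REPORT = """\
CHECK(IBMRACF,RACF_ICHAUTAB_NONLPA)
START TIME: 11/13/2007 18:42:44.876179
CHECK DATE: 20070411  CHECK SEVERITY: MEDIUM

ICHAUTAB Non-LPA Report

S Module   REQUEST= REQUEST= Location
           VERIFY   LIST
- -------- -------- -------- --------
  TRESPOND YES      YES      NON-LPA

* Medium Severity Exception *

IRRH240E The RACF_ICHAUTAB_NONLPA check has found one or more
non-LPA ICHAUTAB entries.
END TIME: 11/13/2007 18:42:44.885582  STATUS: EXCEPTION-MED
"""

MSG_RE = re.compile(r"\b(IRRH\d{3}[IEW])\b")        # Health Checker message ids
STATUS_RE = re.compile(r"STATUS:\s*(\S+)")


def parse_ichautab_entries(report: str) -> List[Dict[str, str]]:
    """Return one dict per module row that follows the dashed column rule."""
    entries: List[Dict[str, str]] = []
    in_rows = False
    for line in report.splitlines():
        if not in_rows:
            in_rows = line.startswith("- ----")  # rule line ends the headings
            continue
        stripped = line.strip()
        # A blank line or the first message/exception line closes the table.
        if not stripped or stripped.startswith(("*", "IRRH", "END TIME")):
            break
        tokens = stripped.split()
        flag = tokens.pop(0) if len(tokens) == 5 else ""  # optional "S" column
        if len(tokens) != 4:
            continue  # not a module row; ignore defensively
        module, verify, lst, location = tokens
        entries.append({"flag": flag, "module": module, "verify": verify,
                        "list": lst, "location": location})
    return entries


def summarize(report: str) -> Dict[str, object]:
    """Collect the non-LPA modules, message ids and final STATUS of one run."""
    entries = parse_ichautab_entries(report)
    msgs = MSG_RE.findall(report)
    status = STATUS_RE.search(report)
    return {
        "non_lpa_modules": [e["module"] for e in entries if e["location"] == "NON-LPA"],
        "messages": msgs,
        "status": status.group(1) if status else None,
        "exception": "IRRH240E" in msgs,
    }
```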