Write your own RACF resource checks!

You can create your own RACF® installation-defined resource checks to see if your resources have the security characteristics you want. Do the following for each check you wish to create:
  1. Define a RACF profile containing a list of the resources you want your RACF installation-defined resource check to look at, along with the maximum allowable general user access you want for each resource.

    The check raises an exception if the profile that covers the resource allows more general user access (UACC) than the maxUacc you specified, or if no profile covers the resource and the default return code of the class is not 8 (that is, access would not be denied by default). To prevent the exception, define a profile that allows no more access than the installation-defined check specifies. A generic profile is acceptable.

    The format of each member list entry in the profile is as follows:

    className/resourceName/volume/maxUacc

    className
    The class of the resource to be checked. Valid values are DATASET and any RACF general resource class that is defined on the system.

    Note that if the general resource class is a member/grouping class, the class must already be RACLISTed.

    resourceName
    The name of the resource to be checked.

    volume
    If the className is DATASET, this is the volume on which the data set resides. This parameter is optional; if it is omitted, the catalog is searched to find the volume serial for the data set.

    If the className is not DATASET, do not specify a volume. If you specify a volume for a className other than DATASET, you will receive an error message.

    maxUacc
    The maximum allowed general user access to the resource: NONE, READ, UPDATE, CONTROL, or ALTER.
    The following shows an example of a profile for a RACF installation-defined resource check:
    RDEFINE  RACFHC MY_RESOURCE_LIST
             ADDMEM(DATASET/PROD.VALUABLE.DATA/ZDR17B/NONE
             DATASET/SEC.FILING.FORMS//NONE
             DATASET/PUBLIC.REPORTS/REGVOL/READ
             RACFHC/MY_RESOURCE_LIST//NONE)
    ADDMEM member list entry considerations:
    • You can specify any number of resource names up to the maximum amount of data which can be placed into the member list portion of a profile using the ADDMEM operand.
    • Only the following types of data sets are allowed to be specified as resources: Sequential, partitioned, library, or VSAM data sets.
    Special values you can use in ADDMEM: To make defining your profile easier, you can also use the following special values in ADDMEM:
    Value          Description
    IRR_APFLIST    Examines all of the entries in the current APF list.
    IRR_LINKLIST   Examines all of the entries in the current link list.
    IRR_PARMLIB    Examines all of the entries in the current PARMLIB.
    IRR_RACFDB     Examines the current primary and backup RACF databases.
    IRR_SYSREXX    Examines all of the SYSREXX data sets.
    IRR_ICHAUTAB   Examines the entries in ICHAUTAB.
    If you specify one of these special ADDMEM values, it must be the entire entry: you cannot specify any other value, such as className, resourceName, volume, or maxUacc, on that entry.
    Note that the system does not validate the content of your profile when you add or alter it; RDEFINE and RALTER succeed even if the member list is wrong. The system verifies the profile only when the check runs, and it processes the ADDMEM values in the following order:
    • The syntax of the entire member list is validated.
    • The reports (the special values) are processed.
    • The individual resource names are processed.
    Possible errors reported when the check parameters and your RACF profile are validated:
    Basic parameter errors: The system validates the PARM string as follows:
    • If the required RESOURCELIST keyword has not been specified, the system issues message HZS1201E.
    • If the RESOURCELIST keyword is specified with no value, the system issues message HZS1201E.
    • If the RESOURCELIST value is longer than 128 characters, the system issues message HZS1213E.
    • If the USER keyword is specified with no value, the system issues message HZS1201E.
    • If the USER value is longer than 8 characters, the system issues message HZS1213E.
    The system also issues messages for situations such as an unexpected parameter. In this case, the system issues message IRRH231I in addition to one of the messages above, and the check is placed in the “parameter error” state.

    The profile specified as the RESOURCELIST does not exist: If the profile does not exist or cannot be retrieved, the system issues messages IRRH232I and HZS1001E and the check is placed in the “parameter error” state. The check will not run until the installation corrects the situation, either by defining the profile or by modifying the value specified in the PARM statement on the check registration to point to a properly defined profile, and then reactivating the check.

    The profile exists, but the profile does not have any ADDMEM value: If there is no member list, the system issues messages IRRH233I and HZS1001E and the check is placed in the “parameter error” state. The check will not run until the installation corrects the situation, either by adding a correct member list or by modifying the value specified in the PARM statement on the check registration to point to a properly defined profile, and then reactivating the check.

    The profile exists with ADDMEM values, but there is an error in an ADDMEM member list entry, such as:
    • The specified class does not exist.
    • The length of the resource name exceeds the maximum allowed for the class.
    • A volume serial was specified for a class other than DATASET.
    • The volume serial value is longer than six (6) characters.
    • The maximum “general user” access level is a value other than “NONE”, “READ”, “UPDATE”, “CONTROL”, or “ALTER”.
    For any ADDMEM entry with any of these errors, the system issues messages IRRH234I and HZS1001E and places the check in the “parameter error” state. Message IRRH234I is issued once for each member list entry that is in error and contains the entry number of the incorrect entry. The check will not run until the installation corrects the member list (or modifies the value specified in the PARM statement on the check registration to point to a properly defined profile) and then reactivates the check.
  2. Choose a name for your RACF installation-defined resource check, and using this name, define the check to IBM® Health Checker for z/OS® in an HZSPRMxx parmlib member. The following shows an example of registering a RACF installation-defined resource check in HZSPRMxx:
    ADD CHECK(USER01,MY_INSTALLATION_HEALTH_CHECK)
        CHECKROUTINE(IRRHCR00)
        MESSAGETABLE(IRRHCM00)
        ENTRYCODE(100)
        PARM('USER(USER01)  RESOURCELIST(MY_RESOURCE_LIST)')
        DATE('date_of_the_change')
        REASON('Your reason for making the update.')
        GLOBAL
        ACTIVE
        SEVERITY(HIGH)
        INTERVAL(08:00)
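Because RACF accepts the RDEFINE or RALTER without validating the member list, the first sign of a bad entry is IRRH234I at the first check interval. The following Python script is an added example (not part of this page, and not RACF or Health Checker code) that lints a RACFHC member list offline against the syntax rules of step 1 (class exists, resource name length, volume only for DATASET and at most six characters, maxUacc one of the five levels, special values standing alone) and then applies the check's exception rule to each well-formed entry against a snapshot of profiles. The CLASSES table (apart from the 44-character DATASET name limit), the PROFILES snapshot, the entries beyond the four from the page, and the simplified generic-profile matcher are constructed assumptions; on a real system the profile snapshot would come from RLIST and LISTDSD output.

```python
"""Offline lint for a RACF installation-defined resource check: an added
example, not IBM code. It re-implements the documented member-list syntax
rules and the check's exception rule so a member list can be tested before
RDEFINE/RALTER, which RACF accepts without validating the content."""
import re

UACC_LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # ascending
SPECIAL_VALUES = {"IRR_APFLIST", "IRR_LINKLIST", "IRR_PARMLIB",
                  "IRR_RACFDB", "IRR_SYSREXX", "IRR_ICHAUTAB"}
# Assumed stand-in for the class descriptor table (only the 44-character
# DATASET limit is real): max resource name length and the class default
# return code, where 8 means access is denied when no profile covers a resource.
CLASSES = {"DATASET": {"maxlen": 44, "dftretc": 4},
           "FACILITY": {"maxlen": 39, "dftretc": 8},
           "RACFHC": {"maxlen": 64, "dftretc": 8}}

def validate_entry(entry):
    """Apply the documented syntax rules to one ADDMEM entry; [] means valid."""
    if entry in SPECIAL_VALUES:
        return []                       # special values stand alone
    fields = entry.upper().split("/")
    if len(fields) != 4:
        return ["'%s' is not className/resourceName/volume/maxUacc" % entry]
    cls, name, vol, uacc = fields
    errs = []
    if cls not in CLASSES:
        errs.append("class %s does not exist" % cls)
    elif len(name) > CLASSES[cls]["maxlen"]:
        errs.append("resource name longer than %d (class %s limit)"
                    % (CLASSES[cls]["maxlen"], cls))
    if vol and cls != "DATASET":
        errs.append("volume %s given for non-DATASET class %s" % (vol, cls))
    if len(vol) > 6:
        errs.append("volume serial %s longer than 6 characters" % vol)
    if uacc not in UACC_LEVELS:
        errs.append("maxUacc %s not in %s" % (uacc, "/".join(UACC_LEVELS)))
    return errs

def _generic_regex(profile):
    """Simplified RACF generic rules (assumption): ** spans qualifiers,
    * matches within one qualifier, % matches one character."""
    pat = re.escape(profile).replace(r"\*\*", ".*").replace(r"\*", "[^.]*")
    return re.compile("^" + pat.replace("%", ".") + "$")

def covering_profile(cls, name, profiles):
    """Pick the profile RACF would use: a discrete match wins, else the longest
    matching generic (a simplification of the most-specific-profile rule)."""
    best = None
    for pcls, pname, puacc in profiles:
        if pcls != cls or not _generic_regex(pname).match(name):
            continue
        discrete = not any(c in pname for c in "*%")
        if best is None or discrete or (not best[3] and len(pname) > len(best[1])):
            best = (pcls, pname, puacc, discrete)
    return best

def evaluate_entry(entry, profiles):
    """The check's exception rule for one well-formed, non-special entry."""
    cls, name, _vol, max_uacc = entry.upper().split("/")
    hit = covering_profile(cls, name, profiles)
    if hit is None:
        if CLASSES[cls]["dftretc"] == 8:
            return ("OK", "no covering profile; class default return code is 8")
        return ("EXCEPTION", "no covering profile and default return code is not 8")
    _pcls, pname, puacc, _discrete = hit
    if UACC_LEVELS.index(puacc) > UACC_LEVELS.index(max_uacc):
        return ("EXCEPTION", "%s allows UACC %s, above %s" % (pname, puacc, max_uacc))
    return ("OK", "%s UACC %s is within %s" % (pname, puacc, max_uacc))

# Constructed sample: the page's member list plus two deliberately bad entries,
# and a made-up snapshot of the profiles the check would find.
MEMBER_LIST = ["DATASET/PROD.VALUABLE.DATA/ZDR17B/NONE",
               "DATASET/SEC.FILING.FORMS//NONE",
               "DATASET/PUBLIC.REPORTS/REGVOL/READ",
               "RACFHC/MY_RESOURCE_LIST//NONE",
               "IRR_APFLIST",
               "FACILITY/BPX.SUPERUSER/SYSRES/WRITE",  # volume + bad maxUacc
               "DATASET/" + "X" * 50 + "//NONE"]       # name longer than 44
PROFILES = [("DATASET", "PROD.VALUABLE.**", "NONE"),   # (class, profile, UACC)
            ("DATASET", "PUBLIC.**", "UPDATE"),
            ("RACFHC", "MY_RESOURCE_LIST", "NONE")]

def run(member_list=MEMBER_LIST, profiles=PROFILES):
    """Lint every entry (RACF reports each bad one with IRRH234I and parks the
    check in parameter-error state), then evaluate the well-formed ones."""
    results = {}
    for entry in member_list:
        errs = validate_entry(entry)
        if errs:
            results[entry] = ("PARAMETER ERROR", "; ".join(errs))
        elif entry in SPECIAL_VALUES:
            results[entry] = ("REPORT", "expanded by the check at run time")
        else:
            results[entry] = evaluate_entry(entry, profiles)
    return results

if __name__ == "__main__":
    for entry, (status, detail) in run().items():
        print("%-15s %-42s %s" % (status, entry, detail))
```

Run it before registering the check: any PARAMETER ERROR row is an entry that would put the real check into “parameter error” state, and an EXCEPTION row shows which profile (or missing profile) would trigger IRRH237E. With the constructed snapshot, PUBLIC.REPORTS is flagged because the covering PUBLIC.** profile grants UPDATE where the list allows only READ, and SEC.FILING.FORMS is flagged because nothing covers it and the assumed DATASET default return code is not 8.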
Reason for check:
Installation defined.
z/OS releases the check applies to:
z/OS V1R10 and later.
Parameters accepted:
Yes, the following parameters are accepted for an RACF installation-defined resource check:
PARM('USER(userid)')
Optional parameter that specifies an individual user ID whose authority to the resources listed in the profile the check will examine.
PARM('RESOURCELIST(resourcelist_profile)')
Required parameter specifies the resource list profile name defined for this check. The check then examines the authority levels for the resources listed in the profile named in this parameter.
The following shows an example of a PARM statement specified in a RACF installation-defined resource check:
PARM('USER(USER01)  RESOURCELIST(MY_RESOURCE_LIST)')
User override of IBM values:
There are no IBM default values for a RACF installation-defined resource check. You can override the check values you defined with either a POLICY statement in the HZSPRMxx parmlib member or on a MODIFY command.
Debug support:
Yes
Verbose support:
No
Reference:
For more information, see z/OS Security Server RACF System Programmer's Guide.
Messages:
This check issues the following exception messages:
  • IRRH237E
See z/OS Security Server RACF Messages and Codes.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output: The following shows output from a RACF installation-defined resource check:
CHECK(USER01,MY_INSTALLATION_HEALTH_CHECK)
START TIME: 01/10/2008 14:35:34.674057
CHECK DATE: 20070425  CHECK SEVERITY: HIGH
CHECK PARM: USER(USER01)  RESOURCELIST(MY_RESOURCE_LIST)


                  Resource List from MY_RESOURCE_LIST

S Resource Name                    Class    Vol    UACC Warn ID*  User
- -------------------------------- -------- ------ ---- ---- ---- ----
V PROD.VALUABLE.DATA               DATASET  ZDR17B
V SEC.FILING.FORMS                 DATASET
V PUBLIC.REPORTS                   DATASET  REGVOL
  MY_RESOURCE_LIST                 RACFHC          None No   ****

* High Severity Exception *

IRRH237E The MY_INSTALLATION_HEALTH_CHECK check has found one or more
potential errors in the security controls for the installation-defined
resources specified in this check.

  Explanation:  The RACF security configuration check has found one or
    more potential errors with the protection mechanisms for the
    resources specified for this check.

  System Action:  The check continues processing. There is no effect on
    the system.

  Operator Response:  Report this problem to the system security
    administrator and the system auditor.

...
...
...

  Check Reason:  My sensitive resources

END TIME: 01/10/2008 14:35:34.701104  STATUS: EXCEPTION-HIGH