RACF_SENSITIVE_RESOURCES

Description: The RACF_SENSITIVE_RESOURCES check examines the security characteristics of several system-critical data sets and general resources other than data sets. The output of this check is a list of exceptions flagged.

For each of these, the check examines:
  • For system-critical data sets, that the data set exists on the expected volume. If the data set does not exist on the volume, a V (volume exception) is placed in the Status (S) column.
  • That the resource has baseline protection. For example, APF data sets can have a general access as high as READ, while the data sets which comprise the RACF® data base must have a general access of NONE.
The check verifies the protection of each resource by extracting its covering profile in its class and examining the UACC, the WARNING status, and the ID(*) entry in the access list if one exists. This extract does not take into account factors such as a GLOBAL profile or alterations made by an exit. In addition, if no covering profile protects a data set and NOPROTECTALL or PROTECTALL(WARN) is in effect, the check flags the data set as an exception. The customer can optionally specify a user ID to the check; if specified, it is used to perform a RACF authorization check for the next higher access authority after the highest expected general access authority.
Some resources are “discrete resources”, that is, the resource name is a predictable value and contains no variables. Others are “sensitive” resource names, which contain a variable value, often in the form of a data set name or module name shown in lower case italics. Both types are shown in Table 1.
Table 1. Discrete and “Sensitive” General Resources for RACF_SENSITIVE_RESOURCES

Class     Resource                                                     Maximum Public Access
--------  -----------------------------------------------------------  ---------------------
FACILITY  BPX.FILEATTR.SHARELIB                                        NONE
FACILITY  BPX.JOBNAME                                                  NONE
FACILITY  BPX.POE                                                      NONE
FACILITY  BPX.SMF                                                      NONE
FACILITY  BPX.STOR.SWAP                                                NONE
FACILITY  BPX.UNLIMITED.OUTPUT                                         NONE
FACILITY  CSVAPF.data_set_name                                         READ
          (excluding CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC)
FACILITY  CSVDYLPA.ADD.module_name                                     READ
FACILITY  CSVDYLPA.DELETE.module_name                                  READ
FACILITY  CSVDYNEX.exit_name.function.modname                          READ
          (excluding CSVDYNEX.LIST, CSVDYNEX.exit_name.RECOVER,
          and CSVDYNEX.exit_name.CALL)
FACILITY  CSVDYNL.lnklstname.function                                  READ
          (excluding CSVDYNL.lnklstname.DEFINE and
          CSVDYNL.lnklstname.UNDEFINE)
UNIXPRIV  SUPERUSER.FILESYS.PFSCTL                                     NONE
UNIXPRIV  SUPERUSER.FILESYS.QUIESCE                                    NONE
UNIXPRIV  SUPERUSER.FILESYS.VREGISTER                                  NONE
UNIXPRIV  SUPERUSER.IPC.RMID                                           NONE
UNIXPRIV  SUPERUSER.SETPRIORITY                                        NONE
SURROGAT  BPX.SRV.userid                                               NONE

The RACF_SENSITIVE_RESOURCES health check reports on each resource name that it finds, flagging exceptions in a manner consistent with the original data set functions. No unique messages were added for the General Resources section.

The RACF_SENSITIVE_RESOURCES check does not validate any part of the variable portion of a “sensitive” resource name.

The RACF_SENSITIVE_RESOURCES check evaluates only the names which begin with the specific high level qualifier. Profiles which contain variable qualifiers or RACF variables in the high level qualifier are not flagged.

Changes to the list of resources being evaluated cause the date associated with this check to change. That date is '20120106' (6 January 2012).

Reason for check:
The system is critically exposed if these resources are not properly protected.
z/OS® releases the check applies to:
z/OS V1R4 and later.
Parameters accepted:
Yes, you can specify a user ID as a parameter. The following example shows the keywords you can use to specify a user ID (GENUSER) in the PARM field for RACF_SENSITIVE_RESOURCES. You can specify the following keywords either in HZSPRMxx or on a MODIFY command:
CHECK(RACF_SENSITIVE_RESOURCES)              
OWNER(IBMRACF)                               
DATE('date_of_the_change')
PARM(GENUSER)                               
REASON('Your reason for making the update.')          
The check verifies that the specified user ID is a syntactically valid user ID, that the user ID exists, and that the user ID is active and has not been revoked. If any of these conditions is not true, an error message is written to the IBM Health Checker for z/OS log and the check continues processing as if no parameter had been specified to the check.
User override of IBM values:
The following sample shows the defaults for customizable values for this check. Use this sample to make permanent check customizations in an HZSPRMxx parmlib member used at IBM Health Checker for z/OS startup. If you just want a one-time only update to the check defaults, omit the first line (ADDREPLACE POLICY) and use the UPDATE statement on a MODIFY hzsproc command. Note that using non-POLICY UPDATEs in HZSPRMxx can lead to unexpected results and is therefore not recommended.
ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES),
SEVERITY(HI),INTERVAL(08:00),DATE('date_of_the_change')
REASON('Your reason for making the update.') 
Debug support:
Yes, the check provides additional error detail in debug mode. You can put a check into debug mode using any of the following:
  • UPDATE,filters,DEBUG=ON parameters on either the MODIFY command or in a POLICY statement in an HZSPRMxx parmlib member
  • Overwrite the OFF value with the ON value in the DEBUG column of the CK panel in SDSF.
Verbose support:
No.
Reference:
For more information on storage increments, see z/OS Security Server RACF Security Administrator's Guide and z/OS Security Server RACF Auditor's Guide.
Messages:
This check issues the following messages:
  • IRRH204E
See z/OS Security Server RACF Messages and Codes.
SECLABEL recommended for multilevel security users:
SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.
Output:
The report that RACF_SENSITIVE_RESOURCES produces is shown below. The columns in this report are as follows:
S
Status. An E in this column indicates that the check found an exception and that excessive access authority is allowed to the data set. A V in this column indicates that the data set is not on the expected volume. A U in this column indicates that the check did not complete because the data set was in use by another user.
Data set name
The name of the data set
Vol
The volume upon which the data set resides
UACC
The UACC of the profile that covers the data set
WARN
The WARNING attribute of the profile that covers the data set
ID(*)
The access level assigned to the * user ID on the access list
User
If the installation specified a user ID in the PARMLIB entry for the RACF_SENSITIVE_RESOURCES check, the User column contains the string >xxxx, where xxxx is either Read or None.
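As an added illustration (not IBM's code; the check's internals are not published), the following Python models the baseline test described under Description and parses rows in the report layout defined by the columns above. It assumes the standard RACF access hierarchy, treats a covering profile with WARNING set as an exception, and uses constructed sample rows.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RACF access authorities, lowest to highest (assumed hierarchy for this model).
ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    uacc: str               # universal access of the covering profile
    warning: bool           # WARNING attribute set on the profile?
    id_star: Optional[str]  # access granted by an ID(*) entry, if one exists


def public_access(p: Profile) -> str:
    """Highest access a user gets without being named on the access list."""
    levels = [p.uacc] + ([p.id_star] if p.id_star else [])
    return max(levels, key=ACCESS.index)


def dataset_status(max_public: str, profile: Optional[Profile],
                   protectall: str = "FAILURES") -> str:
    """Return 'E' when baseline protection is missing or too loose, else ''.

    protectall is the SETROPTS setting: 'NOPROTECTALL', 'WARN' or 'FAILURES'.
    Without a covering profile the check flags the data set only under
    NOPROTECTALL or PROTECTALL(WARN), where access would still succeed.
    """
    if profile is None:
        return "E" if protectall in ("NOPROTECTALL", "WARN") else ""
    if profile.warning:  # WARNING grants access that would otherwise fail (assumed to count)
        return "E"
    too_high = ACCESS.index(public_access(profile)) > ACCESS.index(max_public)
    return "E" if too_high else ""


def parse_row(line: str) -> dict:
    """Split one report row: S, name, Vol (or Class), UACC, Warn, ID*, User.

    Rows for resources without a covering profile carry only name and Vol/Class.
    """
    keys = ["name", "vol", "uacc", "warn", "id_star", "user"]
    row = dict(zip(keys, line[2:].split()))
    row["s"] = line[1].strip()
    return row


def flagged(report: str) -> List[Tuple[str, str]]:
    """(status, name) for rows whose Status column is E, V or U."""
    return [(line[1], parse_row(line)["name"])
            for line in report.splitlines()
            if len(line) > 2 and line[1] in "EVU" and line[2] == " "]


# Constructed sample rows in the report's layout, not taken from a real system.
SAMPLE = """\
 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   SYS1.LINKLIB                            ZDR17B Read No   ****
 E SYS1.SVCLIB                             ZDR17B Read Yes  ****
 V SYS1.NFSLIB                             ZDR17B
"""

if __name__ == "__main__":
    print(flagged(SAMPLE))  # [('E', 'SYS1.SVCLIB'), ('V', 'SYS1.NFSLIB')]
```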
RACF_SENSITIVE_RESOURCES report without an exception, without a user ID:
1CHECK(IBMRACF,RACF_SENSITIVE_RESOURCES)
 SYSPLEX:    LOCAL     SYSTEM: RACFR21
 START TIME: 05/24/2013 13:13:46.412092
 CHECK DATE: 20120106  CHECK SEVERITY: HIGH
 
                            APF Dataset Report
 
 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   ASM.SASMMOD1                            ZDR21  Read No   ****
   CBC.SCCNCMP                             ZDR21  Read No   ****
   CBC.SCLBDLL                             ZDR21  Read No   ****
   CBC.SCLBDLL2                            ZDR21  Read No   ****
   CEE.SCEERUN                             ZDR21  Read No   ****
   CEE.SCEERUN2                            ZDR21  Read No   ****
   CSF.SCSFMOD0                            ZDR21  Read No   ****
   EOY.SEOYLOAD                            ZDR21  Read No   ****
   FFST.V120ESA.SEPWMOD1                   ZDR21
   FFST.V120ESA.SEPWMOD2                   ZDR21
   GDDM.SADMMOD                            ZDR21  Read No   ****
   GIM.SGIMLMD0                            ZDR21  Read No   ****
   ISF.SISFLINK                            ZDR21  Read No   ****
   ISF.SISFLOAD                            ZDR21  Read No   ****
   ISP.SISPLOAD                            ZDR21  Read No   ****
   ISP.SISPLPA                             ZDR21  Read No   ****
   RACFDRVR.ATC.AUTHLIB                    D79PK5
   RACF321.MIGLIB                          D97107
   SYS1.CMDLIB                             ZDR21  Read No   ****
   SYS1.DFQLLIB                            ZDR21  Read No   ****
   SYS1.DGTLLIB                            ZDR21  Read No   ****
   SYS1.LINKLIB                            ZDR21  Read No   ****
   SYS1.SBDTLIB                            ZDR21  Read No   ****
   SYS1.SBDTLINK                           ZDR21  Read No   ****
   SYS1.SCBDHENU                           ZDR21  Read No   ****
   SYS1.SERBLINK                           ZDR21  Read No   ****
   SYS1.SHASLNKE                           ZDR21  Read No   ****
   SYS1.SHASMIG                            ZDR21  Read No   ****
   SYS1.SIATLIB                            ZDR21  Read No   ****
   SYS1.SIATLINK                           ZDR21  Read No   ****
   SYS1.SIATLPA                            ZDR21  Read No   ****
   SYS1.SIATMIG                            ZDR21  Read No   ****
   SYS1.SICELINK                           ZDR21  Read No   ****
   SYS1.SIEALNKE                           ZDR21  Read No   ****
   SYS1.SIOALMOD                           ZDR21  Read No   ****
   SYS1.SISTCLIB                           ZDR21  Read No   ****
   SYS1.SVCLIB                             ZDR21  Read No   ****
   SYS1.VTAMLIB                            ZDR21  Read No   ****
   TCPIP.SEZADSIL                          ZDR21  Read No   ****
   TCPIP.SEZALNK2                          ZDR21  Read No   ****
   TCPIP.SEZALOAD                          ZDR21  Read No   ****
   TCPIP.SEZATCP                           ZDR21  Read No   ****
 
                           RACF Dataset Report
 
 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   RACFDRVR.RACF31D                        RDB31D None No   ****
 
                          PARMLIB Dataset Report
 
 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   RACFDRVR.PARMLIB.ZR10                   D94RF4 Read No   ****
   RACFDRVR.PARMLIB.ZR11                   D94RF4 Read No   ****
   RACFDRVR.PARMLIB.ZR12                   D94RF4 Read No   ****
   RACFDRVR.PARMLIB.ZR13                   D94RF4 Read No   ****
   RACFDRVR.PARMLIB.Z21                    D94RF4 Read No   ****
   SYS1.PARMLIB                            ZDR21  Read No   ****
   SYS1.PARMLIB.INSTALL                    ZDR21
   SYS1.PARMLIB.POK                        ZDR21
 
                     Current Link List Dataset Report
 
 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   ASM.SASMMOD1                            ZDR21  Read No   ****
   CBC.SCLBDLL                             ZDR21  Read No   ****
   CEE.SCEERUN                             ZDR21  Read No   ****
   CEE.SCEERUN2                            ZDR21  Read No   ****
   COMMON.LOOKFEEL.LINKLIB                 ZDR21
   CSF.SCSFMOD0                            ZDR21  Read No   ****
   EOY.SEOYLOAD                            ZDR21  Read No   ****
   GDDM.SADMMOD                            ZDR21  Read No   ****
   GIM.SGIMLMD0                            ZDR21  Read No   ****
   ISF.SISFLINK                            ZDR21  Read No   ****
   ISF.SISFLOAD                            ZDR21  Read No   ****
   ISF.SISFMIG                             ZDR21  Read No   ****
   ISF.SISFMOD1                            ZDR21  Read No   ****
   ISP.SISPLOAD                            ZDR21  Read No   ****
   RACF321.MIGLIB                          D97107
   RACF321.SIEALNKE                        D97107
   SYS1.CMDLIB                             ZDR21  Read No   ****
   SYS1.CSSLIB                             ZDR21  Read No   ****
   SYS1.DFQLLIB                            ZDR21  Read No   ****
   SYS1.DGTLLIB                            ZDR21  Read No   ****
   SYS1.LINKLIB                            ZDR21  Read No   ****
   SYS1.MIGLIB                             ZDR21  Read No   ****
   SYS1.SERBLINK                           ZDR21  Read No   ****
   SYS1.SHASLNKE                           ZDR21  Read No   ****
   SYS1.SHASMIG                            ZDR21  Read No   ****
   SYS1.SIATLIB                            ZDR21  Read No   ****
   SYS1.SIATLINK                           ZDR21  Read No   ****
   SYS1.SIATLPA                            ZDR21  Read No   ****
   SYS1.SIATMIG                            ZDR21  Read No   ****
   SYS1.SICELINK                           ZDR21  Read No   ****
   SYS1.SIEALNKE                           ZDR21  Read No   ****
   SYS1.SIEAMIGE                           ZDR21  Read No   ****
   SYS1.SIOALMOD                           ZDR21  Read No   ****
   SYS1.SORTLIB                            ZDR21  Read No   ****
   SYS1.VTAMLIB                            ZDR21  Read No   ****
   SYS2.CSSLIB                             ZDR21
   SYS2.LINKLIB                            ZDR21
   SYS2.MIGLIB                             ZDR21
   SYS2.SIEALNKE                           ZDR21
   SYS2.SIEAMIGE                           ZDR21
   TCPIP.SEZALOAD                          ZDR21  Read No   ****
 
                        System Rexx Dataset Report
 
 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   SYS1.SAXREXEC                           ZDR21  Read No   ****
 

                           ICSF Dataset Report

 S Data Set Name                           Vol    UACC Warn ID*  User
 - --------------------------------------- ------ ---- ---- ---- ----
   SYSTEMA.PKDS
   SYSTEMA.CKDS


                    Sensitive General Resources Report
 
 S Resource Name                           Class    UACC Warn ID*  User
 - --------------------------------------- -------- ---- ---- ---- ----
   BPX.DAEMON                              FACILITY None No   ****
   BPX.DEBUG                               FACILITY None No   ****
   BPX.FILEATTR.APF                        FACILITY None No   ****
   BPX.FILEATTR.PROGCTL                    FACILITY None No   ****
   BPX.SERVER                              FACILITY None No   ****
   BPX.SUPERUSER                           FACILITY None No   ****
   BPX.WLMSERVER                           FACILITY None No   ****
   CSVAPF.RACFDEV.**.LOAD                  FACILITY Read No   ****
   CSVDYLPA.ADD.MODULE01                   FACILITY Read No   ****
   CSVDYLPA.DELETE.MODULE01                FACILITY Read No   ****
   CSVDYLPA.ADD.*                          FACILITY Read No   ****
   CSVDYLPA.DELETE.*                       FACILITY Read No   ****
   CSVDYNEX.EXITNAME_READ.MODNAME01        FACILITY Read No   ****
   CSVDYNEX.*.DEFINE                       FACILITY Read No   ****
   CSVDYNEX.*                              FACILITY Read No   ****
   CSVDYNL.ADD                             FACILITY None No   ****
   CSVDYNL.LINKLIST01.ADD                  FACILITY None No   ****
   CSVDYNL.LINKLIST01.DELETE               FACILITY None No   ****
   CSVDYNL.*.ADD                           FACILITY None No   ****
   CSVDYNL.*.DELETE                        FACILITY None No   ****
   IEAABD.DMPAKEY                          FACILITY None No   ****
   IEAABD.DMPAUTH                          FACILITY None No   ****
   ICHBLP                                  FACILITY None No   ****
   IRR.PASSWORD.RESET                      FACILITY None No   ****
   MVS.HALT.EOD                            OPERCMDS Read No   ****
   MVS.HALT.NET                            OPERCMDS Read No   ****
   MVS.SET.PROG                            OPERCMDS Read No   ****
   MVS.SETPROG                             OPERCMDS Read No   ****
   MVS.SLIP                                OPERCMDS Read No   ****
   ACCT                                    TSOAUTH  None No   ****
   CONSOLE                                 TSOAUTH  None No   ****
   OPER                                    TSOAUTH  None No   ****
   PARMLIB                                 TSOAUTH  None No   ****
   TESTAUTH                                TSOAUTH  None No   ****
   SUPERUSER.FILESYS                       UNIXPRIV
   SUPERUSER.FILESYS.CHANGEPERMS           UNIXPRIV
   SUPERUSER.FILESYS.CHOWN                 UNIXPRIV
   SUPERUSER.FILESYS.MOUNT                 UNIXPRIV
   SUPERUSER.PROCESS.GETPSENT              UNIXPRIV
   SUPERUSER.PROCESS.KILL                  UNIXPRIV
   SUPERUSER.PROCESS.PTRACE                UNIXPRIV
 

                             ICHAUTAB Report
 
 S Module   REQUEST= REQUEST= Location
            VERIFY   LIST
 - -------- -------- -------- --------
 
 IRRH239I There are no ICHAUTAB programs on this system.
 
 IRRH205I The RACF_SENSITIVE_RESOURCES check has not found any errors in
 the security controls on this system.
 
 END TIME: 05/24/2013 13:13:48.281732  STATUS: SUCCESSFUL
RACF_SENSITIVE_RESOURCES report with exceptions, with a user ID:
	                                                                           
	                         RACF Dataset Report                              
                                                                          
 S Data Set Name                           Vol    UACC Warn ID*  User     
 - --------------------------------------- ------ ---- ---- ---- ----     
 E RACFDRVR.RACF317                        RDB317 None No   **** >None     
* High severity Exception *                                               
RACF_SENSITIVE_RESOURCES report without exceptions (note that no user ID was specified for this report):
START TIME: 11/18/2004 16:54:09.533912  IBMRACF,                        
RACF_SENSITIVE_RESOURCES                                                
	OWNER DATE: 
	                                                        
	                          APF Dataset Report            
                                                                                                                                                 
                                                                       
 S Data Set Name                           Vol    UACC Warn ID*  User   
 - --------------------------------------- ------ ---- ---- ---- ----   
   MVSSTORE.SRVLIB.ZOS15.NUCLEUS           DRVPSL None No   ****        
   SYS1.LINKLIB                            ZDR17B Read No   ****        
   SYS1.NFSLIB                             ZDR17B Read No   ****        
   SYS1.SIATLPA                            ZDR17B Read No   ****        
   SYS1.SVCLIB                             ZDR17B **** **** ****        
                                                                               
	                                                                           
	                         RACF Dataset Report                              
                                                                                                                                    
                                                                               
 S Data Set Name                           Vol    UACC Warn ID*  User          
 - --------------------------------------- ------ ---- ---- ---- ----          
   RACFDRVR.RACF317                        RDB317 None No   ****               
                                                                               
IRRH205I   The RACF check RACF_SENSITIVE_RESOURCES has not found        
    any errors in the security controls on this system.