IBM Z Hardware and Operating Systems Ideas Portal



Status Not under consideration
Workspace z/OS
Categories RACF
Created by Guest
Created on May 3, 2023

More granular setup of healthcheck RACF_SENSITIVE_RESOURCES

Healthcheck RACF_SENSITIVE_RESOURCES covers a lot of different resources. If one of the checks fails, the whole check fails. To prevent false-positive checks on this healthcheck the only option is to deactivate the healthcheck as a whole. It would be desirable to be able to disable parts of the health check using parameters.

Idea priority Medium
  • Guest
    Jul 28, 2023
    The RACF_SENSITIVE_RESOURCES check verifies that a basic set of controls are in place to protect the operation of z/OS and key subsystems. We are not planning on making any elements of this check optional or selectable. However, there is an alternative that is available on all supported releases of z/OS. While there is no facility to remove specific elements from the RACF_SENSITIVE_RESOURCES health check, RACF provides a way to incorporate the elements of the RACF_SENSITIVE_RESOURCES health check into your own health check simply by defining RACF profiles and creating a Health Checker parmlib member (HZSPRMxx) to register your installation-defined RACF health check with the Health Checker for z/OS. You do not have to write any code with this approach. To define your RACF installation-defined health checks, you would define one profile in the RACFHC class for each of your desired health checks. For example, if you wanted to define one installation-defined health check for each of the data set-based reports in the RACF_SENSITIVE_RESOURCES check (APF…) you would define these profiles:
    RDEFINE RACFHC MY_APFLIST ADDMEM(IRR_APFLIST)
    RDEFINE RACFHC MY_PARMLIB ADDMEM(IRR_PARMLIB)
    RDEFINE RACFHC MY_ICSF ADDMEM(IRR_ICSF)
    RDEFINE RACFHC MY_LINKLIST ADDMEM(IRR_LINKLIST)
    RDEFINE RACFHC MY_RACFDB ADDMEM(IRR_RACFDB)
    RDEFINE RACFHC MY_SYSREXX ADDMEM(IRR_SYSREXX)
    RDEFINE RACFHC MY_ICHAUTAB ADDMEM(IRR_ICHAUTAB)


    Be sure to activate and RACLIST the RACFHC class. The ADDMEM values represent a "report". For example, IRR_APFLIST is the "APF Dataset Report", IRR_PARMLIB is the "PARMLIB Dataset Report". For the "Sensitive General Resources Report", you can create a profile which has the specific entries that you want audited. The RACF profile would have an entry like:
    RDEFINE RACFHC MY_RESOURCE_LIST +
    ADDMEM(FACILITY/BPX.SUPERUSER//NONE +
    OPERCMDS/MVS.SETPROG//NONE +
    )
    You then define your installation-defined health checks to the IBM Health Checker for z/OS. The easiest way to do this is with an HZS parmlib entry for each check of the following format:
    ADD CHECK(USER01,MY_APFLIST)
    CHECKROUTINE(IRRHCR00)
    MESSAGETABLE(IRRHCM00)
    ENTRYCODE(100)
    PARM('USER(NOTAUTH) RESOURCELIST(MY_APFLIST)')
    DATE(20220526)
    REASON('APFLIST Resources')
    GLOBAL
    ACTIVE
    SEVERITY(HIGH)
    INTERVAL(08:00)
    Note that it's one definition for each of the health checks. "USER(NOTAUTH)" specifies a user ID which is expected to have no authority to these data sets. It is optional. Be sure to update both the check name and the PARM value which points to the profile. CHECKROUTINE, ENTRYCODE and MESSAGETABLE must be specified as shown. The last step is to activate the checks that you have just defined. That is done with the z/OS operator command (assuming that parmlib member HZSPRMM3 is the parmlib member):
    F HC,ADD,PARMLIB=M3
    At this point, your checks run. You can see the output in SDSF option "CK":
    SDSF HEALTH CHECKS RACFR25 DATA SET DISPLAYED
    COMMAND INPUT ===> SCROLL ===>
    PREFIX=* DEST=(ALL) OWNER=* SORT=Locale/A SYSNAME=
    NP NAME CheckOwner State
    MY_APFLIST USER01 ACTIVE(ENABLED)
    MY_ICHAUTAB USER01 ACTIVE(ENABLED)
    MY_ICSF USER01 ACTIVE(ENABLED)
    MY_LINKLIST USER01 ACTIVE(ENABLED)
    MY_PARMLIB USER01 ACTIVE(ENABLED)
    MY_RACFDB USER01 ACTIVE(ENABLED)
    MY_RESOURCE_LIST USER01 ACTIVE(ENABLED)
    MY_RESOURCE_LIST_NOUSER_ID USER01 ACTIVE(ENABLED)
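
A consistency check for the setup described in the reply above, as an added example (not IBM's code and not part of the original thread): it reads the RDEFINE commands and the HZSPRMxx ADD CHECK statements and reports checks whose fixed operands differ from the values the reply requires or whose RESOURCELIST does not point to a defined RACFHC profile. The function names, the sample input and the identical-PARM copy-paste heuristic are assumptions of this example.

```python
import re
# The reply says these three operands must be specified exactly as shown.
REQUIRED = {"CHECKROUTINE": "IRRHCR00", "MESSAGETABLE": "IRRHCM00", "ENTRYCODE": "100"}

def racfhc_profiles(racf_commands):
    """Names of the RACFHC profiles created by RDEFINE commands."""
    return set(re.findall(r"^\s*RDEFINE\s+RACFHC\s+(\w+)", racf_commands, re.M))

def parse_checks(parmlib_text):
    """One dict per ADD CHECK statement: check name plus its KEY(value) operands."""
    checks = []
    for stmt in re.split(r"(?=^[ \t]*ADD\s+CHECK\()", parmlib_text, flags=re.M):
        head = re.match(r"\s*ADD\s+CHECK\(\w+,(\w+)\)", stmt)
        if head:
            operands = re.findall(r"(\w+)\(('[^']*'|[^)]*)\)", stmt)
            checks.append({"name": head.group(1), **{k: v.strip("'") for k, v in operands}})
    return checks

def lint(racf_commands, parmlib_text):
    """Return (check name, problem) findings; an empty list means consistent."""
    profiles, seen, findings = racfhc_profiles(racf_commands), {}, []
    for check in parse_checks(parmlib_text):
        name, parm = check["name"], check.get("PARM", "")
        findings += [(name, f"{k} must be {v}") for k, v in REQUIRED.items() if check.get(k) != v]
        target = re.search(r"RESOURCELIST\((\w+)\)", parm)
        profile = target.group(1) if target else "(missing)"
        if profile not in profiles:
            findings.append((name, f"RESOURCELIST {profile} is not a defined RACFHC profile"))
        elif parm in seen:  # heuristic (assumption): same PARM on two checks suggests a copy
            findings.append((name, f"PARM is identical to check {seen[parm]}; not updated?"))
        seen.setdefault(parm, name)
    return findings

# Constructed sample input in the format of the reply's examples, with deliberate mistakes.
SAMPLE_RACF = """\
RDEFINE RACFHC MY_APFLIST ADDMEM(IRR_APFLIST)
RDEFINE RACFHC MY_PARMLIB ADDMEM(IRR_PARMLIB)
"""
TEMPLATE = """\
ADD CHECK(USER01,{name})
  CHECKROUTINE(IRRHCR00)
  MESSAGETABLE(IRRHCM00)
  ENTRYCODE({entry})
  PARM('USER(NOTAUTH) RESOURCELIST({profile})')
"""
SAMPLE_HZSPRM = "".join(TEMPLATE.format(name=n, entry=e, profile=p) for n, e, p in [
    ("MY_APFLIST", 100, "MY_APFLIST"), ("MY_PARMLIB", 100, "MY_APFLIST"),
    ("MY_LINKLIST", 101, "MY_LINKLST")])

print(*lint(SAMPLE_RACF, SAMPLE_HZSPRM), sep="\n")
```

Two checks that share a RESOURCELIST but differ in USER(...) are not flagged, since their PARM strings differ.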
  • Guest
    Jul 11, 2023

    In our case, we cannot comply with one of the checks in the list 'Sensitive General Resources Report'. That's a structural security setting, so this check will always fail in the current setup. If we could disable the 'Sensitive General Resources Report' we could still use the rest of the check to monitor/check our settings. It would even be better if we could disable each specific check individually.

  • Guest
    Jul 10, 2023
    The IBM Development team needs additional information in order to get a proper understanding of the situation and as a result - address the case accordingly:

    1. What parameters does the customer want?
    2. Which pieces of that check fail most often for the customer?