Automated RACF security auditing — CIS Benchmarks
Project description
MFAudit
Automated RACF security auditing — from raw RACF exports to audit-ready reports in a single command.
MFAudit reads standard z/OS security exports — IRRDBU00 unloads and SETROPTS REXX exports — and evaluates them against CIS Benchmark, STIG, and custom RACF security controls.
The result:
- styled PDF reports;
- CSV exports;
- JSON exports;
- deterministic PASS / FAIL / REVIEW verdicts;
- optional anonymized output for external sharing.
Full documentation → mfaudit.readthedocs.io
What you get
| 46+ CIS controls | Password policy, class activation, STARTED tasks, USS, Db2, CICS |
| Custom controls | Write organization-specific RACF checks in YAML |
| PDF reports | Human-readable audit reports with findings and summaries |
| CSV exports | Spreadsheet, SIEM, and dashboard integration |
| JSON exports | Splunk, Elastic, APIs, and automation workflows |
| Anonymized reports | Replace RACF identifiers with stable pseudonymous labels |
Quick start
# 1 Install MFAudit
pip install mfaudit
# 2 Run the audit (bundled CIS controls used by default)
mfaudit \
--irrdbu00 /path/to/IRRDBU00 \
--setropts /path/to/SETROPTS
# 3 Open the report
open report.pdf # macOS
xdg-open report.pdf # Linux
start report.pdf # Windows
Default behavior:
--format CSV,PDF
Controls requiring unavailable data sources are automatically marked as SKIP.
Output formats
Default outputs
mfaudit
Generated files:
report.pdf
controls_results.csv
JSON output
mfaudit --format JSON
Generated file:
controls_results.json
Multiple output formats
mfaudit --format CSV,JSON,PDF
Generated files:
report.pdf
controls_results.csv
controls_results.json
Supported values:
| Format | Output |
|---|---|
PDF |
report.pdf |
CSV |
controls_results.csv |
JSON |
controls_results.json |
Repository layout
controls.yaml CIS Benchmark controls
example_controls.yaml Example custom controls
mfaudit/ Python package and CLI
templates/ Bundled report templates
docs/ MkDocs / ReadTheDocs documentation
Writing your own controls
Controls are YAML-based.
Each control explicitly defines:
- the required data source;
- the mfpandas DataFrame;
- the logic engine;
- the assertion logic;
- remediation guidance.
Example:
controls:
- control_id: CUSTOM-NO-DUAL-PRIVS
title: "No active user may hold both SPECIAL and OPERATIONS"
severity: high
custom:
benchmark: "Internal policy"
category: "Privileged access"
data_sources_needed:
- irrdbu00
implementation:
engine: python
dataset: irrdbu00.users
select_columns:
- USBD_NAME
- USBD_SPECIAL
- USBD_OPER
logic: |
hits = df[
(df['USBD_SPECIAL'] == 'YES') &
(df['USBD_OPER'] == 'YES') &
(df['USBD_REVOKE'] != 'YES')
]
status = 'FAIL' if not hits.empty else 'PASS'
detail = f"{len(hits)} user(s) hold both SPECIAL and OPERATIONS"
findings = hits.to_dict('records')
remediation: >
ALTUSER <userid> NOSPECIAL
or
ALTUSER <userid> NOOPER
Available engines
| Engine | Use case |
|---|---|
pandas_query |
Simple DataFrame filtering and assertions |
python |
Multi-DataFrame logic, branching, advanced analysis |
See:
for the complete schema and engine reference.
Data sources
| Source | mfpandas class | Collection method |
|---|---|---|
--setropts |
SETROPTS |
IRRXUTIL/REXX export (KEY:VALUE) |
--irrdbu00 |
IRRDBU00 |
IRRDBU00 RACF unload |
--dcollect |
DCOLLECT |
IDCAMS DCOLLECT output (optional) |
See:
for detailed collection instructions.
Templates
Bundled templates:
| Template | Style |
|---|---|
default |
Light corporate report |
terminal |
Green phosphor 3270-style terminal theme |
Example:
mfaudit --template terminal
List available templates:
mfaudit --list-templates
Anonymized reporting
Generate reports safe for external sharing:
mfaudit --format CSV,JSON,PDF \
--anonymize
Example anonymized identifiers:
USR-0001
GRP-0042
PRF-0017
Mappings remain stable during a single execution run so findings remain readable and correlatable.
Requirements
- Python 3.9 or later
pip install mfaudit- Optional:
pip install "mfaudit[pdf-xhtml]"
WeasyPrint is the preferred PDF renderer.
If unavailable, MFAudit automatically falls back to xhtml2pdf when installed.
CSV and JSON output remain available even if PDF rendering fails.
Use cases
- RACF security assessments
- CIS Benchmark validation
- STIG evidence generation
- Internal audit preparation
- Mainframe compliance automation
- Continuous RACF posture monitoring
- Security baseline verification
- SIEM evidence export
- Splunk/Elastic integrations
Disclaimer
All findings must be reviewed and validated by qualified RACF security personnel before remediation.
REVIEW status findings require human assessment and cannot be automatically classified as compliant or non-compliant.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mfaudit-0.1.3.tar.gz.
File metadata
- Download URL: mfaudit-0.1.3.tar.gz
- Upload date:
- Size: 47.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
de5cfc29bca0457d5a690c3979f35db01570544352d1be75fcdc9e70383752f9
|
|
| MD5 |
1b3577e6c84117a1405faf4a3afc85dd
|
|
| BLAKE2b-256 |
f654c0e8ee022d0800e6fb7d23e5f791201697fabdfe99f53a6bd10e3f3f004d
|
File details
Details for the file mfaudit-0.1.3-py3-none-any.whl.
File metadata
- Download URL: mfaudit-0.1.3-py3-none-any.whl
- Upload date:
- Size: 48.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
05a772cbc882a1fad239c50b4708ef38763e767e2bcb131355b4f130eb423f3f
|
|
| MD5 |
df3a40c548750f3c87b96d888e0063f4
|
|
| BLAKE2b-256 |
2a7aead047e7cebdef75b26223f0f29fc6b4481ad3e3fdc1158634eb3290624f
|