Skip to main content

Automated RACF security auditing — CIS Benchmarks

Project description

MFAudit

PyPI Downloads

Automated RACF security auditing — from raw RACF exports to audit-ready reports in a single command.

MFAudit reads standard z/OS security exports — IRRDBU00 unloads and SETROPTS REXX exports — and evaluates them against CIS Benchmark, STIG, and custom RACF security controls.

The result:

  • styled PDF reports;
  • CSV exports;
  • JSON exports;
  • deterministic PASS / FAIL / REVIEW verdicts;
  • optional anonymized output for external sharing.

Full documentation → mfaudit.readthedocs.io


What you get

46+ CIS controls Password policy, class activation, STARTED tasks, USS, Db2, CICS
Custom controls Write organization-specific RACF checks in YAML
PDF reports Human-readable audit reports with findings and summaries
CSV exports Spreadsheet, SIEM, and dashboard integration
JSON exports Splunk, Elastic, APIs, and automation workflows
Anonymized reports Replace RACF identifiers with stable pseudonymous labels

Quick start

# 1  Install MFAudit
pip install mfaudit

# 2  Run the audit (bundled CIS controls used by default)
mfaudit \
  --irrdbu00 /path/to/IRRDBU00 \
  --setropts /path/to/SETROPTS

# 3  Open the report
open report.pdf             # macOS
xdg-open report.pdf         # Linux
start report.pdf            # Windows

Default behavior:

--format CSV,PDF

Controls requiring unavailable data sources are automatically marked as SKIP.


Output formats

Default outputs

mfaudit

Generated files:

report.pdf
controls_results.csv

JSON output

mfaudit --format JSON

Generated file:

controls_results.json

Multiple output formats

mfaudit --format CSV,JSON,PDF

Generated files:

report.pdf
controls_results.csv
controls_results.json

Supported values:

Format Output
PDF report.pdf
CSV controls_results.csv
JSON controls_results.json

Repository layout

controls.yaml               CIS Benchmark controls
example_controls.yaml       Example custom controls
mfaudit/                    Python package and CLI
templates/                  Bundled report templates
docs/                       MkDocs / ReadTheDocs documentation

Writing your own controls

Controls are YAML-based.

Each control explicitly defines:

  • the required data source;
  • the mfpandas DataFrame;
  • the logic engine;
  • the assertion logic;
  • remediation guidance.

Example:

controls:
  - control_id: CUSTOM-NO-DUAL-PRIVS

    title: "No active user may hold both SPECIAL and OPERATIONS"

    severity: high

    custom:
      benchmark: "Internal policy"
      category: "Privileged access"

    data_sources_needed:
      - irrdbu00

    implementation:
      engine: python

      dataset: irrdbu00.users

      select_columns:
        - USBD_NAME
        - USBD_SPECIAL
        - USBD_OPER

      logic: |
        hits = df[
            (df['USBD_SPECIAL'] == 'YES') &
            (df['USBD_OPER'] == 'YES') &
            (df['USBD_REVOKE'] != 'YES')
        ]

        status = 'FAIL' if not hits.empty else 'PASS'

        detail = f"{len(hits)} user(s) hold both SPECIAL and OPERATIONS"

        findings = hits.to_dict('records')

    remediation: >
      ALTUSER <userid> NOSPECIAL
      or
      ALTUSER <userid> NOOPER

Available engines

Engine Use case
pandas_query Simple DataFrame filtering and assertions
python Multi-DataFrame logic, branching, advanced analysis

See:

Authoring controls →

for the complete schema and engine reference.


Data sources

Source mfpandas class Collection method
--setropts SETROPTS IRRXUTIL/REXX export (KEY:VALUE)
--irrdbu00 IRRDBU00 IRRDBU00 RACF unload
--dcollect DCOLLECT IDCAMS DCOLLECT output (optional)

See:

Quick start guide →

for detailed collection instructions.


Templates

Bundled templates:

Template Style
default Light corporate report
terminal Green phosphor 3270-style terminal theme

Example:

mfaudit --template terminal

List available templates:

mfaudit --list-templates

Anonymized reporting

Generate reports safe for external sharing:

mfaudit --format CSV,JSON,PDF \
         --anonymize

Example anonymized identifiers:

USR-0001
GRP-0042
PRF-0017

Mappings remain stable during a single execution run so findings remain readable and correlatable.


Requirements

  • Python 3.9 or later
  • pip install mfaudit
  • Optional:
    • pip install "mfaudit[pdf-xhtml]"

WeasyPrint is the preferred PDF renderer.

If unavailable, MFAudit automatically falls back to xhtml2pdf when installed.

CSV and JSON output remain available even if PDF rendering fails.


Use cases

  • RACF security assessments
  • CIS Benchmark validation
  • STIG evidence generation
  • Internal audit preparation
  • Mainframe compliance automation
  • Continuous RACF posture monitoring
  • Security baseline verification
  • SIEM evidence export
  • Splunk/Elastic integrations

Disclaimer

All findings must be reviewed and validated by qualified RACF security personnel before remediation.

REVIEW status findings require human assessment and cannot be automatically classified as compliant or non-compliant.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mfaudit-0.1.3.tar.gz (47.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mfaudit-0.1.3-py3-none-any.whl (48.1 kB view details)

Uploaded Python 3

File details

Details for the file mfaudit-0.1.3.tar.gz.

File metadata

  • Download URL: mfaudit-0.1.3.tar.gz
  • Upload date:
  • Size: 47.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.3.tar.gz
Algorithm Hash digest
SHA256 de5cfc29bca0457d5a690c3979f35db01570544352d1be75fcdc9e70383752f9
MD5 1b3577e6c84117a1405faf4a3afc85dd
BLAKE2b-256 f654c0e8ee022d0800e6fb7d23e5f791201697fabdfe99f53a6bd10e3f3f004d

See more details on using hashes here.

File details

Details for the file mfaudit-0.1.3-py3-none-any.whl.

File metadata

  • Download URL: mfaudit-0.1.3-py3-none-any.whl
  • Upload date:
  • Size: 48.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.3-py3-none-any.whl
Algorithm Hash digest
SHA256 05a772cbc882a1fad239c50b4708ef38763e767e2bcb131355b4f130eb423f3f
MD5 df3a40c548750f3c87b96d888e0063f4
BLAKE2b-256 2a7aead047e7cebdef75b26223f0f29fc6b4481ad3e3fdc1158634eb3290624f

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page