Skip to main content

Automated RACF security auditing — CIS Benchmarks

Project description

MFAudit

Automated RACF security auditing — from raw data exports to a styled report in one command.

MFAudit reads the runtime exports that every z/OS system can produce — an IRRDBU00 unload and a SETROPTS REXX export — and evaluates them against a library of security controls drawn from the CIS z/OS Benchmarks. The result is a PDF report, a CSV of all findings, and a clear pass/fail/review verdict for every control.

Full documentation → mfaudit.readthedocs.io


What you get

46 CIS controls Password policy, class activation, STARTED tasks, Unix System Services, Db2, CICS
Custom controls Write your own shop-specific rules in YAML with the same engine
Anonymized reports Replace all user/group/profile names with stable labels before sharing externally

Quick start

# 1  Install
pip install mfaudit                  # includes WeasyPrint for PDF output

# 2  Get the controls library
git clone https://github.com/wizardofzos/mfaudit.git
cd mfaudit

# 3  Run (outputs land in current directory by default)
mfaudit --irrdbu00 /path/to/IRRDBU00 \
        --setropts  /path/to/SETROPTS \
        --controls  controls.yaml

# 4  Open
open report.pdf

Repository layout

controls.yaml            46 CIS Benchmark controls (z/OS, Db2, CICS)
example_controls.yaml     Example custom controls
mfaudit/                 Installed Python package (CLI entry point: mfaudit)
docs/                    MkDocs documentation (readthedocs.io)

Writing your own controls

Controls are YAML. Every control names the exact mfpandas DataFrame and column(s) it uses.

controls:
  - control_id: CUSTOM-NO-DUAL-PRIVS
    title: "No active user may hold both SPECIAL and OPERATIONS"
    severity: high
    custom:
      benchmark: "Internal policy"
      category:  "Privileged access"
    data_sources_needed: [irrdbu00]
    implementation:
      engine: python
      dataset: irrdbu00.users
      select_columns: [USBD_NAME, USBD_SPECIAL, USBD_OPER]
      logic: |
        hits = df[
            (df['USBD_SPECIAL'] == 'YES') &
            (df['USBD_OPER'] == 'YES') &
            (df['USBD_REVOKE'] != 'YES')
        ]
        status = 'FAIL' if not hits.empty else 'PASS'
        detail = f"{len(hits)} user(s) hold both SPECIAL and OPERATIONS"
        findings = hits.to_dict('records')
    remediation: "ALTUSER <userid> NOSPECIAL  or  ALTUSER <userid> NOOPER"

Two engines are available:

Engine Use when
pandas_query Single filter expression; empty result = PASS
python Multi-DataFrame logic, conditional branching, per-row decisions

See the Authoring controls documentation for the full schema and Python engine variable reference.


Data sources

Source mfpandas class How to collect
--setropts SETROPTS REXX/IRRXUTIL export (KEY:VALUE format)
--irrdbu00 IRRDBU00 IRRDBU00 batch utility unload
--dcollect DCOLLECT IDCAMS DCOLLECT output (optional)

Detailed collection instructions are in the Quick start guide.


Requirements

  • Python 3.9 or later
  • pip install mfaudit — installs all dependencies including WeasyPrint for PDF output
  • For pure-Python PDF fallback: pip install "mfaudit[pdf-xhtml]" adds xhtml2pdf

Disclaimer

All findings must be validated by a qualified RACF security administrator before remediation. REVIEW-status items require human judgment and cannot be automatically determined compliant or non-compliant.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mfaudit-0.1.0.tar.gz (45.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mfaudit-0.1.0-py3-none-any.whl (47.6 kB view details)

Uploaded Python 3

File details

Details for the file mfaudit-0.1.0.tar.gz.

File metadata

  • Download URL: mfaudit-0.1.0.tar.gz
  • Upload date:
  • Size: 45.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.0.tar.gz
Algorithm Hash digest
SHA256 aca998316df8d77219d527227afcd3f98ae912ae1294d82a0ade322d5ec1d68c
MD5 dc427514ac51d1f97c7a1dd016ac2c87
BLAKE2b-256 dcb4bccbdfaedc446bb36443cdc24aa959a179517f25a9f424b87c8ae5054360

See more details on using hashes here.

File details

Details for the file mfaudit-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: mfaudit-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 47.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cec1d6e4930c98a5b545343792574f332687c5b59ad67654fa0e9bfa1b6bc124
MD5 03bdd14fa2ee81f6b8da34fb490751c9
BLAKE2b-256 18818ffa1389ebb349d0b0786d977672e707aac93d6347ca1891da0c79a79035

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page