Skip to main content

Automated RACF security auditing — CIS Benchmarks

Project description

MFAudit

Automated RACF security auditing — from raw data exports to a styled report in one command.

MFAudit reads the runtime exports that every z/OS system can produce — an IRRDBU00 unload and a SETROPTS REXX export — and evaluates them against a library of security controls drawn from the CIS z/OS Benchmarks. The result is a PDF report, a CSV of all findings, and a clear pass/fail/review verdict for every control.

Full documentation → mfaudit.readthedocs.io


What you get

46 CIS controls Password policy, class activation, STARTED tasks, Unix System Services, Db2, CICS
Custom controls Write your own shop-specific rules in YAML with the same engine
Anonymized reports Replace all user/group/profile names with stable labels before sharing externally

Quick start

# 1  Install
pip install mfaudit                  # includes WeasyPrint for PDF output

# 2  Get the controls library
git clone https://github.com/wizardofzos/mfaudit.git
cd mfaudit

# 3  Run (outputs land in current directory by default)
mfaudit --irrdbu00 /path/to/IRRDBU00 \
        --setropts  /path/to/SETROPTS \
        --controls  controls.yaml

# 4  Open
open report.pdf

Repository layout

controls.yaml            46 CIS Benchmark controls (z/OS, Db2, CICS)
example_controls.yaml     Example custom controls
mfaudit/                 Installed Python package (CLI entry point: mfaudit)
docs/                    MkDocs documentation (readthedocs.io)

Writing your own controls

Controls are YAML. Every control names the exact mfpandas DataFrame and column(s) it uses.

controls:
  - control_id: CUSTOM-NO-DUAL-PRIVS
    title: "No active user may hold both SPECIAL and OPERATIONS"
    severity: high
    custom:
      benchmark: "Internal policy"
      category:  "Privileged access"
    data_sources_needed: [irrdbu00]
    implementation:
      engine: python
      dataset: irrdbu00.users
      select_columns: [USBD_NAME, USBD_SPECIAL, USBD_OPER]
      logic: |
        hits = df[
            (df['USBD_SPECIAL'] == 'YES') &
            (df['USBD_OPER'] == 'YES') &
            (df['USBD_REVOKE'] != 'YES')
        ]
        status = 'FAIL' if not hits.empty else 'PASS'
        detail = f"{len(hits)} user(s) hold both SPECIAL and OPERATIONS"
        findings = hits.to_dict('records')
    remediation: "ALTUSER <userid> NOSPECIAL  or  ALTUSER <userid> NOOPER"

Two engines are available:

Engine Use when
pandas_query Single filter expression; empty result = PASS
python Multi-DataFrame logic, conditional branching, per-row decisions

See the Authoring controls documentation for the full schema and Python engine variable reference.


Data sources

Source mfpandas class How to collect
--setropts SETROPTS REXX/IRRXUTIL export (KEY:VALUE format)
--irrdbu00 IRRDBU00 IRRDBU00 batch utility unload
--dcollect DCOLLECT IDCAMS DCOLLECT output (optional)

Detailed collection instructions are in the Quick start guide.


Requirements

  • Python 3.9 or later
  • pip install mfaudit — installs all dependencies including WeasyPrint for PDF output
  • For pure-Python PDF fallback: pip install "mfaudit[pdf-xhtml]" adds xhtml2pdf

Disclaimer

All findings must be validated by a qualified RACF security administrator before remediation. REVIEW-status items require human judgment and cannot be automatically determined compliant or non-compliant.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mfaudit-0.1.1.tar.gz (45.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mfaudit-0.1.1-py3-none-any.whl (47.0 kB view details)

Uploaded Python 3

File details

Details for the file mfaudit-0.1.1.tar.gz.

File metadata

  • Download URL: mfaudit-0.1.1.tar.gz
  • Upload date:
  • Size: 45.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.1.tar.gz
Algorithm Hash digest
SHA256 61dfe8018ef8b5e3b69f2aa513b64114908ac95d24fdd6e2ba3e8279a3a51805
MD5 0b51292d6662e067ede7e9935ec4caa4
BLAKE2b-256 0b7199750bbe7c09666c61ba666cd20ab11522ebc0bee5274067ba56ba3f99eb

See more details on using hashes here.

File details

Details for the file mfaudit-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: mfaudit-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 47.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 a04ebf959f864bcc5a2af39c760f90a4836889d29836f4844d20f34fc701ea78
MD5 bfcbf3c57144522501dfd001723779ac
BLAKE2b-256 b5e648c1eb488514d4984887e8060b007da258d7657bfcc4d576b962a20450ac

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page