Skip to main content

Automated RACF security auditing — CIS Benchmarks

Project description

MFAudit

Automated RACF security auditing — from raw RACF exports to audit-ready reports in a single command.

MFAudit reads standard z/OS security exports — IRRDBU00 unloads and SETROPTS REXX exports — and evaluates them against CIS Benchmark, STIG, and custom RACF security controls.

The result:

  • styled PDF reports;
  • CSV exports;
  • JSON exports;
  • deterministic PASS / FAIL / REVIEW verdicts;
  • optional anonymized output for external sharing.

Full documentation → mfaudit.readthedocs.io


What you get

46+ CIS controls Password policy, class activation, STARTED tasks, USS, Db2, CICS
Custom controls Write organization-specific RACF checks in YAML
PDF reports Human-readable audit reports with findings and summaries
CSV exports Spreadsheet, SIEM, and dashboard integration
JSON exports Splunk, Elastic, APIs, and automation workflows
Anonymized reports Replace RACF identifiers with stable pseudonymous labels

Quick start

# 1  Install MFAudit
pip install mfaudit

# 2  Clone the repository to get the controls library
git clone https://github.com/wizardofzos/mfaudit.git
cd mfaudit

# 3  Run the audit
mfaudit \
  --irrdbu00 /path/to/IRRDBU00 \
  --setropts /path/to/SETROPTS \
  --controls controls.yaml

# 4  Open the report
open report.pdf             # macOS
xdg-open report.pdf         # Linux
start report.pdf            # Windows

Default behavior:

--format CSV,PDF

Controls requiring unavailable data sources are automatically marked as SKIP.


Output formats

Default outputs

mfaudit --controls controls.yaml

Generated files:

report.pdf
controls_results.csv

JSON output

mfaudit --controls controls.yaml \
         --format JSON

Generated file:

controls_results.json

Multiple output formats

mfaudit --controls controls.yaml \
         --format CSV,JSON,PDF

Generated files:

report.pdf
controls_results.csv
controls_results.json

Supported values:

Format Output
PDF report.pdf
CSV controls_results.csv
JSON controls_results.json

Repository layout

controls.yaml               CIS Benchmark controls
example_controls.yaml       Example custom controls
mfaudit/                    Python package and CLI
templates/                  Bundled report templates
docs/                       MkDocs / ReadTheDocs documentation

Writing your own controls

Controls are YAML-based.

Each control explicitly defines:

  • the required data source;
  • the mfpandas DataFrame;
  • the logic engine;
  • the assertion logic;
  • remediation guidance.

Example:

controls:
  - control_id: CUSTOM-NO-DUAL-PRIVS

    title: "No active user may hold both SPECIAL and OPERATIONS"

    severity: high

    custom:
      benchmark: "Internal policy"
      category: "Privileged access"

    data_sources_needed:
      - irrdbu00

    implementation:
      engine: python

      dataset: irrdbu00.users

      select_columns:
        - USBD_NAME
        - USBD_SPECIAL
        - USBD_OPER

      logic: |
        hits = df[
            (df['USBD_SPECIAL'] == 'YES') &
            (df['USBD_OPER'] == 'YES') &
            (df['USBD_REVOKE'] != 'YES')
        ]

        status = 'FAIL' if not hits.empty else 'PASS'

        detail = f"{len(hits)} user(s) hold both SPECIAL and OPERATIONS"

        findings = hits.to_dict('records')

    remediation: >
      ALTUSER <userid> NOSPECIAL
      or
      ALTUSER <userid> NOOPER

Available engines

Engine Use case
pandas_query Simple DataFrame filtering and assertions
python Multi-DataFrame logic, branching, advanced analysis

See:

Authoring controls →

for the complete schema and engine reference.


Data sources

Source mfpandas class Collection method
--setropts SETROPTS IRRXUTIL/REXX export (KEY:VALUE)
--irrdbu00 IRRDBU00 IRRDBU00 RACF unload
--dcollect DCOLLECT IDCAMS DCOLLECT output (optional)

See:

Quick start guide →

for detailed collection instructions.


Templates

Bundled templates:

Template Style
default Light corporate report
terminal Green phosphor 3270-style terminal theme

Example:

mfaudit --controls controls.yaml \
         --template terminal

List available templates:

mfaudit --list-templates

Anonymized reporting

Generate reports safe for external sharing:

mfaudit --controls controls.yaml \
         --format CSV,JSON,PDF \
         --anonymize

Example anonymized identifiers:

USR-0001
GRP-0042
PRF-0017

Mappings remain stable during a single execution run so findings remain readable and correlatable.


Requirements

  • Python 3.9 or later
  • pip install mfaudit
  • Optional:
    • pip install "mfaudit[pdf-xhtml]"

WeasyPrint is the preferred PDF renderer.

If unavailable, MFAudit automatically falls back to xhtml2pdf when installed.

CSV and JSON output remain available even if PDF rendering fails.


Use cases

  • RACF security assessments
  • CIS Benchmark validation
  • STIG evidence generation
  • Internal audit preparation
  • Mainframe compliance automation
  • Continuous RACF posture monitoring
  • Security baseline verification
  • SIEM evidence export
  • Splunk/Elastic integrations

Disclaimer

All findings must be reviewed and validated by qualified RACF security personnel before remediation.

REVIEW status findings require human assessment and cannot be automatically classified as compliant or non-compliant.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mfaudit-0.1.2.tar.gz (46.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mfaudit-0.1.2-py3-none-any.whl (48.0 kB view details)

Uploaded Python 3

File details

Details for the file mfaudit-0.1.2.tar.gz.

File metadata

  • Download URL: mfaudit-0.1.2.tar.gz
  • Upload date:
  • Size: 46.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.2.tar.gz
Algorithm Hash digest
SHA256 1f8c2f87fe8706e98cdf6453dfb06045d623b325e8bcc626630fd7fdc24e1afa
MD5 bd4e8b68cbc571238f64fe0df11d621e
BLAKE2b-256 8e49920a3617f26dd3fc7efa3606c4f26081f84a7e0b0cacaa29aeee379dad0b

See more details on using hashes here.

File details

Details for the file mfaudit-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: mfaudit-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 48.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for mfaudit-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 c11dc7a8dab15f44b675a438a56a5e0fb4cd5ac853a16233be56df9c9c15610e
MD5 c80bc7f1b2b9c9233a6494e7b94eeef3
BLAKE2b-256 2d6492bdfedd563d19604c186083c56563fc03e2c09df3ac0f2eae77773a62ad

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page