RACF Audit
A RACF audit is a comprehensive security evaluation that examines the RACF database and related z/OS settings on an IBM mainframe. The audit works by finding deviations from IBM best practice or from installation-specific settings, and it may offer remedial action to reduce vulnerabilities.
Definitions
RACF is an acronym for Resource Access Control Facility.
z/OS is the most common IBM Mainframe operating system. It was first released in 1974 as MVS and has had several distinct incarnations as capabilities were added. MVS was renamed to z/OS in 2000.
Audit Items
IPL Volume and Device
Field name | Information in field | What to look for | Example of concerns |
---|---|---|---|
IPL volume | Volser | Any change | IPL from unapproved location |
IPL device | Device/Unit address | Any change | |
SMF Parameters
Field name | Field detail | Possible values | Definition and concerns |
---|---|---|---|
Active | ACTIVE value from SMFPRMxx | Yes, No | No indicates SMF logging is off |
Job Wait Time | JWT value from SMFPRMxx | HH:MM | The maximum amount of time that a job or TSO/E session may be inactive |
MaxDorm | MAXDORM value from SMFPRMxx | HH:MM or none | The maximum time that data remains in the SMF buffer before it is written to the SMF log. |
Temp17 | REC value from SMFPRMxx | Yes, No | The REC value specifies whether information for type 17 SMF records is saved. These records relate to temporary data sets. |
NoBuffsHalt | NOBUFFS value from SMFPRMxx | Yes, No | |
LastDSHalt | LASTDS value from SMFPRMxx | Yes, No | |
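
The SMF Parameters table can be filled from the text of an SMFPRMxx member and compared with installation-approved values, as in the following added example (not part of the original page or of any audit product). The sample member and the baseline are constructed, the function names are hypothetical, and the mapping of NOBUFFS(HALT) and LASTDS(HALT) to "Yes" is an assumption based on the field names.

```python
import re

# Constructed sample SMFPRMxx text for illustration, not from a real system.
SAMPLE_MEMBER = """
NOACTIVE            /* SMF recording off */
JWT(0030),MAXDORM(3000)
REC(ALL)            /* type 17 also for temporary data sets */
NOBUFFS(MSG)
LASTDS(HALT)
"""

# Hypothetical installation-approved values, keyed by the table's field names.
BASELINE = {"Active": "Yes", "Job Wait Time": "00:30", "Temp17": "No",
            "NoBuffsHalt": "Yes", "LastDSHalt": "Yes"}


def parse_smfprm(text):
    """Map SMFPRMxx keywords onto the audit table's field names."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S).upper()  # drop comments

    def operand(keyword):
        m = re.search(r"\b" + keyword + r"\(\s*([^)]*?)\s*\)", text)
        return m.group(1) if m else None

    def yes_no(value, yes):
        return None if value is None else ("Yes" if value == yes else "No")

    fields = {"Active": None}  # None means the keyword was not coded
    if re.search(r"\bNOACTIVE\b", text):
        fields["Active"] = "No"
    elif re.search(r"\bACTIVE\b", text):
        fields["Active"] = "Yes"
    jwt = operand("JWT")  # coded as hhmm in the member
    ok = jwt is not None and re.fullmatch(r"\d{4}", jwt)
    fields["Job Wait Time"] = jwt[:2] + ":" + jwt[2:] if ok else jwt
    # MaxDorm is reported exactly as coded; NOMAXDORM maps to "none".
    no_dorm = re.search(r"\bNOMAXDORM\b", text)
    fields["MaxDorm"] = "none" if no_dorm else operand("MAXDORM")
    fields["Temp17"] = yes_no(operand("REC"), "ALL")  # REC(ALL) vs REC(PERM)
    fields["NoBuffsHalt"] = yes_no(operand("NOBUFFS"), "HALT")
    fields["LastDSHalt"] = yes_no(operand("LASTDS"), "HALT")
    return fields


def deviations(fields, baseline):
    """Return (field, found, expected) for every field that differs."""
    return [(k, fields.get(k), v) for k, v in baseline.items()
            if fields.get(k) != v]


if __name__ == "__main__":
    for name, found, expected in deviations(parse_smfprm(SAMPLE_MEMBER), BASELINE):
        print(f"{name}: found {found}, expected {expected}")
```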