RACF Audit

A RACF audit is a comprehensive evaluation of security that examines the RACF database and related z/OS settings on an IBM Mainframe. The audit is performed by finding deviations from IBM best practice or installation-specific settings. The audit may offer remedial action to reduce vulnerabilities.

Definitions

RACF is an acronym for Resource Access Control Facility.

z/OS is the most common IBM Mainframe operating system. It was first released in 1974 as MVS and has had several distinct incarnations as capabilities were added. MVS was renamed to z/OS in 2000.


Audit Items

IPL Volume and Device

| Field name | Information in field | What to look for | Example of concerns |
|---|---|---|---|
| IPL volume | Volser | Any change | IPL from unapproved location |
| IPL device | Device/Unit address | Any change | |

SMF Parameters

| Field name | Field detail | Possible values | Definition and concerns |
|---|---|---|---|
| Active | ACTIVE value from SMFPRMxx | Yes, No | No indicates SMF logging is off |
| Job Wait Time | JWT value from SMFPRMxx | HH:MM | The maximum amount of time that a job or TSO/E session may be inactive |
| MaxDorm | MAXDORM value from SMFPRMxx | HH:MM or none | The maximum time that data remains in the SMF buffer before it is written to the SMF log. |
| Temp17 | REC value from SMFPRMxx | Yes, No | The REC value specifies whether information for type 17 SMF records is saved. These are temp data sets. |
| NoBuffsHalt | NOBUFFS value from SMFPRMxx | Yes, No | |
| LastDSHalt | LASTDS value from SMFPRMxx | Yes, No | |
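
The SMF Parameters checks above, as an added example that is not part of the original page: Python that reads the text of an SMFPRMxx member, derives the six audit fields, and lists deviations from an installation baseline. The keyword forms (ACTIVE/NOACTIVE, JWT(hhmm), MAXDORM/NOMAXDORM, REC(PERM|ALL), NOBUFFS(MSG|HALT), LASTDS(MSG|HALT)) follow IBM's SMFPRMxx syntax; the sample member, the baseline values and the function names are constructed for illustration.

```python
import re

# Constructed sample SMFPRMxx member (not taken from a real system).
SAMPLE_SMFPRM = """\
NOACTIVE                      /* SMF recording switched off */
DSNAME(SYS1.MAN1,SYS1.MAN2)
JWT(0130)                     /* job wait time as hhmm      */
NOMAXDORM
REC(ALL),NOBUFFS(MSG),LASTDS(HALT)
"""

# Hypothetical installation baseline; these values are assumptions.
BASELINE = {"Active": "Yes", "Job Wait Time": "00:30",
            "NoBuffsHalt": "Yes", "LastDSHalt": "Yes"}


def parse_smfprm(text):
    """Extract the audit fields of the table above; None = not in the member."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S).upper()

    def operand(keyword):  # value inside KEYWORD(...), first occurrence
        m = re.search(r"(?<![A-Z0-9])" + keyword + r"\(([^)]*)\)", text)
        return m.group(1).strip() if m else None

    def flag(keyword):  # bare keyword such as ACTIVE or NOMAXDORM
        return bool(re.search(r"(?<![A-Z0-9])" + keyword + r"(?![A-Z0-9(])", text))

    def yes_if(value, yes):  # map an operand onto the table's Yes/No
        return None if value is None else ("Yes" if value == yes else "No")

    jwt = operand("JWT")
    if jwt and re.fullmatch(r"\d{4}", jwt):
        jwt = jwt[:2] + ":" + jwt[2:]
    return {
        "Active": "No" if flag("NOACTIVE") else "Yes" if flag("ACTIVE") else None,
        "Job Wait Time": jwt,
        # MAXDORM operand is kept exactly as written in the member.
        "MaxDorm": "none" if flag("NOMAXDORM") else operand("MAXDORM"),
        "Temp17": yes_if(operand("REC"), "ALL"),
        "NoBuffsHalt": yes_if(operand("NOBUFFS"), "HALT"),
        "LastDSHalt": yes_if(operand("LASTDS"), "HALT"),
    }


def deviations(fields, baseline):
    """List every field whose value differs from the installation baseline."""
    return [f"{name}: found {fields.get(name)}, expected {want}"
            for name, want in baseline.items() if fields.get(name) != want]


if __name__ == "__main__":
    for line in deviations(parse_smfprm(SAMPLE_SMFPRM), BASELINE):
        print(line)
```

A field reported as None means the member does not specify the keyword, so the value in effect has to be confirmed on the running system.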