Tuesday, January 8, 2008

Auditing RACF Security

During my three years in information security and auditing, I have come across very few checklists or leading practices for securing a RACF (OS/390, z/OS) environment. Although RACF and mainframes are not used as widely by corporates nowadays because of the ease of use of MS Windows, the mainframe is still the most stable environment and is used by most financial firms and banks.
I thought of creating a simple checklist that will give an individual a basic idea of what to look for while performing an audit of a RACF system on OS/390 or z/OS. It covers password parameters, user administration, security settings and so on.
  • Enquire about the state of the default IBMUSER account and what its current attributes are.
  • Obtain the list of RACF users with the SPECIAL, AUDITOR or OPERATIONS attributes assigned. Also enquire about users having CLAUTH(USER), CONNECT, JOIN, or GROUP-SPECIAL attributes.
  • Obtain the SETROPTS report from the system administrator.
  • Validate the PASSWORD PROCESSING OPTIONS to confirm that parameters like COMPLEXITY, HISTORY, LENGTH and ACCOUNT LOCKOUTS are configured. Recommended password configuration for MVS systems:
      LENGTH: 6:8 (min 6 and max 8)
      HISTORY: 10 passwords remembered
      CHANGE INTERVAL: 45 days
      LOCKOUT: after 4-5 unsuccessful logons
      COMPLEXITY: ALPHANUM
  • Validate that none of the users have non-expiring passwords without a valid business justification.
  • Determine whether the RACF RVARY SWITCH and STATUS passwords have been changed.
  • Obtain the list of datasets selected by the APF criterion, along with their UACC.
  • Review the list to validate that none of the APF assigned datasets have UACC=ALTER/UPDATE.
  • All APF datasets should have UACC=READ or NONE.
  • Obtain the SETROPTS report from the system administrator.
  • Look under the SETROPTS LIST category to validate that the JES-ATTRIBUTES configuration is set to SAUDIT, CMDVIOL and OPERAUDIT.
      SAUDIT: specifies whether RACF commands issued using SPECIAL authority are logged.
      CMDVIOL: specifies whether RACF command violations are logged.
      OPERAUDIT: specifies whether RACF commands issued and resources accessed using OPERATIONS authority are logged.
  • Obtain the DSMON Program Properties Table report.
  • Validate that none of the program entries are defined to bypass password protection, by looking at the NOPASS option.
  • Determine if SMF files are adequately RACF protected.
  • Identify the active SMF parameter definitions.
  • Identify the SYS1.MANx files defined by the DSNAME() parameter and validate that none has ALTER/UPDATE access by reviewing the dataset ACL.
  • Validate that the following SMF record types are being collected by looking at the REC, MAN and DSV parameters:
      0, 90: System IPL
      7: SMF lost data
      5, 35: Job record
      4, 34: Program record
      80, 81: RACF
      60-69: VSAM information
      30: Combined record (replacing types 4, 5, 34, 35)
      14, 15, 17, 18: Dataset information
  • Validate that the JOB WAIT TIME (JWT) parameter is configured to an appropriate value.
  • Review the list of installation-defined Supervisor Calls (SVCs).
  • Determine that none of the SVCs is defined as APF=NO.
  • If any of the SVCs are defined as APF=NO, confirm that the TESTAUTH macro is used to control use of the SVC(s) by reviewing the source code of the SVC.
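As an added example (not part of the original post), a small Python checker that reads a SETROPTS LIST-style excerpt and reports where the password processing options and the SAUDIT/CMDVIOL/OPERAUDIT attributes fall short of the recommended values in the password and SETROPTS items above. The report text is a constructed sample modelled on the layout of SETROPTS LIST output; the regular expressions are assumptions and will need adjusting to the exact wording of a given system's report.

```python
import re
# Constructed sample in the layout of SETROPTS LIST output (assumption: real
# reports vary in wording and spacing, so adjust the patterns to your system).
SAMPLE_SETROPTS = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL
  PASSWORD CHANGE INTERVAL IS  90 DAYS.
    5 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
  AFTER  4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
      A USERID WILL BE REVOKED.
    RULE 1   LENGTH(6:8)  LLLLLLLL
"""
# Recommended values from the checklist above.
RECOMMENDED = {"interval_days": 45, "history": 10, "lockout": 5, "min_length": 6}
REQUIRED_AUDIT = {"SAUDIT", "CMDVIOL", "OPERAUDIT"}

def _num(pattern, text):
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None

def parse_setropts(text):
    """Extract password and audit settings from SETROPTS LIST-style text."""
    found = {
        "interval_days": _num(r"PASSWORD CHANGE INTERVAL IS\s+(\d+) DAYS", text),
        "history": _num(r"(\d+) GENERATIONS OF PREVIOUS PASSWORDS", text),
        "lockout": _num(r"AFTER\s+(\d+) CONSECUTIVE UNSUCCESSFUL", text),
        "min_length": _num(r"LENGTH\((\d+):\d+\)", text),
    }
    # Syntax rule letters, one per position: L = alphanumeric, A/C/V/W = letters only
    m = re.search(r"LENGTH\(\d+:\d+\)\s+([ACLNVW*]+)", text)
    found["syntax"] = m.group(1) if m else ""
    m = re.search(r"^ATTRIBUTES = (.*)$", text, re.M)
    found["audit"] = set(m.group(1).split()) if m else set()
    return found

def audit_findings(found):
    """Compare parsed settings with the recommended values; return findings."""
    findings = []
    if (found["interval_days"] or 9999) > RECOMMENDED["interval_days"]:
        findings.append("change interval missing or above 45 days")
    if (found["history"] or 0) < RECOMMENDED["history"]:
        findings.append("fewer than 10 password generations kept")
    if (found["lockout"] or 9999) > RECOMMENDED["lockout"]:
        findings.append("revocation threshold missing or above 5 attempts")
    if (found["min_length"] or 0) < RECOMMENDED["min_length"]:
        findings.append("minimum password length below 6")
    if found["syntax"] and set(found["syntax"]) <= set("ACVW"):
        findings.append("syntax rule allows alphabetic-only passwords")
    for attr in sorted(REQUIRED_AUDIT - found["audit"]):
        findings.append(f"{attr} not active in SETROPTS ATTRIBUTES")
    return findings
```

Running `audit_findings(parse_setropts(SAMPLE_SETROPTS))` on the sample flags the 90-day change interval, the 5-generation history and the missing OPERAUDIT attribute.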