Mainframe IT Auditing With Ten DSMON Reports

In our experience performing IT audits on IBM mainframes, we wanted to share our experience using the RACF DSMON (Data Security Monitor) program. This program can be used to run a set of useful reports on the mainframe system and security environment.

Note that DSMON is relevant only for mainframes on which RACF – Resource Access Control Facility is installed as part of the IBM Security Server suite.

DSMON reports are produced using a pre-packaged ‘job.’ To run DSMON reports, the operator must generally have the ‘auditor’ attribute.

Ten DSMON reports are listed below with a brief description, the report’s content and relevant information to an IT auditor.

1. SYSTEM. This report contains basic system, hardware (CPU) and RACF information. Auditors can use this to verify that versions are current for the operating system and RACF.

2. RACGRP Group Tree Report. This report displays the hierarchy of groups with the ownership chain. Auditors can use this report to observe the naming convention used in group names.

3. SYSPPT Program Properties Table (PPT) displays programs that execute with special privileges such as bypass password protection. This report can be used to validate each program in the table.

4. RACAUT RACF Authorized Caller Table. This table shows non-authorized programs that can invoke privileged RACF functions. Auditors generally want to see this table empty with rare exceptions.

5. RACCDT RACF Class Descriptor Table. This table shows the status of RACF general resource classes – active or inactive. Auditors can use this report to confirm that ‘auditing’ is enabled and the setting of the default universal access authority (UACC).

6. RACEXT RACF Exits. List of exits or subroutines. Auditors should inspect this report for any extra or unauthorized exits.

7. RACGAC RACF Global Access Table Report. For each RACF general resource class, the global access entities are in effect.

8. RACSPT RACF Started Procedures Table. Shows user and group IDs associated with started tasks and the privileged or trusted status. Entries are common for subsystem startup and recovery. Auditors should be aware of the ‘privileged’ or ‘trusted’ attributes displayed here.

9. RACUSR RACF User Attibute Report. This report displays users with the ‘special’, ‘operations’ and ‘auditor’ attributes. Auditors should pay special attention to this report as these attributes grant powerful authority in the mainframe environment.

10. SYSSDS Selected Datasets Report. There are a series of dataset reports on sensitive datasets including master and user catalogs, linklist and APF (authorized program facility) libraries. Each selected dataset is displayed with the serial number of the volume on which the dataset resides, the selection criterion, whether the dataset is RACF-indicated or RACF-protected and the universal access authority (UACC) for the data set.

The bottom line is that DSMON reports are very useful to an IT auditor reviewing an IBM mainframe system. These reports are extremely useful in getting a wide range of information that is releveant to an IT audit.

Reference: IBM z/OS Security Server RACF Auditor’s Guide.