# Full Report
We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing.
# Analysis Summary
# Tool/Technique: racfudit
## Overview
`racfudit` is a custom utility developed by the researchers to facilitate offline analysis of the RACF (Resource Access Control Facility) database on IBM z/OS mainframes. Its purpose is to allow penetration testers and security professionals to evaluate the RACF configuration security, check for possible misconfigurations, and analyze the complex relationships between RACF entities (users, resources, data sets) to identify potential privilege escalation paths.
## Technical Details
- Type: Tool
- Platform: IBM z/OS Mainframe (for offline analysis of the RACF database)
- Capabilities: Offline analysis of the RACF database structure, evaluation of security configuration, identification of privilege escalation paths.
- First Seen: Developed for the research detailed in the article (the second part of a research series, following an earlier article).
## MITRE ATT&CK Mapping
Since `racfudit` is an analysis/auditing tool used post-initial access or during testing, its primary mapping relates to discovery and defense evasion if used by an adversary, or defensive actions if used by blue teams.
- TA0005 - Defense Evasion (If utilized by an attacker to understand security controls without triggering monitoring)
- T1046 - Network Service Scanning (By analyzing the database, an attacker learns which services/resources are accessible)
- TA0007 - Discovery
- T1087 - Account Discovery
- T1069 - Permission Groups Discovery
## Functionality
### Core Capabilities
- Offline extraction and analysis of the RACF database.
- Evaluation of RACF configuration security settings.
- Identification of relationships between RACF entities (Users, Groups, Data Sets, Resources).
### Advanced Features
- Used to examine the structure of RACF profiles, including User, Group, Data Set, and Resource profiles.
- Enables systematic checks for potential security misconfigurations related to privilege management within z/OS.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: racfudit
- Registry Keys: [Not applicable to mainframe utility context]
- Network Indicators: N/A (Designed for offline database analysis)
- Behavioral Indicators: Execution associated with offline RACF database parsing.
## Associated Threat Actors
- Not associated with malicious actors; developed by researchers for authorized penetration testing and security analysis.
## Detection Methods
- Detection focuses on unauthorized copying of, offline access to, or manipulation of RACF database backup files.
- Monitoring for runs of system utilities that perform extensive indexing or exporting of the RACF database.
## Mitigation Strategies
- Strict access control and monitoring over physical or logical copies of the RACF database/security configuration files.
- Ensuring only authorized personnel or tools have access to the data required for offline analysis.
- Implementing recommendations discussed in the paper, such as transitioning to KDFAES/password phrases and controlling UACC values.
## Related Tools/Techniques
- Utilities/techniques related to analyzing ACF2 or Top Secret configurations (the other common z/OS security packages).
- General vulnerability scanning techniques applied to mainframe security configurations.