We have explored the RACF security package in z/OS and developed a utility to interact with its database. Now, we are assessing RACF configuration security for penetration testing.

Securelist is a cybersecurity blog and research platform operated by Kaspersky Lab. It offers insights, analysis, and reports on cybersecurity threats, vulnerabilities, and malware campaigns. Developers can learn about emerging cyber threats, security best practices, and mitigation strategies to protect their applications and systems. Additionally, Securelist provides insights into cybersecurity trends, threat intelligence, and industry developments, offering resources for cybersecurity professionals.

Securelist

Researchers developed racfudit, a Golang utility for analyzing IBM z/OS mainframe RACF security databases offline. The tool extracts user profiles, password hashes, and access permissions to identify privilege escalation paths and security misconfigurations. The analysis covers RACF's internal architecture, database structure, profile relationships, and password hashing algorithms (DES and KDFAES), providing penetration testers with methods to assess mainframe security vulnerabilities.

Deconstructing RACF in z/OS and uncovering security issues