zSecure RACF and SMF Auditing

This zSecure class is designed, written and presented by RACF & zSecure specialists. This is a hands-on course, in which attendees will learn how to audit the content of their RACF database and z/OS system, and to measure the results against the security requirements of a selected policy level. Additionally, you will learn how to review the current general SMF & RACF audit settings and interpret the pre-defined SMF audit reports. Attendees will also be shown how to create their own customized SMF reports.
This course is available for one-company presentations live over the Internet, via the Virtual Classroom Environment service.

What you will learn

On successful completion of this course you will be able to:

  • describe the flow of a security call from Resource Managers to RACF
  • perform user and password audit analysis
  • use the Audit functions to report on sensitive users and z/OS resources
  • create Audit reports on key RACF and z/OS system tables
  • review the system-wide Audit settings
  • select and process predefined SMF reports
  • define custom SMF reports.

Who Should Attend

The course is suitable for security administrators and auditors involved in administering, reporting and auditing RACF and z/OS security.


Attendees should have thorough working knowledge of RACF or have attended the RSM course RACF Administration & Auditing and (ideally) the course zSecure Basic Admin & Reporting.


2 days

Fee (per attendee)

£1650 (ex VAT)


This includes free online 24/7 access to course notes.


Hard copy course notes are available on request from rsmshop@rsm.co.uk

at £50.00 plus carriage per set.

Course Code



Introduction to RACF Auditing

RACF review; Main RACF - z/OS components; How does RACF work?; RACF database structure; RACF profiles; Group profiles; User profiles; Dataset profiles; General resource profiles; Resource classes; Class Descriptor Table (CDT); Macro ICHRRCDE or CDT profiles; Adding new dynamic General Resource classes; Static to dynamic CDT migration; The RACF interface; Calling RACF; RACF router table; RACF as a database manager; Separation of functions; zSecure Audit Profiles reports; Audit concerns; Profiles and segments; Audit concerns; Display SETROPTS and CDT; Audit concerns control tables; Audit concern OVERVIEW details; Display the SETROPTS settings; SETROPTS audit concerns; Display RACF dataset names; Display Class Descriptor Table (CDT); Display CDT details; Display the RACF router table; CDT and RACF router table consistency; Exercise 1.1; Select by Owner; Ownership by selected user; Ownership by any user; Displaying FIELD Class; Segments in profiles; Command Authority segments; FIELD class; FIELD class profile layout; FIELD-level access checking; Displaying a FIELD class profile; Exercise 1.2; Review questions; Summary.

Auditing Users & Passwords

Introduction; Auditing the RACF user population; User reports; User last logon overview; Last user logon older than 4 years; Users by password age; User password age 3 to 4 years; Users with initial password; Users and invalid password attempts; Users with non-expiring password; Users with long password intervals; Users with weak passwords; Exercise 2.1; CARLa commands; SYSPRINT; ALU REVOKE; CKR2PASS; CKRCMD; Run ALU REVOKE; Results; Auditing highly authorized users; Users with attributes; Users with any system-wide attribute; Users with any group attribute; Users with UID equal to 0; Trusted users; Reason overview; Reasons detail overview; Reason details; Exercise 2.2; Review questions; Summary.

Auditing Resources

Introduction; Auditing sensitive resources; Reports on profiles; Sensitive profiles; Sensitive data trustees; Sensitive data trustees - details; Trust reason; Trust reason details; Report sensitive profiles; Audit concern details; Exercise 3.1; Auditing create authorisations; Dataset create authority; Create authority for general resources; Report; Detail; Create authority for general resources in CARLa; Exercise 3.2; Auditing programs and started tasks; Programs; Authorised program reports; APF protected programs overview; APF protected program details; PADS programs; PADS overview; Started tasks; Report specifications; Started tasks overview; Started task details; Exercise 3.3; Review questions; Summary.

SMF Auditing

Introduction; SMF audit specifications; Auditing; Who controls the audit settings?; System-wide specified audit settings; Profile-specified audit settings; Profile-level audit settings; Generating event reports; Investigating the system; System-wide audit settings; Resource class audit settings; Profile-level audit settings; SMF reporting; SMF reporting (cont.); User events; User Action pane; User Attribute panel; Date and time panel; Data Set selection panel; HFS selection panel; Resource selection panel; Db2 selection panel; User selection; Object selection; Event selection; SMF events caused by CRMBT users; RACF events - details; Non-RACF events - details; Exercise 4.1; Report RACF/CKGRACF- user commands; Report RACF/CKGRACF- user commands (cont.); View RACF command details; Exercise 4.2; Predefined SMF reports; RACF exceptions report; Report the use of OPERATIONS: USEOPER report; Commands by SPECIAL users: CMDSPEC report; Command violations: CMDFAIL report; Data Set Access Violations: DSETVIOL report; UNIX (USS) violations: UNIXVIOL report; Violations and warnings by users - VWBYUSER report; Exercise 4.3; RACF events; All Events overview; All Events - deleted resources; All Events - new group profiles; All Events - user changes; All Events - failed user changes; NOT NORMAL; NOT NORMAL - details; Commands; Exercise 4.4; SMF custom reports; Specifying fields; Additional options; SMF records; Profile changes; Summary of changes; Summary of commands; Custom events; More custom events; Event options; Display template; SMFDATA; Event details; Exercise 4.5; Review questions; Summary.

Library Analysis

Introduction; Library analysis; How it works; Using library analysis; Purpose of library analysis; Identify differences; The audit - library menu; New CKFREEZE with signatures; CKFREEZE signature options; Library overview; Library changes report; Changes in load libraries; Changes in text libraries; Duplicate member analysis; Running duplicate member analysis; Duplicate members with different names; Duplicate members with identical names; Review questions; Summary.

Question & Answer Session

© RSM Technology 2022