APFCHECK

APFCHECK is a utility that concisely answers the most important questions concerning operating system integrity in a z/OS RACF installation:

- How many different users can UPDATE at least one APF library?
- Which userids can access which APF libraries?
- Which libraries are in the APF list at this moment?
- Are any APF libraries in WARNING mode?
- What is the UACC of each APF library?
- Are there any APF libraries with no RACF profile?

The first of these questions is the hardest to answer quickly with conventional tools, and yet it is one of the most important indicators of the overall state of operating system integrity controls. Try it with RACF commands or panels and judge for yourself.

Auditors will get immediate "findings" using APFCHECK, and RACF administrators will identify mistakes and accesses that might have "fallen through the cracks" by running this utility on a regular basis.

Using this tool in consulting projects, we have found that in many cases it revealed that every user in the RACF database had UPDATE authority to at least one APF library! In one case, this included 35,000 different userids, which was quite a surprise to installation management, who had predicted that 30-100 users might have such access!

APFCHECK execution can be tailored to report on particular ranges of userids based on input parameters that specify name and group membership using masking characters, or it can simply be told to process a certain segment of the database based on record number.

APFCHECK takes into account access based on privileges such as OPERATIONS, Global Access Checking, Warning Mode, ID(*), group memberships and so on. Have a look at the documentation.