Quick start¶
This page walks you through your first MFAudit run — from collecting data on the mainframe to opening the finished report.
Step 1 — Collect data on z/OS¶
You need two files from the mainframe:
| File | What it contains |
|---|---|
IRRDBU00 |
Full RACF database unload (users, groups, profiles, access lists) |
SETROPTS |
RACF global option export (password rules, active classes, flags) |
IRRDBU00 unload¶
Submit the IRRDBU00 batch utility.
Minimal JCL example:
//RACFUNLD JOB CLASS=A,MSGCLASS=X
//STEP1 EXEC PGM=IRRDBU00,PARM='NOLOCKINPUT'
//SYSPRINT DD SYSOUT=*
//INDD1 DD DSN=SYS1.RACF,DISP=SHR
//OUTDD1 DD DSN=&&UNLOAD,DISP=(NEW,PASS),
// UNIT=SYSDA,SPACE=(CYL,(50,10))
//SYSIN DD DUMMY
Copy the output dataset to your workstation as a binary file.
SETROPTS REXX export¶
MFAudit requires a REXX-produced SETROPTS export — not raw SETROPTS LIST console output.
See the mfpandas SETROPTS documentation:
https://mfpandas.readthedocs.io/en/latest/setropts.html
The exec writes one KEY:VALUE line per setting.
Copy SETROPTS to your workstation as a text file.
Step 2 — Install MFAudit¶
Install the package:
pip install mfaudit
WeasyPrint is installed automatically and used for PDF generation.
See the installation guide for required native libraries on Linux/macOS/Windows.
The bundled CIS controls library is included in the package — no extra steps needed.
Step 3 — Run the audit¶
Place IRRDBU00 and SETROPTS in the project root directory, or pass explicit paths.
Minimal run¶
Outputs are written to the current directory. Bundled CIS controls are used automatically.
mfaudit
Default outputs:
report.pdfcontrols_results.csv
JSON output¶
mfaudit --format JSON
Output:
controls_results.json
Multiple output formats¶
mfaudit --format CSV,JSON,PDF
Outputs:
report.pdfcontrols_results.csvcontrols_results.json
Full example¶
mfaudit --irrdbu00 /data/IRRDBU00 \
--setropts /data/SETROPTS \
--system-name SYSA \
--report-date 2026-05-17 \
--format CSV,JSON,PDF \
--out out/
Anonymized output¶
Replace RACF user IDs, groups, and profile names with stable labels before writing output:
mfaudit --format CSV,JSON,PDF \
--anonymize \
--out out/
Example anonymized identifiers:
USR-0001GRP-0007PRF-0042
Useful when sharing reports externally.
Step 4 — Open the report¶
macOS¶
open out/report.pdf
Linux¶
xdg-open out/report.pdf
Windows¶
start out\report.pdf
CSV results:
out/controls_results.csv
JSON results:
out/controls_results.json
What you see on the console¶
[i] No --controls specified; using bundled controls from .../mfaudit/controls
[+] Loaded 46 control(s) from .../mfaudit/controls/controls.yaml
[+] Total: 46 control(s)
[+] Loading SETROPTS from SETROPTS
[+] Loading IRRDBU00 from IRRDBU00 (threaded parse) ...
[CIS-1.1.1] Ensure PASSWORD(INTERVAL) is set to no longer than 90 days ... ✓ PASS
[CIS-1.1.2] Ensure PASSWORD(HISTORY) is set to at least 4 ............... ✓ PASS
[CIS-1.2.5] Ensure started tasks defined with TRUSTED attribute ......... ? REVIEW
────────────────────────────────────────────────────────────
Results: 40 PASS | 3 FAIL | 1 REVIEW | 2 SKIP
Score: 40/44 = 90%
────────────────────────────────────────────────────────────
[+] PDF report written to out/report.pdf
[+] CSV results written to out/controls_results.csv
[+] JSON results written to out/controls_results.json
Done.
Controls that cannot run because a required data source was not supplied are automatically marked as SKIP.
Skipped controls do not count as failures.