Privilege level for IBM z/OS Security Server RACF

What authentication record do I use for z/OS targets?

You'll need to create a Unix authentication record and choose Target Type "IBM z/OS Security Server RACF (Policy Compliance)" on the Login Credentials tab. 

What tools are needed to perform authenticated compliance scans for z/OS?  

Qualys scans require that the zoau package is installed on the z/OS target system(s). In addition, Qualys will leverage ssh to connect to z/OS and use the operating system shell.  

What privileges are needed for authenticated compliance scans for z/OS?

For Qualys to perform authenticated scans of z/OS, the account used for scanning needs to have the following privileges and attributes: 

- ROAUDIT is the minimum privilege

- A shell assigned to the account (e.g., /bin/sh)

- TSO available to the account

Create a scan user account on the system to scan

1) Create a scan user account named qualys_scan on the system you want to scan by using tsocmd:

tsocmd "adduser qualys_scan Password(******)"  

where ****** is the user's password text

2) Assign the ROAUDIT attribute to the user account by using tsocmd: 

tsocmd altuser qualys_scan ROAUDIT

Note that the ROAUDIT attribute can only be assigned by a user who has the SPECIAL attribute. A user with the SPECIAL attribute can execute any RACF command. 

How can I test user privileges?

Using an ssh tool, ssh as the qualys_scan account to the target and run the following command: 


If you receive output, the account is setup properly. If you receive an error or no output, the account is not setup properly or tso command tools are not loaded on the target.