You'll need to create a Unix authentication record and choose Target Type "IBM z/OS Security Server RACF (Policy Compliance)" on the Login Credentials tab.
Qualys scans require that the zaou package is installed on the z/OS target system(s). In addition, Qualys connects to z/OS over SSH and runs its commands from the z/OS UNIX shell.
For Qualys to perform authenticated scans of z/OS, the account used for scanning needs to have the following privileges and attributes:
- ROAUDIT (read-only auditor) is the minimum required RACF attribute
- A shell assigned to the account (e.g., /bin/sh)
- TSO available to the account
1) Create a scan user account named qualys_scan on the system you want to scan by using tsocmd:
tsocmd "adduser qualys_scan Password(******)"
where ****** is the user's password text
2) Assign the ROAUDIT attribute to the user account by using tsocmd:
tsocmd "altuser qualys_scan ROAUDIT"
Note that the ROAUDIT attribute can only be assigned by a user who has the SPECIAL attribute. A user with the SPECIAL attribute can execute any RACF command.
Using an SSH client, log in to the target as the qualys_scan account and run the following command:
tsocmd "SETROPTS LIST"
If you receive output, the account is set up properly. If you receive an error or no output, either the account is not set up properly or the TSO command tools are not loaded on the target. This is a good check because SETROPTS LIST itself requires the SPECIAL, AUDITOR or ROAUDIT attribute, so seeing output confirms both that TSO is reachable from the shell and that ROAUDIT was actually applied.
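The verification step above, scripted so it can be repeated from the scan host, as an added example (not Qualys or IBM code). It assumes an OpenSSH client with key-based login for qualys_scan, uses a placeholder host name, and classifies the captured output into the three outcomes the text describes (working, tsocmd missing, empty or error); the sample outputs are constructed for local testing, not real captures.

```shell
#!/bin/sh
# Added example: run tsocmd "SETROPTS LIST" over SSH as the scan account and
# classify the result. Assumptions: OpenSSH client, key-based login set up,
# ZOS_HOST is a placeholder to replace with the real z/OS host.
ZOS_HOST="${ZOS_HOST:-zos.example.invalid}"
SCAN_USER="${SCAN_USER:-qualys_scan}"

# Constructed sample outputs (not real captures) used by the self-test below.
SAMPLE_OK='ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP'
SAMPLE_NOCMD='/bin/sh: tsocmd: not found'
SAMPLE_DENIED='NOT AUTHORIZED TO ISSUE SETROPTS'

# classify_setropts OUTPUT
# Prints one of: ok, empty, no-tsocmd, error. Exit status 0 only for "ok".
# Assumption: real SETROPTS LIST output starts with an "ATTRIBUTES =" line,
# so its presence is taken as proof that TSO ran the command and the account
# holds an auditing attribute.
classify_setropts() {
    out="$1"
    if [ -z "$out" ]; then
        echo empty
        return 1
    fi
    case "$out" in
        *"ATTRIBUTES ="*)                 echo ok;        return 0 ;;
        *"not found"*|*"command not found"*) echo no-tsocmd; return 1 ;;
        *)                                echo error;     return 1 ;;
    esac
}

# verify_scan_account: run the check remotely and classify what comes back.
verify_scan_account() {
    out=$(ssh -o BatchMode=yes "$SCAN_USER@$ZOS_HOST" 'tsocmd "SETROPTS LIST"' 2>&1)
    classify_setropts "$out"
}

# Only contact the target when invoked with "run"; otherwise the script can be
# sourced so the functions are available for testing.
if [ "$1" = "run" ]; then
    verify_scan_account
fi
```

Invoke with `sh verify_scan_account.sh run`; a result other than `ok` means the account or the TSO tooling still needs attention.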