Mainframe REXX Security Concerns in z/OS

Let’s be honest: REXX is a marvel. It is the Swiss Army knife for any system programmer in the z operating system (z/OS) environment—a powerful, versatile, and native language that has saved our lives countless times by automating tedious tasks. But as is often the case with powerful tools, it has a dark side we prefer to ignore. Imagine a hospital for a moment. Doctors need access to X-rays to diagnose patients, right? Now, imagine leaving the radiology rooms unlocked and medical records accessible so that any porter, administrative staff, or curious visitor can take a peek. It would be madness, wouldn't it? Well, that is exactly what is happening in many z/OS LPARs today with REXX.

The Problem: GitHub and the CBT Tape Are a Double-Edged Sword

If you are a CISO or security manager, this concerns you. You don’t need to take an advanced ethical hacking course to find dangerous tools. A quick search on GitHub for "mainframe REXX" reveals an arsenal of ready-to-use scripts. We aren’t just talking about harmless utilities; we are talking about code designed for detailed footprinting. These scripts allow "bad actors"—a disgruntled employee, or a basic user with compromised credentials—to map your system, identify configuration vulnerabilities, list APF libraries, or view catalogs they shouldn't see. This isn't new: the directories of the old, well-known CBT Tape have hosted similar scripts for over 20 years. The difference is that now, they are just one click away for anyone.

The "Free Disposal" Vulnerability

The real risk lies in default permissions. Often, in an LPAR configuration, we assume that if a user doesn't have write access, they aren't dangerous. Big mistake. If any basic programmer can execute a REXX script that scans your data structure, it’s like giving the bank blueprints to a thief before the robbery. With that information, they can prepare to install code that steals data, denies services, or, worse, installs hidden backdoors that go unnoticed for months.

The Regulatory Impact: PCI DSS, DORA, NIS2, and More

This is where technology clashes with legality. It’s no longer just about best practices; it’s now a legal requirement, covering everything from ISO 27001 to Sarbanes-Oxley (SOX).

PCI DSS Compliance: If your environment handles payment card industry data, leaving REXX unchecked can violate PCI DSS Requirement 12, specifically regarding firewall requirements and restricting access to data on a need-to-know basis. A simple script could compromise your compliance with PCI data security standards.
GDPR & Data Privacy: If a REXX script allows access to personal data, you are failing PCI and GDPR principles simultaneously.
NIS2 Directive: The NIS2 Directive (EU) toughens cybersecurity requirements. Allowing uncontrolled internal reconnaissance tools is an invitation to incidents that you will be forced to report.
DORA Regulation 2022: Focused on the Digital Operational Resilience Act 2022 for the financial sector, DORA requires us to manage ICT risks. Leaving REXX open to all users creates a resilience gap.
Banking & Insurance Standards: Whether you are dealing with Basel III or Solvency II data quality, the integrity of your z/OS environment is non-negotiable.

The Solution Is Not to Ban, But to Audit Deeply (DATAPASS)

We cannot eliminate the ability to execute REXX programs and scripts; the system would grind to a halt. However, we can audit who really needs it and "secure" its usage. Traditional annual audits—whether for PCI certification, SOX compliance, or ISO 27001 certification—are static snapshots that expire the next day. Bad actors don't wait for the next audit cycle. We need to increase the frequency and, above all, the depth of the analysis. This is where the need for cyclical audit services, such as DATAPASS, comes in. It is not just a simple check; it is a continuous security improvement system for the mainframe. DATAPASS allows you to identify who is executing what, detect weak configurations that allow this footprinting, and close those gaps before a script downloaded from the internet puts your organization at risk. A modern SIEM or SOC must be able to ingest and correlate these executions. Still, prevention through deep, recurring auditing is the only way to avoid your own tools—such as ethical hacking scripts found online—being used against you. The mainframe remains the most secure server in the world, but only if we configure it that way. Leaving REXX at "free disposal" is a luxury we can no longer afford in the era of ransomware and cyber espionage. It is time to lock the X-ray room and give the keys only to those who truly need them.