Overview of the zFS audit identifier

An auditid is a 16-byte value that is associated with each z/OS® UNIX file or directory. The auditid identifies a z/OS UNIX file or directory in an SMF audit record or in certain authorization failure messages (for example, RACF® message ICH408I). An auditid appears in Type 80 SMF records and in the output of certain z/OS UNIX APIs (for example, stat). zFS allows the administrator to specify whether zFS uses a more unique auditid for a zFS file or directory, or uses the non-unique, standard auditid.

Tip: The auditid tool can display a file path name if you know the auditid. The tool works only for a unique auditid; it does not work for a standard auditid. The tool is not supported; it is available on the z/OS UNIX System Services Tools and Toys web page.

Figure 1 shows the format of the unique zFS auditid, the standard zFS auditid, and the HFS auditid.
Figure 1. zFS auditid examples

Together, the i-node and unique identifier (the uniquifier) identify the file or directory within a file system. The remainder of the auditid identifies the file system. The i-node is a slot number that identifies an existing file or directory, but it is reused when a file or directory is deleted. When that same i-node slot is used for a different file or directory, the uniquifier is incremented so that the combination of the i-node and uniquifier is unique. When the uniquifier is two bytes, they are the low-order bytes (the bytes that change most often) of the four-byte uniquifier. In the unique zFS auditid, the file system part of the auditid is known as the auditfid. The VOLSER is the volume serial of the volume that contains the first extent of the zFS aggregate data set. The CCHH is the CCHH of the first extent of the zFS aggregate data set.

The auditfid in the zFS aggregate controls the type of auditid that zFS uses: the unique auditid, or the less unique, standard auditid (an auditfid of binary zeros). Typically, a zFS aggregate contains a zero auditfid, but you can take steps to store a unique zFS auditfid, which subsequently causes zFS to generate a unique-format auditid for each file or directory in the aggregate.
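
The following added example (not IBM code and not the auditid tool) splits a unique-format auditid, as it might be copied from an audit record, into the fields described above and groups auditids by auditfid so records can be correlated per aggregate. The field widths and order (4-byte i-node, 2-byte uniquifier, 6-byte EBCDIC VOLSER, 4-byte CCHH) are an assumption, because Figure 1 is not reproduced here; the function names and sample values are constructed.

```python
import re
import struct

# ASSUMED layout of a unique zFS auditid (Figure 1 is not reproduced here):
#   bytes 0-3 i-node | 4-5 low-order uniquifier bytes |
#   6-11 VOLSER in EBCDIC | 12-15 CCHH (cylinder, head) of the first extent
UNIQUE_LAYOUT = struct.Struct(">IH6sHH")
VOLSER_RE = re.compile(r"[A-Z0-9@#$]{1,6} *")  # simplified VOLSER character set

# Constructed samples, not taken from a real system.
SAMPLE_UNIQUE = "0000002A0003E9C6E2F0F0F100FD0000"    # i-node 42 on volume ZFS001
SAMPLE_ZERO_FID = "0000002A0003" + "00" * 10          # auditfid of binary zeros


def parse_unique_auditid(hex_auditid):
    """Split a unique-format auditid into fields.

    Returns None when the file-system part is not a plausible VOLSER, which
    is the case for an auditfid of binary zeros.
    """
    raw = bytes.fromhex(hex_auditid.replace(" ", ""))
    if len(raw) != 16:
        raise ValueError("an auditid is exactly 16 bytes")
    inode, uniq_low, volser_raw, cc, hh = UNIQUE_LAYOUT.unpack(raw)
    volser = volser_raw.decode("cp037")
    if not VOLSER_RE.fullmatch(volser):
        return None
    return {"inode": inode, "uniquifier_low": uniq_low,
            "volser": volser.rstrip(), "cc": cc, "hh": hh,
            "auditfid": raw[6:].hex().upper()}


def group_by_filesystem(hex_auditids):
    """Bucket auditids by auditfid to correlate audit records per aggregate."""
    groups = {}
    for value in hex_auditids:
        parsed = parse_unique_auditid(value)
        key = parsed["auditfid"] if parsed else "no-unique-auditfid"
        groups.setdefault(key, []).append(value)
    return groups


if __name__ == "__main__":
    print(parse_unique_auditid(SAMPLE_UNIQUE))
    print(group_by_filesystem([SAMPLE_UNIQUE, SAMPLE_ZERO_FID]))
```

Auditids that fall into the `no-unique-auditfid` bucket cannot be tied to a specific aggregate from the auditid alone, which is the practical cost of leaving the auditfid at binary zeros.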

There are three ways to control the zFS auditfid that is stored in the aggregate, which thereby controls the format of the zFS auditid for files and directories that are contained in the aggregate:
  • When formatting an aggregate, you get a unique auditfid by default (that is, if you do not specify -nonewauditfid). This is true for the IOEAGFMT batch utility and the zfsadm format command. If you specify -nonewauditfid, the aggregate has the standard auditfid (binary zeros). The IOEFSUTL format always provides a unique auditfid.
  • You can optionally specify a zFS configuration option (convert_auditfid=on) in the IOEFSPRM file to control whether the aggregate's auditfid is converted from a standard format auditfid to a unique auditfid when a zFS file system is mounted. If you specify on, zFS converts the standard auditfid to the unique auditfid on the read/write mount (attach) of the aggregate. You can also specify the convert_auditfid configuration option using the zfsadm config -convert_auditfid option and query using the zfsadm configquery -convert_auditfid option. The default for convert_auditfid is ON.
  • You can explicitly set an aggregate's auditfid to a unique auditfid using the zfsadm setauditfid command.