Record Type 80: RACF Processing Record

RACF® writes record type 80 for the following detected events:

  • Unauthorized attempts to enter the system. For example, during RACF processing of a RACINIT request macro instruction, RACF found that a RACF-defined user either (1) has supplied an invalid password, password phrase, or group name, (2) is not authorized access to the terminal, or (3) had insufficient security label authority.

    RACF always writes this violation record when it detects the unauthorized attempt; this violation record supplements the information that RACF sends to the security console in RACF message ICH408I.

    Note: The audit record contains a log string indicating what z/VM® event was issued.
  • Authorized attempts to enter the system. RACF provides a RACINIT request option to log successful signons and signoffs as well as ENVIR=CREATE or ENVIR=DELETE signons and signoffs. For the LOG keyword on the RACROUTE and RACINIT request macros, LOG=ALL or LOG=ASIS may be specified to control the generation of log records for RACINIT request. The value of the LOG keyword is passed to both the RACINIT request preprocessing and postprocessing installation exits. Both exits are invoked prior to the generation of a log record, and the LOG keyword value can be changed for both exits.
    Note: The audit record contains a log string indicating what z/VM event was issued.
  • Authorized accesses or unauthorized attempts to access RACF-protected resources. During RACF processing of a RACHECK or RACDEF request macro instruction, RACF found that one of the following events occurred:
    1. The user was permitted access to a RACF-protected resource and allowed to perform the requested operation.
    2. The user did not have sufficient access or group authority to access a RACF-protected resource, or supplied invalid data while attempting to perform an operation on a RACF-protected resource.

    In the first case, RACF writes the record if the ALL or SUCCESS logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, RDEFINE, ADDFILE, ADDDIR, ALTFILE, or ALTDIR command and the access type is within the scope of the valid access types. RACF also writes the record if logging has been unconditionally requested by a RACHECK request postprocessing exit routine.

    In the second case, RACF writes the violation record if the ALL or FAILURES logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, RDEFINE, ADDFILE, ADDDIR, ALTFILE, or ALTDIR command, or if logging is unconditionally requested by a RACHECK request postprocessing exit routine. The violation record supplements the information that RACF sends to the security console in RACF message ICH408I.

    Note that the FAILURES (READ) option is the default in cases where new resources are RACF-protected.

    For the preceding events, a RACHECK request exit routine can modify the logging options by changing the LOG parameter on a RACHECK request macro instruction from ASIS to NOFAIL, NONE, or NOSTAT, or by unconditionally requesting or suppressing logging with the logging control field. (For information on the LOG parameter of a RACHECK request macro instruction, see z/VM: Security Server RACROUTE Macro Reference. For information on the logging options of the ADDSD, ALTDSD, ALTUSER, RALTER, RDEFINE, ADDFILE, ADDDIR, ALTFILE, ALTDIR, and SETROPTS commands, see z/VM: RACF Security Server Command Language Reference.)

  • Authorized or unauthorized attempts to modify profiles on a RACF database. During RACF command processing, RACF found that a user with the AUDITOR attribute specified that the following be logged:
    1. All detected changes to a RACF database by RACF commands and the RACDEF request
    2. All RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, LDIRECT, LFILE, SRDIR, SRFILE and SEARCH) issued by users with the SPECIAL attribute
    3. All violations detected by RACF commands (except LISTGRP, LISTUSER, RLIST, and SEARCH)
    4. All RACHECK and RACDEF requests issued for the user and all RACF commands (except LISTGRP, LISTUSER, RLIST and SEARCH) issued by the user

    In the first three cases, RACF writes records if a user with the AUDITOR attribute specified AUDIT, SAUDIT, and CMDVIOL, respectively, on the SETROPTS command. In the fourth case, RACF writes the records if a user with the AUDITOR attribute specified UAUDIT on the ALTUSER command.

  • Authorized or unauthorized attempts to issue z/VM events. z/VM events include CP commands, diagnose codes, certain events related to communication among virtual machines, and certain spool file activities. This auditing is enabled by a VMXEVENT profile. For more information, see Record Type 80: RACF for z/VM Processing Record for VMXEVENT on z/VM and z/VM: RACF Security Server Auditor's Guide (check under “auditing events”).
You can use SMF records to:
  • Track the total use of a sensitive resource (if the ALL option is set)
  • Identify the resources that are repeated targets of detected unauthorized attempts to access them (if the ALL or FAILURES option is set)
  • Identify the users who make detected unauthorized requests
  • Track SPECIAL user activity
  • Track activity of a particular user

In most cases, RACF writes one record for each event. (RACF can write two records for one operation on a resource — for example, when a RACF-protected DASD data set is deleted with scratch.)

SMF record 80 contains the following information:
  • The record type
  • Time stamp (time and date)
  • Processor identification
  • Event code and qualifier (explained in Table 1)
  • User identification
  • Group name
  • A count of the relocate sections
  • Authorities used to successfully execute commands or access resources
  • Reasons for logging
  • Command processing error flag
  • Foreground user terminal ID
  • Foreground user terminal level number
  • RACF version, release and modification number
  • SECLABEL of user
  • The alternate user ID (if any)
(The data in a relocate section is explained in Table of Relocate Section Variable Data and Table of Data Type 6 Command-Related Data and Table of Relocate Section Variable Data for VMXEVENT Class.)

The log record RACF creates is a standard type 80 SMF record.

The format of record type 80 is:

Offset (Dec) Offset (Hex) Name Length Format Description
0 0 SMF80LEN 2 binary Record length.
2 2 SMF80SEG 2 binary Segment descriptor.
4 4 SMF80FLG 1 binary System indicator:
    0x00: z/VM
    All other values indicate z/OS. Use SMF80VRM to determine z/VM release.
5 5 SMF80RTY 1 binary Record type: 80 (X'50').
6 6 SMF80TME 4 binary Time of day, in hundredths of a second, that the record was moved to the SMF buffer.
10 A SMF80DTE 4 packed Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign).
14 E SMF80SID 4 EBCDIC System identification (from the SMF CONTROL file).
18 12 SMF80DES 2 binary Descriptor flags:
    Bit 0: The event is a violation
    Bit 1: User is not defined to RACF
    Bit 2: Record contains a version indicator (see SMF80VER)
    Bit 3: The event is a warning
    Bit 4: Record contains a version, release, and modification level number (see SMF80VRM)
    Bits 5-15: Reserved.
20 14 SMF80EVT 1 binary Event code.
21 15 SMF80EVQ 1 binary Event code qualifier.
22 16 SMF80USR 8 EBCDIC Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
30 1E SMF80GRP 8 EBCDIC Group to which the user was connected (stepname is used if the user is not defined to RACF).
38 26 SMF80REL 2 binary Offset to the first relocate section from beginning of the record header.
40 28 SMF80CNT 2 binary Count of the number of relocate sections.
42 2A SMF80ATH 1 binary Authorities used for processing commands or accessing resources. (See Note 1.)
    Bit 0: Normal authority check (resource access)
    Bit 1: SPECIAL attribute (command processing)
    Bit 2: OPERATIONS attribute (resource access, command processing)
    Bit 3: AUDITOR or ROAUDIT attribute (command processing)
    Bit 4: Installation exit processing (resource access)
    Bit 5: Failsoft processing (resource access)
    Bit 6: Bypassed-user ID = *BYPASS* (resource access)
    Bit 7: Trusted attribute (resource access).
43 2B SMF80REA 1 binary Reason for logging. These flags indicate the reason RACF produced the SMF record. (See Note 2.)
    Bit 0: SETROPTS AUDIT(class): changes to this class of profile are being audited.
    Bit 1: User being audited
    Bit 2: SPECIAL users being audited
    Bit 3: Access to the resource is being audited due to the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing.
    Bit 4: RACINIT failure
    Bit 5: This command is always audited
    Bit 6: Violation detected in command and CMDVIOL is in effect, or a z/VM event violation is detected
    Bit 7: Access to entity being audited due to GLOBALAUDIT option.
44 2C SMF80TLV 1 binary Terminal level number of foreground user (zero if not available).
45 2D SMF80ERR 1 binary Command processing error flag. (See Note 3.)
    Bit 0: Command had error and RACF could not back out some changes
    Bit 1: No profile updates were made because of error in RACF processing
    Bits 2-7: Reserved.
46 2E SMF80TRM 8 EBCDIC Terminal ID of foreground user (zero if not available).
54 36 SMF80JBN 8 EBCDIC Job name. For RACINIT records for batch jobs, this field can be zero.
62 3E SMF80RST 4 binary Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACINIT records for batch jobs, this field can be zero.
66 42 SMF80RSD 4 packed Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACINIT records for batch jobs, this field can be zero.
70 46 SMF80UID 8 EBCDIC User identification field from the SMF common exit parameter area. For RACINIT records for batch jobs, this field can be zero. For VMXEVENT audit records, if an alternate user ID is used, the ID is located here.
78 4E SMF80VER 1 binary Version indicator:
    8: RACF/VM 5.4.0 or later. SMF80VRM provides more detail.
79 4F SMF80RE2 1 binary Additional reasons for logging:
    Bit 0: Security level control for auditing
    Bit 1: VMEVENT Auditing
    Bit 2: Class being audited due to SETROPTS LOGOPTIONS
    Bit 3: Entity audited due to SETROPTS SECLABELAUDIT
    Bit 4: Entity audited due to SETROPTS COMPATMODE
    Bit 5: Audited due to SETROPTS COMPATMODE
    Bit 6: Reserved.
    Bit 7: Audited because user does not have appropriate authority for OpenExtensions z/VM.
80 50 SMF80VRM 4 EBCDIC RACF version, release, and modification level.
  • 5040 RACF for z/VM Version 5 Release 4
  • 6020 RACF for z/VM Version 6 Release 2
  • 6030 RACF for z/VM Version 6 Release 3
  • 6040 RACF for z/VM Version 6 Release 4
84 54 SMF80SEC 8 EBCDIC Security label of the user.
92 5C SMF80RL2 2 Binary Offset to extended-length relocate sections.
94 5E SMF80CT2 2 Binary Count of extended-length relocate sections.
96 60 SMF80AU2 1 Binary Authority used continued:
    Bit 0: OpenExtensions superuser
    Bit 1: OpenExtensions system function
    Bits 2-7: Reserved.
97 61 SMF80RSV 1 Binary Reserved

Relocate Section:

Offset (Dec) Offset (Hex) Name Length Format Description
0 0 SMF80DTP 1 binary Data type.
1 1 SMF80DLN 1 binary Length of data that follows.
2 2 SMF80DTA 1-255 mixed Data.

Extended-length Relocate Section:

Offset (Dec) Offset (Hex) Name Length Format Description
0 0 SMF80TP2 2 Binary Data type
2 2 SMF80DL2 2 Binary Length of data that follows
4 4 SMF80DA2 variable EBCDIC Data
Note:
  1. SMF80ATH: These flags indicate the authority checks made for the user who requested the action. The RACF commands use bits 0, 1, and 3; the RACF requests use bits 0, 2, and 4-7.
    • Bit 0 indicates that the user's authority to issue the command or SVC was determined by the checks for a user with the SPECIAL, OPERATIONS, AUDITOR, or ROAUDIT attribute. This bit indicates that the tests were made, not that the user passed the tests and has authority to issue the command. This bit is not set on if the user has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute.
    • Bit 1 indicates that the user has the SPECIAL attribute and used this authority to issue the command. If the user also has the AUDITOR or ROAUDIT attribute and entered the command with only those operands that require the AUDITOR or ROAUDIT attribute, this bit is not set on because the user did not use his authority as a user with the SPECIAL attribute.
    • Bit 2 is set by the RACHECK and RACDEF requests and indicates that the user has the OPERATIONS attribute and used this authority to obtain access to the resource.
    • Bit 3 indicates that the user has the AUDITOR or ROAUDIT attribute or group-AUDITOR and used this authority to issue the command with operands that require the AUDITOR or ROAUDIT attribute or group-AUDITOR authority.
    • Bit 4 indicates that the user has authority because the exit routine indicated that the request is to be accepted without any further authority checks.
    • Bit 5 indicates that resource access was granted by the operator during failsoft processing.
    • Bit 6 indicates that *BYPASS* was specified on the user ID field. Access was granted because RACF authority checking was bypassed. This bit could also indicate that a violation is detected on a z/VM event.
    • Bit 7 indicates that the user has the trusted attribute.
  2. SMF80REA: These flags indicate the reason RACF produced the SMF record.
    • Bit 0 is set when there are changes made to a profile in a class specified in the AUDIT operand of the SETROPTS command.
    • Bit 1 is set when a user with the AUDITOR attribute specifies the UAUDIT operand on the ALTUSER command for a user and the user has changed RACF profiles with a RACF command, or a RACHECK or RACDEF request has been issued for the user.
    • Bit 2 is set when a user with the AUDITOR attribute specifies the SAUDIT operand on the SETROPTS command and a user with the SPECIAL attribute has changed RACF profiles with a RACF command. However, if a user has both the SPECIAL and AUDITOR attributes and issues a command with operands that require only the AUDITOR attribute, RACF does not log this activity because SPECIAL authority was not used.
    • Bit 3 is set if:
      • The AUDIT option in the resource profile specifies that attempts to access the resource be logged.
      • The RACHECK request exit routine specifies unconditional logging.
      • The console operator grants the resource access during failsoft processing.
    • Bit 4 is set when the RACINIT request fails to verify a user because of an invalid group, password, terminal, or OIDCARD.
    • Bit 5 is set if the RVARY or SETROPTS command produced the SMF record. (The execution of these two commands always produces an SMF record.)
    • Bit 6 is set when a user with the AUDITOR attribute specifies logging of command violations (with the CMDVIOL operand on the SETROPTS command) and RACF detects a violation.
    • Bit 7 is set when attempts to access a RACF-protected resource are being logged, as requested by the GLOBALAUDIT option in the resource profile.
  3. SMF80ERR: These flags indicate errors during command processing and the extent of the processing.
    • Bit 0 indicates that an error occurred that prevented the command from completing all updates requested, and the command was unable to back out the updates already done. If this bit is on, there may be an inconsistency between the profiles on the RACF database, or between the profile for a data set and the RACF-indicator for the data set in the DSCB or catalog. The latter is also indicated by a bit in the command-related information for the ADDSD, ALTDSD, and DELDSD commands. For some commands (for example, ADDUSER), the inconsistency means an incompletely defined resource. For other commands, where the profiles are already defined (for example, ALTUSER), the inconsistency means that all changes were not made, but the profiles are still usable.

      This bit indicates a terminating error and should not be confused with a keyword violation or processing error where the command continues processing other operands.

    • Bit 1 indicates that none of the requested changes were made, because either (1) a terminating error occurred before the changes were made, or (2) the command was able to back out the changes after a terminating error.
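
Added example (not part of the IBM documentation): a Python parser for the type 80 header and relocate sections laid out above, of the kind an auditor could use to pull violations and RACINIT failures out of an SMF dump. It assumes bit 0 is the high-order bit of each flag field, that c in the packed date counts centuries past 1900, and that text is EBCDIC code page 037; the function names and the sample record are constructed for illustration.

```python
import struct
from datetime import date, timedelta

# Bit 0 is taken as the high-order bit of each flag field (IBM numbering; assumption).
DES_BITS = {0: "violation", 1: "user not defined", 3: "warning"}
REA_BITS = {1: "UAUDIT", 2: "SAUDIT", 3: "resource AUDIT", 4: "RACINIT failure",
            5: "always audited", 6: "CMDVIOL", 7: "GLOBALAUDIT"}

def flags(value, width, names):
    """Names of the set bits, counting bit 0 from the high-order end."""
    return [n for b, n in names.items() if value & (1 << (width - 1 - b))]

def packed_date(raw):
    """Decode packed 0cyydddF; c is taken as centuries past 1900 (assumption)."""
    d = raw.hex()
    return date(1900 + 100 * int(d[1]) + int(d[2:4]), 1, 1) + timedelta(int(d[4:7]) - 1)

def parse_smf80(rec):
    if len(rec) < 98 or rec[5] != 80:
        raise ValueError("not a complete type 80 record")
    des, evt, evq = struct.unpack_from(">HBB", rec, 18)
    rel, cnt, _ath, rea = struct.unpack_from(">HHBB", rec, 38)
    out = {"system": "z/VM" if rec[4] == 0 else "z/OS",
           "time_cs": struct.unpack_from(">I", rec, 6)[0],
           "date": packed_date(rec[10:14]),
           "event": (evt, evq),
           "user": rec[22:30].decode("cp037").strip(),
           "group": rec[30:38].decode("cp037").strip(),
           "descriptor": flags(des, 16, DES_BITS),
           "reasons": flags(rea, 8, REA_BITS),
           "relocates": []}
    pos = rel
    for _ in range(cnt):  # each section: SMF80DTP, SMF80DLN, then SMF80DLN data bytes
        if pos + 2 > len(rec) or pos + 2 + rec[pos + 1] > len(rec):
            raise ValueError("relocate section runs past end of record")
        out["relocates"].append((rec[pos], rec[pos + 2:pos + 2 + rec[pos + 1]]))
        pos += 2 + rec[pos + 1]
    return out

def sample_record():
    """Constructed sample, not real audit data: one violation with one relocate section."""
    rec = bytearray(98) + bytes([1, 4]) + "TEST".encode("cp037")
    struct.pack_into(">HHBB", rec, 0, len(rec), 0, 0, 80)   # LEN, SEG, FLG=z/VM, RTY
    struct.pack_into(">I", rec, 6, 360000)                   # 01:00:00.00
    rec[10:14] = bytes.fromhex("0124032f")                   # day 032 of 2024
    struct.pack_into(">HBB", rec, 18, 0x8000, 1, 1)          # DES bit 0; constructed EVT/EVQ
    rec[22:38] = "IBMUSER SYS1    ".encode("cp037")          # SMF80USR + SMF80GRP
    struct.pack_into(">HHBB", rec, 38, 98, 1, 0, 0x08)       # REL, CNT, ATH, REA bit 4
    return bytes(rec)
```

The bounds check in the relocate loop matters when records come from an untrusted or truncated dump: SMF80CNT and SMF80DLN are read from the record itself and must not be allowed to index past its end.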