Auditing for z/OS UNIX System Services

RACF® writes audit records for the z/OS UNIX System Services auditable events in SMF type 80 records. The following classes are defined to control auditing:

DIRSRCH
DIRACC
FSOBJ
FSSEC
IPCOBJ
PROCESS
PROCACT

The classes are in the class descriptor table (ICHRRCDX). No profiles can be defined in these classes. They are for audit purposes only. These classes do not need to be active to be used to control z/OS UNIX System Services auditing. Activating the classes has no effect on auditing or authorization checking, except for the FSSEC class, which enables the use of ACLs in authorization checking.

Audit records are always written for security decisions made during RACF callable services involving resources in these z/OS® UNIX classes when the user has the UAUDIT attribute, regardless of the LOGOPTIONS and AUDIT settings.

In addition, audit records are always written, and there is no option to turn them off, when one of the following conditions occurs:

A user who is not defined as a z/OS UNIX System Services user tries to dub a process
An unauthorized user tries to mount or unmount a file system

For more details about z/OS UNIX System Services events for which audit records are always written, see z/OS UNIX System Services Planning.

You can use profiles in the UNIXPRIV class to audit certain superuser functions. For more information about this z/OS UNIX System Services class, see Auditing for superuser authority in the UNIXPRIV class.