IBM MFA SMF Record type 83 subtype 7 records

This section describes the IBM® MFA system management facilities (SMF) Record type 83 subtype 7 records.

As described in RACF Audit Record For Data Sets, Record type 83 is a RACF processing record. For complete information about Record type 83 records, see Record type 83: Security events.

Record type 83 subtype 7 security section

Table 1. Record type 83 subtype 7 security section
Offsets          
Dec. Hex. Name Length Format Description
0 0 SMF83LNK 4 Binary Value used to link several SMF 83 records to a single event.
4 4 SMF83DES 2 Binary Descriptor flags (bit 0 is the high-order bit):
  Bit 0: The event is a violation
  Bit 1: User is not defined to RACF
  Bit 2: Reserved
  Bit 3: The event is a warning
  Bit 4: Record contains a version, release, and modification level number (see SMF83VRM)
  Bit 5: The caller of the R_auditx service indicated always log
  Bits 6-15: Reserved
6 6 SMF83EVT 1 Binary Event code. Possible values are as follows:
  • 01 in-band
  • 02 out-of-band
  • 03 get CTC
7 7 SMF83EVQ 1 Binary Event code qualifier. Possible values are as follows:
  • 00 Success
  • 01 Out-of-band token issued
  • 08 invalid credential
  • 09 could not evaluate
  • 10 expired credential
  • 11 new credential not valid
  • 12 re-authenticate
  • 13 bypassed (In band only)
8 8 SMF83USR 8 EBCDIC Identifier of the user associated with this event (job name is used if the user is not defined to RACF).
16 10 SMF83GRP 8 EBCDIC Group to which the user was connected (step name is used if the user is not defined to RACF).
24 18 SMF83REL 2 Binary Reserved
26 1A SMF83CNT 2 Binary Reserved
28 1C SMF83ATH 1 Binary Authorities used for processing commands or accessing resources:
  Bits 0-7: Reserved
29 1D SMF83REA 1 Binary Reason for logging. These flags indicate the reason RACF produced the SMF record:
  Bit 0: SETROPTS AUDIT(class): changes to this class of profile are being audited
  Bit 1: User being audited
  Bit 2: SPECIAL users being audited
  Bit 3: Access to the resource is being audited because of the AUDIT option (specified when the profile was created or altered by a RACF command), a logging request from the RACROUTE REQUEST=AUTH exit routine, or because the operator granted access during failsoft processing
  Bit 4: RACROUTE REQUEST=VERIFY or initACEE failure
  Bit 5: This command is always audited
  Bit 6: Violation detected in command and CMDVIOL is in effect
  Bit 7: Access to entity being audited because of GLOBALAUDIT option
30 1E SMF83TLV 1 Binary Terminal level number of foreground user (zero if not available).
31 1F SMF83ERR 1 Binary Command processing error flag:
  Bit 0: Command had an error and RACF could not back out some changes
  Bit 1: No profile updates were made because of an error in RACF processing
  Bits 2-7: Reserved
32 20 SMF83TRM 8 EBCDIC Terminal ID of foreground user (zero if not available).
40 28 SMF83JBN 8 EBCDIC Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
48 30 SMF83RST 4 Binary Time, in hundredths of a second, at which the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
52 34 SMF83RSD 4 Packed Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
56 38 SMF83UID 8 EBCDIC User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
64 40 SMF83VER 1 Binary Version indicator 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead.
65 41 SMF83RE2 1 Binary Additional reasons for logging:
  Bit 0: Security level control for auditing
  Bit 1: Auditing by LOGOPTIONS
  Bit 2: Class being audited because of SETROPTS SECLABELAUDIT
  Bit 3: Class being audited because of SETROPTS COMPATMODE
  Bit 4: Audited because of SETROPTS APPLAUDIT
  Bit 5: Audited because user not defined to z/OS UNIX
  Bit 6: Audited because user does not have appropriate authority for z/OS UNIX
  Bit 7: Reserved
66 42 SMF83VRM 4 EBCDIC FMID for RACF
70 46 SMF83SEC 8 EBCDIC Security Label of the User.
78 4E SMF83AU2 1 Binary Authority used (continued):
  Bit 0: z/OS UNIX superuser
  Bit 1: z/OS UNIX system function
  Bits 2-7: Reserved
79 4F SMF83RSV 1 Binary Reserved (one byte; SMF83US2 starts at offset 80)
80 50 SMF83US2 8 EBCDIC Identifier of the address space user associated with this event.
88 58 SMF83GR2 8 EBCDIC Group to which the address space user was connected.
Table 2. RACF SMF record relocate section format
Offsets
Dec. Hex. Name Length Format Description
0 0 SMF83TP2 2 Binary Data type. See Table 3.
2 2 SMF83DL2 2 Binary Length of data that follows.
4 4 SMF83DA2 variable EBCDIC Data
Table 3. RACF SMF type 83 subtype 2 and above relocates
Data type (SMF83TP2) Max data length (SMF83DL2) Format Audited by event code Description
Dec. Hex. Dec. Hex.
1 1 255 FF EBCDIC All subtype 2 and above Subject's distinguished name from the current ACEE
2 2 255 FF EBCDIC All subtype 2 and above Issuers distinguished name from current ACEE
3 3 246 F6 EBCDIC All subtype 2 and above Resource name
4 4 8 8 EBCDIC All subtype 2 and above Class name
5 5 246 F6 EBCDIC All subtype 2 and above Profile name
6 6 7 7 EBCDIC All subtype 2 and above FMID of the product requesting event logging
7 7 255 FF EBCDIC All subtype 2 and above Name of the product requesting event logging
8 8 255 FF EBCDIC All subtype 2 and above Log string
9 9 8 8 Binary All subtype 2 and above Link value
10 A 510 1FE EBCDIC All subtype 2 and above Authenticated user name
11 B 255 FF EBCDIC All subtype 2 and above Authenticated user registry name
12 C 128 80 EBCDIC All subtype 2 and above Authenticated user host name
13 D 16 10 EBCDIC All subtype 2 and above Authenticated user authentication mechanism object identifier (OID)
14 E 246 F6 UTF-8 All, except 68, 71, 79, 81, 82, and 85 Authenticated distributed identity user name
15 F 255 FF UTF-8 All, except 68, 71, 79, 81, 82, and 85 Authenticated distributed identity user registry
100 64 8 8 EBCDIC Subtype 7 User ID
101 65 20 14 EBCDIC Subtype 7 Factor name
102 66 255 FF EBCDIC Subtype 7 Policy name
103 67 16 10 EBCDIC Subtype 7 IDT JWT claim
104 68 8 8 EBCDIC Subtype 7 Address space userid
105 69 8 8 EBCDIC Subtype 7 Application name
106 6A 8 8 EBCDIC Subtype 7 Security manager derived application name
107 6B 3 3 EBCDIC Subtype 7 Session type (see ICHRUTKN for values)
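Tables 1 to 3 describe a fixed 96-byte security section followed by a run of type/length/data relocate entries. The decoder below is an added example (not IBM code) that unpacks the security section, walks the relocates and refuses a truncated one, decodes the EBCDIC and packed-decimal fields, applies IBM's high-order-first bit numbering to the flag fields, and flags the qualifiers an analyst cares about (violation, bypassed, failed factor). The sample record is constructed by build_record, not captured from a system; code page 037 for the EBCDIC fields, the placement of the relocates directly after the security section in the buffer handed in, the decimal reading of the SMF83EVQ values, and names such as TOTP1 and POL1 are all assumptions of this example.

```python
"""Decode an IBM MFA SMF type 83 subtype 7 record: the security section
(Table 1) and the relocate sections (Tables 2 and 3), then triage it.
Added example, not IBM code.  Assumptions not stated on the page:
  - the caller has already cut out the security section (offset 0 here)
    and the relocate sections, assumed to follow it directly;
  - EBCDIC fields are code page 037;
  - SMF83EVQ values in the table are decimal.
IBM numbers bits from the high-order end, so bit 0 of SMF83DES is 0x8000.
"""
import struct

EBCDIC = "cp037"
SEC_FMT = ">IHBB8s8sHHBBBB8s8sI4s8sBB4s8sBB8s8s"  # Table 1 layout, 96 bytes
SEC_LEN = struct.calcsize(SEC_FMT)

EVT = {1: "in-band", 2: "out-of-band", 3: "get CTC"}
EVQ = {0: "success", 1: "out-of-band token issued", 8: "invalid credential",
       9: "could not evaluate", 10: "expired credential",
       11: "new credential not valid", 12: "re-authenticate", 13: "bypassed"}
# Relocate types this example names; any other type is kept as "type_<n>".
RELOC = {3: "resource", 4: "class", 100: "user_id", 101: "factor",
         102: "policy", 103: "idt_jwt_claim", 104: "as_userid",
         105: "application", 106: "sm_application", 107: "session_type"}


def bits_set(value, width):
    """IBM-numbered bit positions (0 = high-order) that are set in value."""
    return [i for i in range(width) if (value >> (width - 1 - i)) & 1]


def packed_date(raw):
    """Decode SMF83RSD (0cyydddF packed) to (year, day_of_year); None if zero."""
    digits = raw.hex()  # packed decimal: each nibble is one decimal digit
    if digits == "00000000":
        return None
    c, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    return 1900 + 100 * c + yy, ddd


def parse_security(buf):
    """Unpack the 96-byte security section into a dict of decoded fields."""
    f = struct.unpack(SEC_FMT, buf[:SEC_LEN])

    def txt(b):
        return b.decode(EBCDIC).rstrip()

    return {"link": f[0], "des": bits_set(f[1], 16),
            "evt": EVT.get(f[2], f"unknown({f[2]})"),
            "evq": EVQ.get(f[3], f"unknown({f[3]})"),
            "user": txt(f[4]), "group": txt(f[5]), "reason": bits_set(f[9], 8),
            "terminal": txt(f[12]), "job": txt(f[13]),
            "reader_date": packed_date(f[15]), "vrm": txt(f[19]),
            "seclabel": txt(f[20]), "as_user": txt(f[23]), "as_group": txt(f[24])}


def parse_relocates(buf):
    """Walk SMF83TP2 / SMF83DL2 / SMF83DA2 triples; refuse truncated entries."""
    out, pos = {}, 0
    while pos + 4 <= len(buf):
        tp, dl = struct.unpack_from(">HH", buf, pos)
        data = buf[pos + 4:pos + 4 + dl]
        if len(data) != dl:
            raise ValueError(f"relocate type {tp} truncated at offset {pos}")
        if tp == 9:                      # link value is binary (Table 3)
            val = data
        elif tp in (14, 15):             # distributed identity fields are UTF-8
            val = data.decode("utf-8")
        else:
            val = data.decode(EBCDIC).rstrip()
        out[RELOC.get(tp, f"type_{tp}")] = val
        pos += 4 + dl
    return out


def parse_record(buf):
    rec = parse_security(buf)
    rec["relocates"] = parse_relocates(buf[SEC_LEN:])
    return rec


def triage(rec):
    """Flags an analyst would raise on one MFA audit record."""
    flags = []
    if 0 in rec["des"]:
        flags.append("VIOLATION")
    if rec["evq"] == "bypassed":        # qualifier 13 is documented as in-band only
        flags.append("MFA_BYPASSED" if rec["evt"] == "in-band" else "BYPASS_NOT_IN_BAND")
    if rec["evq"] in ("invalid credential", "expired credential", "new credential not valid"):
        flags.append("FAILED_FACTOR")
    return flags


def build_record(evt, evq, user, des=0, reason=0, relocates=()):
    """Constructed sample record (not captured from a real system)."""
    def e(s, n):
        return s.ljust(n).encode(EBCDIC)

    sec = struct.pack(SEC_FMT, 0x1234, des, evt, evq, e(user, 8), e("SYS1", 8),
                      0, 0, 0, reason, 0, 0, e("TCP00001", 8), e("USERJOB", 8),
                      0, bytes.fromhex("0124032F"), e("", 8), 8, 0, e("", 4),
                      e("", 8), 0, 0, e(user, 8), e("SYS1", 8))
    rel = b"".join(struct.pack(">HH", tp, len(v.encode(EBCDIC))) + v.encode(EBCDIC)
                   for tp, v in relocates)
    return sec + rel


if __name__ == "__main__":
    sample = build_record(1, 13, "ALICE", des=0x0800,
                          relocates=((100, "ALICE"), (101, "TOTP1"), (102, "POL1")))
    rec = parse_record(sample)
    print(rec["user"], rec["evt"], rec["evq"], rec["relocates"], triage(rec))
```

In a real record the standard SMF header and the type 83 product section precede the security section and locate it and the relocates; cutting those out is left to the caller here. The bits_set helper is the part most often got wrong when reading IBM record layouts: "bit 0" is the leftmost bit, so testing flags with 1 << n silently checks the wrong position.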

Audit records for successful IBM MFA authentications

Audit records for unsuccessful IBM MFA authentications are always created; their creation cannot be suppressed. You can, however, selectively control the creation of audit records for successful IBM MFA authentications by defining the following MFADEF class AUDIT profiles, as appropriate, with AUDIT(SUCCESSES) specified on the profile:
Table 4. MFADEF AUDIT profiles
Profile Description
AUDIT.RACROUTE.<userid> RACROUTE authentication using a password or passphrase.
AUDIT.WEB.<userid> IBM MFA web server authentication.
AUDIT.IDT.<userid> RACROUTE authentication using an identity token.
AUDIT.GETCTC.<userid> Callable service R_factor function GetCTC authentication.

You can define a generic profile, such as AUDIT.RACROUTE.* or AUDIT.WEB.A*, to enable audit record creation for successful IBM MFA authentications. If multiple AUDIT profiles match the requested resource name, standard RACF rules determine which profile is used.

To stop audit record creation for successful authentications, delete or alter the MFADEF AUDIT profile with AUDIT(FAILURES) specified. After any addition, modification, or deletion of the MFADEF AUDIT profiles, perform an IPL or issue a SETROPTS RACLIST(MFADEF) REFRESH command to make the change effective.