Security requirements for collecting UNIX System Services logs

The Data Collector or the Log Forwarder can gather z/OS® log data from z/OS UNIX log files. Before it reads a file, the Data Collector or the Log Forwarder calls stat() on the z/OS UNIX file to determine whether it has the authority to read it. You must ensure that the user ID that is associated with the Data Collector or the Log Forwarder has execute (search) permission on every directory in the path that leads to the z/OS UNIX log files and read permission on the log files themselves.

Note: The examples in this topic assume that HBOLGF is the user ID that is associated with the Data Collector or the Log Forwarder started task. Change it if a different user ID is used.
Complete one of the following options to grant the Data Collector or the Log Forwarder user ID access to the z/OS UNIX log files, depending on your UNIX System Services file system security decisions.
  • Option 1: Set the Data Collector or the Log Forwarder started task to run with the RACF® TRUSTED attribute.
    RALTER STARTED <profile-name> STDATA(TRUSTED(YES))
    SETROPTS RACLIST(STARTED) REFRESH
    
    <profile-name> is the STARTED class profile name that is defined for the Data Collector or the Log Forwarder started task. You can use the RLIST STARTED command to display the profile name.
  • Option 2: Give user ID HBOLGF superuser authority.
    You can give HBOLGF superuser authority by changing its UID to 0. Use the ALTUSER command to change the UID:
    ALTUSER HBOLGF OMVS(UID(0))
    You can also permit HBOLGF to the BPX.SUPERUSER resource in the FACILITY class to grant superuser authority:
    PERMIT BPX.SUPERUSER CLASS(FACILITY) ID(HBOLGF) ACCESS(READ)
    SETROPTS RACLIST(FACILITY) REFRESH
    
  • Option 3: Use chmod
    Permission bits specify read authority, write authority, and search (execute) authority for a file or a directory. Use chmod to change the mode of a file or directory. For more information, see the chmod command documentation.
    chmod o+r <file>
    chmod o+x <directories>
    umask o+x
    
    chmod o+r <file>
    Grant read permission to the log files.
    chmod o+x <directories>
    Grant execute (search) permission to all directories in the path that leads to the z/OS UNIX log file.
    umask o+x
    Change the default permission that is applied to files and sub-directories created afterward. umask sets the file mode creation mask of the process that runs it and takes no directory argument, so set it in the environment of the process that creates the log files.
  • Option 4: Administer access control lists (ACLs) using z/OS UNIX commands

    ACLs provide a more granular level of access control for files and directories, allowing you to control access by individual UIDs and GIDs. When changing the permission bits for all other users with chmod is not an option and the FSSEC class is active so that ACLs are used, follow these instructions.

    To change a directory's access ACL so that HBOLGF has read access, run the following commands:
    setfacl -m user:HBOLGF:+x <logging-directories>
    cd <logging-directories>
    setfacl -m user:HBOLGF:+r *
    setfacl -m default:user:HBOLGF:+x <logging-directories>
    setfacl -m fdefault:user:HBOLGF:+r $(find <logging-directories> -type d)
    
    <logging-directories>
    <logging-directories> specifies the directories in the path that leads to the z/OS UNIX log file.
    setfacl -m user:HBOLGF:+r *
    Modifies ACLs to add read permission.
    setfacl -m default:user:HBOLGF:+x <logging-directories>
    Modifies the default directory ACL entry, so that user ID HBOLGF has the required access to new logging directories.
    setfacl -m fdefault:user:HBOLGF:+r $(find <logging-directories> -type d)
    Modifies the default file ACL entry, so that user ID HBOLGF has the required access to new logging files.
    To display access ACL information for a file or a directory, run the following commands:
    getfacl <file>
    getfacl -a -f -d <directory>
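The following script is an added example and is not part of the IBM documentation or the product. It verifies the permission model described above for Option 3: every directory in the path must grant search (execute) permission and the log file must grant read permission, mirroring the stat()-based check the Data Collector or the Log Forwarder performs. It parses the mode string printed by POSIX ls -ld rather than using test -r, so it reports what the "other" permission bits actually grant even when run by a superuser. The log path and the assumption that HBOLGF falls into the "other" class (neither owner nor group of the files) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM documentation. Walks the path to a log file
# and checks the permission bits for the "other" class, which is the class the
# chmod o+r / chmod o+x commands in Option 3 modify. Assumes the collector
# user ID (HBOLGF in this topic) is neither owner nor group member of the files.

# Print the rwx triple for the "other" class of one path, e.g. "r-x".
# Uses only POSIX ls -ld and cut so it runs in the z/OS UNIX shell too.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Return 0 when every directory leading to the file has o+x (search) and the
# file has o+r; print the first missing permission and return 1 otherwise.
check_log_access() {
    target="$1"
    case "$target" in
        /*) ;;
        *) target="$(pwd)/$target" ;;   # make the path absolute
    esac

    # Walk from the root down, one directory component at a time.
    dir="/"
    rest="${target#/}"
    while [ "$rest" != "${rest#*/}" ]; do
        comp="${rest%%/*}"
        rest="${rest#*/}"
        dir="${dir%/}/$comp"
        # "t" is the sticky bit shown in the execute position (e.g. /tmp);
        # it still implies search permission for others.
        case "$(other_bits "$dir")" in
            ??[xt]) ;;
            *) echo "missing o+x on directory $dir"; return 1 ;;
        esac
    done

    case "$(other_bits "$target")" in
        r??) echo "ok: $target is readable (directory search + file read)"; return 0 ;;
        *) echo "missing o+r on file $target"; return 1 ;;
    esac
}

# Usage: sh check_log_access.sh /path/to/app.log  (path is an assumption)
if [ $# -gt 0 ]; then
    check_log_access "$1"
fi
```

The check reports the first directory that lacks search permission, which is the usual cause of an unexplained read failure after chmod o+r was applied to the file alone. It looks only at the classic permission bits; when access is granted through ACLs (Option 4), use getfacl as shown above instead, because ls -ld shows at most a "+" marker for ACL entries.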