IBM MFA SMF Record type 83 subtype 7 records
This section describes the IBM® MFA system management facilities (SMF) Record type 83 subtype 7 records.
As described in RACF Audit Record For Data Sets, Record type 83 is a RACF processing record. For complete information about Record type 83 records, see Record type 83: Security events.
Record type 83 subtype 7 security section
Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83LNK | 4 | Binary | Value used to link several SMF 83 records to a single event. |
4 | 4 | SMF83DES | 2 | Binary | Descriptor flags |
6 | 6 | SMF83EVT | 1 | Binary | Event code. Possible values are as follows: |
7 | 7 | SMF83EVQ | 1 | Binary | Event code qualifier. Possible values are as follows: |
8 | 8 | SMF83USR | 8 | EBCDIC | Identifier of the user associated with this event (job name is used if the user is not defined to RACF). |
16 | 10 | SMF83GRP | 8 | EBCDIC | Group to which the user was connected (step name is used if the user is not defined to RACF). |
24 | 18 | SMF83REL | 2 | Binary | Reserved |
26 | 1A | SMF83CNT | 2 | Binary | Reserved |
28 | 1C | SMF83ATH | 1 | Binary | Authorities used for processing commands or accessing resources |
29 | 1D | SMF83REA | 1 | Binary | Reason for logging. These flags indicate the reason RACF produced the SMF record |
30 | 1E | SMF83TLV | 1 | Binary | Terminal level number of foreground user (zero if not available). |
31 | 1F | SMF83ERR | 1 | Binary | Command processing error flag |
32 | 20 | SMF83TRM | 8 | EBCDIC | Terminal ID of foreground user (zero if not available). |
40 | 28 | SMF83JBN | 8 | EBCDIC | Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
48 | 30 | SMF83RST | 4 | Binary | Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
52 | 34 | SMF83RSD | 4 | Packed | Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
56 | 38 | SMF83UID | 8 | EBCDIC | User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
64 | 40 | SMF83VER | 1 | Binary | Version indicator. 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead. |
65 | 41 | SMF83RE2 | 1 | Binary | Additional reasons for logging |
66 | 42 | SMF83VRM | 4 | EBCDIC | FMID for RACF |
70 | 46 | SMF83SEC | 8 | EBCDIC | Security Label of the User. |
78 | 4E | SMF83AU2 | 1 | Binary | Authority used continued |
79 | 4F | SMF83RSV | 4 | Binary | Reserved |
80 | 50 | SMF83US2 | 8 | EBCDIC | Identifier of the address space user associated with this event. |
88 | 58 | SMF83GR2 | 8 | EBCDIC | Group to which the address space user was connected. |
Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83TP2 | 2 | Binary | Data type. See Table 3. |
2 | 2 | SMF83DL2 | 2 | Binary | Length of data that follows. |
4 | 4 | SMF83DA2 | variable | EBCDIC | Data |
Data type (SMF83TP2), Dec. | Data type (SMF83TP2), Hex. | Max data length (SMF83DL2), Dec. | Max data length (SMF83DL2), Hex. | Format | Audited by event code | Description |
---|---|---|---|---|---|---|
1 | 1 | 255 | FF | EBCDIC | All subtype 2 and above | Subject's distinguished name from the current ACEE |
2 | 2 | 255 | FF | EBCDIC | All subtype 2 and above | Issuer's distinguished name from the current ACEE |
3 | 3 | 246 | F6 | EBCDIC | All subtype 2 and above | Resource name |
4 | 4 | 8 | 8 | EBCDIC | All subtype 2 and above | Class name |
5 | 5 | 246 | F6 | EBCDIC | All subtype 2 and above | Profile name |
6 | 6 | 7 | 7 | EBCDIC | All subtype 2 and above | FMID of the product requesting event logging |
7 | 7 | 255 | FF | EBCDIC | All subtype 2 and above | Name of the product requesting event logging |
8 | 8 | 255 | FF | EBCDIC | All subtype 2 and above | Log string |
9 | 9 | 8 | 8 | Binary | All subtype 2 and above | Link value |
10 | A | 510 | 1FE | EBCDIC | All subtype 2 and above | Authenticated user name |
11 | B | 255 | FF | EBCDIC | All subtype 2 and above | Authenticated user registry name |
12 | C | 128 | 80 | EBCDIC | All subtype 2 and above | Authenticated user host name |
13 | D | 16 | 10 | EBCDIC | All subtype 2 and above | Authenticated user authentication mechanism object identifier (OID) |
14 | E | 246 | F6 | UTF-8 | All, except 68, 71, 79, 81, 82, and 85 | Authenticated distributed identity user name |
15 | F | 255 | FF | UTF-8 | All, except 68, 71, 79, 81, 82, and 85 | Authenticated distributed identity user registry |
100 | 64 | 8 | 8 | EBCDIC | Subtype 7 | User ID |
101 | 65 | 20 | 14 | EBCDIC | Subtype 7 | Factor name |
102 | 66 | 255 | FF | EBCDIC | Subtype 7 | Policy name |
103 | 67 | 16 | 10 | EBCDIC | Subtype 7 | IDT JWT claim |
104 | 68 | 8 | 8 | EBCDIC | Subtype 7 | Address space userid |
105 | 69 | 8 | 8 | EBCDIC | Subtype 7 | Application name |
106 | 6A | 8 | 8 | EBCDIC | Subtype 7 | Security manager derived application name |
107 | 6B | 3 | 3 | EBCDIC | Subtype 7 | Session type (see ICHRUTKN for values) |
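Added example (not IBM's code): a parser for the extended relocate sections described above, walking the SMF83TP2/SMF83DL2/SMF83DA2 triplets and enforcing the maximum lengths from the data type table. It assumes the caller has already located the relocate area within the record, that integers are big-endian, and that EBCDIC text is code page 037; `parse_relocates`, `make_reloc`, the field labels and the sample bytes are constructed for illustration.

```python
import struct

EBCDIC = "cp037"  # assumption: code page 037; site data may use another EBCDIC page

# Data type -> (label, max length, format), copied from the data type table above.
# Labels are this example's own names; only a subset of types is listed.
RELOCATES = {
    3: ("resource_name", 246, "ebcdic"),
    4: ("class_name", 8, "ebcdic"),
    5: ("profile_name", 246, "ebcdic"),
    9: ("link_value", 8, "binary"),
    14: ("distributed_user", 246, "utf-8"),
    100: ("user_id", 8, "ebcdic"),
    101: ("factor_name", 20, "ebcdic"),
    102: ("policy_name", 255, "ebcdic"),
    105: ("application_name", 8, "ebcdic"),
    107: ("session_type", 3, "ebcdic"),
}

def parse_relocates(area: bytes) -> list:
    """Walk type/length/data triplets; raise ValueError on inconsistent lengths."""
    out, pos = [], 0
    while pos < len(area):
        if len(area) - pos < 4:
            raise ValueError(f"truncated relocate header at offset {pos}")
        dtype, dlen = struct.unpack_from(">HH", area, pos)  # SMF83TP2, SMF83DL2
        data = area[pos + 4 : pos + 4 + dlen]               # SMF83DA2
        if len(data) != dlen:
            raise ValueError(f"type {dtype}: SMF83DL2={dlen} runs past the buffer")
        # Unknown types are kept as hex rather than dropped, so nothing is lost.
        label, maxlen, fmt = RELOCATES.get(dtype, (f"type_{dtype}", 0xFFFF, "binary"))
        if dlen > maxlen:
            raise ValueError(f"type {dtype}: length {dlen} exceeds maximum {maxlen}")
        if fmt == "binary":
            value = data.hex()
        else:
            codec = EBCDIC if fmt == "ebcdic" else "utf-8"
            value = data.decode(codec, errors="replace").rstrip(" \x00")
        out.append((dtype, label, value))
        pos += 4 + dlen
    return out

def make_reloc(dtype: int, text: str) -> bytes:
    """Build one EBCDIC relocate section (used only to construct sample input)."""
    raw = text.encode(EBCDIC)
    return struct.pack(">HH", dtype, len(raw)) + raw

# Constructed sample area, not captured from a real system.
SAMPLE = (make_reloc(100, "IBMUSER ") + make_reloc(101, "TESTFACT")
          + make_reloc(102, "POLICY01") + struct.pack(">HH", 9, 8) + bytes(range(8)))
```

A length that exceeds the table maximum or runs past the buffer is raised as an error rather than skipped, so a malformed record cannot shift the parser onto attacker-influenced bytes unnoticed.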
Audit records for successful IBM MFA authentications
Profile | Description |
---|---|
AUDIT.RACROUTE.<userid> | RACROUTE authentication using a password or passphrase. |
AUDIT.WEB.<userid> | IBM MFA web server authentication. |
AUDIT.IDT.<userid> | RACROUTE authentication using an identity token. |
AUDIT.GETCTC.<userid> | Callable service R_factor function GetCTC authentication. |
You can define a generic resource, such as AUDIT.RACROUTE.* or AUDIT.WEB.A*, to enable audit record creation for successful IBM MFA authentications. If multiple AUDIT profiles exist that are a match for the request resource name, then standard RACF rules determine which profile is used.
To stop audit record creation for successful authentications, delete or alter the MFADEF AUDIT profile with AUDIT(FAILURES) specified. After any addition, modification, or deletion of the MFADEF AUDIT profiles, perform an IPL or issue a SETROPTS RACLIST(MFADEF) REFRESH command to make the change effective.