RACF® writes audit records
for the z/OS UNIX System Services
events in SMF type 80 records. The following classes are defined
to control auditing:
The classes are in the class descriptor table (ICHRRCDX). No
profiles can be defined in these classes. They are for audit purposes
only. These classes do not need to be active to be used to control z/OS UNIX System Services
Activating the classes has no effect on auditing or authorization
checking, except for the FSSEC class, which enables the use of ACLs
in authorization checking.
Audit records are always written for security decisions made during RACF callable services involving
resources in these z/OS® UNIX classes when the user has the
UAUDIT attribute, regardless of the LOGOPTIONS and AUDIT settings.
In addition, audit records are always written, and there is no option to turn them off, when one
of the following conditions occurs:
- A user who is not defined as a z/OS
UNIX System Services user tries to dub a process
- An unauthorized user tries to mount or unmount a file system
For more details about z/OS
UNIX System Services events for which audit records are always
written, see z/OS UNIX System Services Planning
You can use profiles in the UNIXPRIV class to audit certain superuser
functions. For more information about this z/OS UNIX System Services class,
see Auditing for superuser authority in the UNIXPRIV class.