Record type 83: Security events

Record type 83 is a processing record for auditing security-related events. A security event can be an authentication or authorization attempt. The service detecting the event might be RACF® or another z/OS® component. The specific component is identified by the product section of the SMF type 83 record.
Notes:
  1. Subtype 1 - Record type 83 subtype 1 is a RACF processing record for auditing data sets that are affected by a RACF command (ADDSD, ALTDSD, and DELDSD) that caused the security label to be changed. These records are generated when SETROPTS MLACTIVE is in effect and a RACF command (ALTDSD, ADDSD, DELDSD) has been issued that changed the security label of a data set profile. The SMF type 83 subtype 1 record contains the names of the cataloged data sets affected by the security label change.

    A link value is contained in both the SMF type 80 record for the RACF command and the SMF type 83 subtype 1 record. The link value is used to connect the list of data set names that are affected by the security label change with the RACF command that caused the change.

    The event codes and qualifiers for record type 83 subtype 1 are the same as for type 80 records.

  2. Subtype 2 - SMF type 83 subtype 2 records contain Enterprise Identity Mapping (EIM) audit data.
  3. Subtype 3 - SMF type 83 subtype 3 records contain LDAP audit data.
  4. Subtype 4 - SMF type 83 subtype 4 records contain information from the R_auditx remote auditing service. For more information about SMF type 83 audit records, see R_auditx (IRRSAX00 or IRRSAX64): Audit a security-related event in z/OS Security Server RACF Callable Services.
  5. Subtype 5 - SMF type 83 subtype 5 records contain WebSphere® audit data.
  6. Subtype 6 - SMF type 83 subtype 6 records contain TKLM audit data.
  7. Subtype 7 - SMF type 83 subtype 7 records contain IBM Z Multi-Factor Authentication data. For more information about record type 83 subtype 7, see IBM MFA SMF Record type 83 subtype 7 records in IBM Z Multi-Factor Authentication Installation and Customization.

The format is:

Offsets
Dec. Hex. Name Length Format Description
0 0 SMF83LEN 2 Binary Record length.
2 2 SMF83SEG 2 Binary Segment descriptor.
4 4 SMF83FLG 1 Binary System indicator
    Bit  Meaning when set
    0    Subsystem identification follows system identification
    1    Subtypes used
    2    Reserved for IBM®'s use
    3    MVS™/
    4    MVS/
    5    MVS/
    6    VS2
    7    Reserved for IBM's use.
    Note: For MVS/, bits 3, 4, 5, and 6 are on.
5 5 SMF83RTY 1 Binary Record type: 83 (X'53').
6 6 SMF83TME 4 Binary Time of day, in hundredths of a second, that the record was moved to the SMF buffer.
10 A SMF83DTE 4 EBCDIC Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign).
14 E SMF83SID 4 EBCDIC System identification (from the SID parameter).
18 12 SMF83SSI 4 EBCDIC Subsystem identification RACF.
22 16 SMF83TYP 2 Binary Record subtype
    1    See Subtype 1
    2    See Subtype 2 and above
24 18 SMF83TRP 2 Binary Number of triplets.
26 1A SMF83XXX 2   Reserved for IBM's use.
28 1C SMF83OPD 4 Binary Offset to product section.
32 20 SMF83LPD 2 Binary Length of product section.
34 22 SMF83NPD 2 Binary Number of product sections.
36 24 SMF83OD1 4 Binary Offset to security section.
40 28 SMF83LD1 2 Binary Length of security section.
42 2A SMF83ND1 2 Binary Number of security sections.
44 2C SMF83OD2 4 Binary Offset to relocate section.
48 30 SMF83LD2 2 Binary Length of relocate section.
50 32 SMF83ND2 2 Binary Number of relocate sections.
  Product section: See Product section for details.
  Security section: See Security section for details.
  Relocate sections: See Relocate sections for details.

Product section

The product section exists in all SMF type 83 records. It is completed for subtype 1 records.

The product section in the record can be located by adding the SMF83OPD field to the beginning of the SMF record.

The product section is mapped in the following table.

Table 1. RACF SMF type 83 record product section
Offsets
Dec. Hex. Name Length Format Description
0 0 SMF83RVN 4 EBCDIC Product version, release, and modification level number.
4 4 SMF83PNM 4 EBCDIC Product name

Security section

The security section is common to all record type 83 subtypes. It identifies the specific event and the result.

The information in the security section and the relocate sections provide additional information about the event.
  • The user identity or identities used by the product or component for purposes of the authentication or authorization request
  • The authority required for the request to succeed
  • The authority the user has
  • The reasons for logging the event
    1. includes the user identity used to determine why to log
    2. includes the resource used to determine why to log
    Note: In general, RACF searches for reasons for auditing an event until it finds one, then audits without looking for more reasons that might also have caused auditing. This means that most RACF SMF records will show only one reason for auditing, even though several might apply (and in a few cases, more than one might actually be shown in the record). There are many places in RACF that audit, and the order of checking is not the same in all places, so the audit reason that will be used is not entirely predictable. In some cases it would not even be possible for RACF to look for additional potential audit reasons without causing adverse performance impact to the system. For example, SPECIAL users are often granted access to a resource without even reading the resource profile that protects it, so no information is available about what auditing options the profile might have requested.

Any authentication or authorization request may succeed or fail because of one of several authority checks that grant access to the system or resource. The information in the audit record is limited to the specific authority check that succeeded or failed. The audit record does not contain all of the authorities the user has or all of the authorities that could allow access to the system or resource.

The security section in the record can be located by adding the SMF83OD1 field to the beginning of the SMF record.

Subtype 1

Offsets
Dec. Hex. Name Length Format Description
Security section:
0 0 SMF83LNK 4 Binary Same LINK value as that in the SMF type 80 record for the associated command. Connects the data set names in type 83 records with the RACF command that caused the security label change.
4 4 SMF83DES 2 Binary Descriptor flags
    Bit   Meaning when set
    0     The event is a violation
    1     User is not defined to RACF
    2     Record contains a version indicator (see SMF83VER)
    3     The event is a warning
    4     Record contains a version, release, and modification level number (see SMF83VRM)
    5-15  Reserved for IBM's use.
6 6 SMF83EVT 1 Binary Event code.
7 7 SMF83EVQ 1 Binary Event code qualifier.
8 8 SMF83USR 8 EBCDIC Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
16 10 SMF83GRP 8 EBCDIC Group to which the user was connected (stepname is used if the user is not defined to RACF).
24 18 SMF83REL 2 Binary Offset to the first relocate section from beginning of record header.
26 1A SMF83CNT 2 Binary Count of the number of relocate sections.
28 1C SMF83ATH 1 Binary Authorities used for executing commands or accessing resources
    Bit  Meaning when set
    0    Normal authority check (resource access)
    1    SPECIAL attribute (command processing)
    2    OPERATIONS attribute (resource access, command processing)
    3    AUDITOR attribute (command processing)
    4    Installation exit processing (resource access)
    5    Failsoft processing (resource access)
    6    Bypassed-user ID = *BYPASS* (resource access)
    7    Trusted attribute (resource access).
29 1D SMF83REA 1 Binary Reason for logging. These flags indicate the reason RACF produced the SMF record
    Bit  Meaning when set
    0    SETROPTS AUDIT(class) changes to this class of profile are being audited.
    1    User being audited
    2    SPECIAL users being audited
    3    Access to the resource is being audited because of the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing.
    4    RACINIT failure
    5    This command is always audited
    6    Violation detected in command and CMDVIOL is in effect
    7    Access to entity being audited because of GLOBALAUDIT option.
30 1E SMF83TLV 1 Binary Terminal level number of foreground user (zero if not available).
31 1F SMF83ERR 1 Binary Command processing error flag
    Bit  Meaning when set
    0    Command had error and RACF could not back out some changes
    1    No profile updates were made because of error in RACF processing
    2-7  Reserved for IBM's use.
32 20 SMF83TRM 8 EBCDIC Terminal ID of foreground user (zero if not available).
40 28 SMF83JBN 8 EBCDIC Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
48 30 SMF83RST 4 Binary Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
52 34 SMF83RSD 4 Packed Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
56 38 SMF83UID 8 EBCDIC User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
64 40 SMF83VER 1 Binary Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF83VRM is used instead.
65 41 SMF83RE2 1 Binary Additional reasons for logging
    Bit  Meaning when set
    0    Security level control for auditing
    1    Auditing by LOGOPTIONS
    2    Audited because of SETROPTS SECLABELAUDIT
    3    Class being audited because of SETROPTS COMPATMODE
    4-7  Reserved for IBM's use.
66 42 SMF83VRM 4 EBCDIC FMID for RACF
    2020  RACF 2.2 and OS/390® Security Server (RACF) V1 R2
    2030  OS/390 Security Server (RACF) V1 R3
    2040  OS/390 Security Server (RACF) V2 R4
    2060  OS/390 Security Server (RACF) V2 R6
    2608  OS/390 Security Server (RACF) V2 R8
    7703  OS/390 Security Server (RACF) V2 R10 and z/OS Security Server (RACF) V1 R1
    7705  z/OS Security Server (RACF) V1 R2
    7706  z/OS Security Server (RACF) V1 R3
    7707  z/OS Security Server (RACF) V1 R4
    7708  z/OS Security Server (RACF) V1 R5
    7709  z/OS Security Server (RACF) V1 R6
    7720  z/OS Security Server (RACF) V1 R7
    7730  z/OS Security Server (RACF) V1 R8
    7740  z/OS Security Server (RACF) V1 R9
    7750  z/OS Security Server (RACF) V1 R10
    7760  z/OS Security Server (RACF) V1 R11
    7770  z/OS Security Server (RACF) V1 R12
    7780  z/OS Security Server (RACF) V1 R13
    7790  z/OS Security Server (RACF) V2 R1
    77A0  z/OS Security Server (RACF) V2 R2
    77B0  z/OS Security Server (RACF) V2 R3
    77C0  z/OS Security Server (RACF) V2 R4
    77D0  z/OS Security Server (RACF) V2 R5
70 46 SMF83SEC 8 EBCDIC Security label of the user.

Subtype 2 and above

Offsets
Dec. Hex. Name Length Format Description
Security section:
0 0 SMF83LNK 4 Binary Value used to link several SMF 83 records to a single event.
4 4 SMF83DES 2 Binary Descriptor flags
    Bit   Meaning when set
    0     The event is a violation
    1     User is not defined to RACF
    2     Reserved
    3     The event is a warning
    4     Record contains a version, release, and modification level number (see SMF83VRM)
    5     The caller of the R_auditx service indicated always log
    6-15  Reserved
6 6 SMF83EVT 1 Binary Event code.
7 7 SMF83EVQ 1 Binary Event code qualifier.
8 8 SMF83USR 8 EBCDIC Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
16 10 SMF83GRP 8 EBCDIC Group to which the user was connected (stepname is used if the user is not defined to RACF).
24 18 SMF83REL 2 Binary Reserved
26 1A SMF83CNT 2 Binary Reserved
28 1C SMF83ATH 1 Binary Authorities used for processing commands or accessing resources
    Bit  Meaning when set
    0-7  Reserved
29 1D SMF83REA 1 Binary Reason for logging. These flags indicate the reason RACF produced the SMF record
    Bit  Meaning when set
    0    SETROPTS AUDIT(class) changes to this class of profile are being audited.
    1    User being audited
    2    SPECIAL users being audited
    3    Access to the resource is being audited because of the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACROUTE REQUEST=AUTH exit routine, or because the operator granted access during failsoft processing.
    4    RACROUTE REQUEST=VERIFY or initACEE failure.
    5    This command is always audited
    6    Violation detected in command and CMDVIOL is in effect
    7    Access to entity being audited because of GLOBALAUDIT option.
30 1E SMF83TLV 1 Binary Terminal level number of foreground user (zero if not available).
31 1F SMF83ERR 1 Binary Command processing error flag
    Bit  Meaning when set
    0    Command had error and RACF could not back out some changes
    1    No profile updates were made because of error in RACF processing
    2-7  Reserved
32 20 SMF83TRM 8 EBCDIC Terminal ID of foreground user (zero if not available).
40 28 SMF83JBN 8 EBCDIC Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
48 30 SMF83RST 4 Binary Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
52 34 SMF83RSD 4 Packed Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
56 38 SMF83UID 8 EBCDIC User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero.
64 40 SMF83VER 1 Binary Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF83VRM is used instead.
65 41 SMF83RE2 1 Binary Additional reasons for logging
    Bit  Meaning when set
    0    Security level control for auditing
    1    Auditing by LOGOPTIONS
    2    Class being audited because of SETROPTS SECLABELAUDIT
    3    Class being audited because of SETROPTS COMPATMODE
    4    Audited because of SETROPTS APPLAUDIT
    5    Audited because user not defined to z/OS UNIX
    6    Audited because user does not have appropriate authority for z/OS UNIX
    7    Reserved
66 42 SMF83VRM 4 EBCDIC FMID for RACF
70 46 SMF83SEC 8 EBCDIC Security Label of the User.
78 4E SMF83AU2 1 Binary Authority used continued
    Bit  Meaning when set
    0    z/OS UNIX superuser
    1    z/OS UNIX system function
    2-7  Reserved
79 4F SMF83RSV 4 Binary Reserved
80 50 SMF83US2 8 EBCDIC Identifier of the address space user associated with this event.
88 58 SMF83GR2 8 EBCDIC Group to which the address space user was connected.

Relocate sections

Two types of relocate sections may be used by type 83 records: standard relocates or extended relocates. They are described below.

The start of the relocate sections in the record can be located by adding the SMF83OD2 field to the beginning of the SMF record.

The relocate sections for subtype 1 use the standard relocate section format. The data types for the relocate sections for subtype 1 are described in the Table of relocate section variable data.

The relocate sections for subtypes 2 and above use the extended relocate section format. The data types (that is, relocate types) for the subtypes are documented with the product or component that reported the security event. Data type values of 100 and above are reserved for product or component use.

Table 2. RACF SMF record relocate section format
Offsets          
Dec. Hex. Name Length Format Description
RACF SMF record standard relocate section format:
0 0 SMF83DTP 1 Binary Data type
1 1 SMF83DLN 1 Binary Length of data that follows.
2 2 SMF83DTA 1-255 (1-FF) mixed Data
RACF SMF record extended relocate section format:
0 0 SMF83TP2 2 Binary Data type
2 2 SMF83DL2 2 Binary Length of data that follows.
4 4 SMF83DA2 variable EBCDIC Data

The relocate data type values 1-99 that appear in an SMF type 83 subtype 2 or above record are reserved for use by the RACF auditing services. The following table lists those relocate data types that have been assigned. These data types are used only for SMF type 83 subtype 2 records and above.

Table 3. RACF SMF type 83 subtype 2 and above relocates
Data type (SMF83TP2) Max data length (SMF83DL2) Format Audited by event code Description
Dec. Hex. Dec. Hex.
1 1 255 FF EBCDIC All subtype 2 and above Subject's distinguished name from the current ACEE
2 2 255 FF EBCDIC All subtype 2 and above Issuer's distinguished name from the current ACEE
3 3 246 F6 EBCDIC All subtype 2 and above Resource name
4 4 8 8 EBCDIC All subtype 2 and above Class name
5 5 246 F6 EBCDIC All subtype 2 and above Profile name
6 6 7 7 EBCDIC All subtype 2 and above FMID of the product requesting event logging
7 7 255 FF EBCDIC All subtype 2 and above Name of the product requesting event logging
8 8 255 FF EBCDIC All subtype 2 and above Log string
9 9 8 8 Binary All subtype 2 and above Link value
10 A 510 1FE EBCDIC All subtype 2 and above Authenticated user name
11 B 255 FF EBCDIC All subtype 2 and above Authenticated user registry name
12 C 128 80 EBCDIC All subtype 2 and above Authenticated user host name
13 D 16 10 EBCDIC All subtype 2 and above Authenticated user authentication mechanism object identifier (OID)
14 E 246 F6 UTF-8 All, except 68, 71, 79, 81, 82, and 85 Authenticated distributed identity user name
15 F 255 FF UTF-8 All, except 68, 71, 79, 81, 82, and 85 Authenticated distributed identity user registry
100 64 8 8 EBCDIC Subtype 7 User ID
101 65 20 14 EBCDIC Subtype 7 Factor name
102 66 255 FF EBCDIC Subtype 7 Policy name
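
Added example (not IBM's code): a Python reader that follows the layout above for subtype 2 and above, locating the product and security sections through SMF83OPD and SMF83OD1 and walking the extended relocates from SMF83OD2 with bounds checks so a truncated record is rejected rather than over-read. Assumptions: the buffer still starts at SMF83LEN, SMF83ND2 is treated as the number of relocates to walk, EBCDIC is decoded as code page 037, and build_sample() produces a constructed record, not real audit data.

```python
import struct

EBCDIC = "cp037"  # assumption: code page 037; use your site's EBCDIC page

def ebc(raw):
    """Decode a fixed-width EBCDIC field, dropping blank or zero padding."""
    return raw.decode(EBCDIC).rstrip(" \x00")

def decode_relocate(dtype, data):
    """Decode relocate data using the Format column of Table 3."""
    if dtype in (14, 15):                      # distributed identity: UTF-8
        return data.decode("utf-8", "replace")
    if dtype == 9 or dtype >= 100:             # binary link value, or product-defined type
        return data.hex()
    return ebc(data)

def parse_smf83(rec):
    """Parse a subtype 2+ record; offsets count from the record start (SMF83LEN)."""
    if len(rec) < 52 or rec[5] != 83:
        raise ValueError("not an SMF type 83 record")
    subtype = struct.unpack_from(">H", rec, 22)[0]
    opd, _, _, od1, _, _, od2, _, nd2 = struct.unpack_from(">IHHIHHIHH", rec, 28)
    if subtype < 2 or max(opd + 8, od1 + 24) > len(rec):
        raise ValueError("unsupported subtype or truncated record")
    des = struct.unpack_from(">H", rec, od1 + 4)[0]
    out = {"subtype": subtype, "product": ebc(rec[opd + 4:opd + 8]),
           "violation": bool(des & 0x8000),    # bit 0 is the high-order bit
           "warning": bool(des & 0x1000),      # bit 3
           "event": rec[od1 + 6], "qualifier": rec[od1 + 7],
           "user": ebc(rec[od1 + 8:od1 + 16]), "group": ebc(rec[od1 + 16:od1 + 24]),
           "relocates": []}
    pos = od2
    for _ in range(nd2):                       # extended format: 2-byte type, 2-byte length
        if pos + 4 > len(rec):
            raise ValueError("relocate header overruns record")
        dtype, dlen = struct.unpack_from(">HH", rec, pos)
        if pos + 4 + dlen > len(rec):
            raise ValueError("relocate data overruns record")
        out["relocates"].append((dtype, decode_relocate(dtype, rec[pos + 4:pos + 4 + dlen])))
        pos += 4 + dlen
    return out

def build_sample():
    """Constructed record, not real audit data: subtype 4 violation, two relocates."""
    e = lambda s, n: s.ljust(n).encode(EBCDIC)
    prod = e("0100", 4) + e("RACF", 4)         # constructed SMF83RVN and SMF83PNM values
    sec = struct.pack(">IHBB", 1, 0x8000, 1, 1) + e("IBMUSER", 8) + e("SYS1", 8) + bytes(72)
    rel = b"".join(struct.pack(">HH", t, len(d)) + d
                   for t, d in [(4, e("FACILITY", 8)), (14, b"alice@example.com")])
    trip = struct.pack(">IHHIHHIHH", 52, 8, 1, 60, 96, 1, 156, len(rel), 2)
    body = (bytes([0x40, 83]) + bytes(8) + e("SYS1", 4) + e("RACF", 4)
            + struct.pack(">HHH", 4, 3, 0) + trip + prod + sec + rel)
    return struct.pack(">HH", len(body) + 4, 0) + body
```

Types 100 and above are returned as hex because their format is defined by the reporting product; the subtype 7 entries in Table 3 can be decoded with ebc() instead.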