Record type 83: Security events
- Subtype 1 - Record type 83 subtype 1 is a RACF processing record for auditing data sets that are affected by a RACF command (ADDSD, ALTDSD, and DELDSD) that caused the security label to be changed. These records are generated when SETROPTS MLACTIVE is in effect and a RACF command (ALTDSD, ADDSD, DELDSD) has been issued that changed the security label of a data set profile. The SMF type 83 subtype 1 record contains the names of the cataloged data sets affected by the security label change.
A link value is contained in both the SMF type 80 record for the RACF command and the SMF type 83 subtype 1 record. The link value is used to connect the list of data set names that are affected by the security label change with the RACF command that caused the change.
The event codes and qualifiers for record type 83 subtype 1 are the same as for type 80 records.
- Subtype 2 - SMF type 83 subtype 2 records contain Enterprise Identity Mapping (EIM) audit data.
- Subtype 3 - SMF type 83 subtype 3 records contain LDAP audit data.
- Subtype 4 - SMF type 83 subtype 4 records contain information from the R_auditx remote auditing service. For more information about SMF type 83 audit records, see R_auditx (IRRSAX00 or IRRSAX64): Audit a security-related event in z/OS Security Server RACF Callable Services.
- Subtype 5 - SMF type 83 subtype 5 records contain WebSphere® audit data.
- Subtype 6 - SMF type 83 subtype 6 records contain TKLM audit data.
- Subtype 7 - SMF type 83 subtype 7 records contain IBM Z Multi-Factor Authentication data. For more information about record type 83 subtype 7, see IBM MFA SMF Record type 83 subtype 7 records in IBM Z Multi-Factor Authentication Installation and Customization.
The format is:
Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83LEN | 2 | Binary | Record length. |
2 | 2 | SMF83SEG | 2 | Binary | Segment descriptor. |
4 | 4 | SMF83FLG | 1 | Binary | System indicator. Note: For MVS/, bits 3, 4, 5, and 6 are on. |
5 | 5 | SMF83RTY | 1 | Binary | Record type: 83 (X'53'). |
6 | 6 | SMF83TME | 4 | Binary | Time of day, in hundredths of a second, that the record was moved to the SMF buffer. |
10 | A | SMF83DTE | 4 | EBCDIC | Date that the record was moved to the SMF buffer, in the form 0cyydddF (where F is the sign). |
14 | E | SMF83SID | 4 | EBCDIC | System identification (from the SID parameter). |
18 | 12 | SMF83SSI | 4 | EBCDIC | Subsystem identification RACF. |
22 | 16 | SMF83TYP | 2 | Binary | Record subtype. |
24 | 18 | SMF83TRP | 2 | Binary | Number of triplets. |
26 | 1A | SMF83XXX | 2 | | Reserved for IBM's use. |
28 | 1C | SMF83OPD | 4 | Binary | Offset to product section. |
32 | 20 | SMF83LPD | 2 | Binary | Length of product section. |
34 | 22 | SMF83NPD | 2 | Binary | Number of product sections. |
36 | 24 | SMF83OD1 | 4 | Binary | Offset to security section. |
40 | 28 | SMF83LD1 | 2 | Binary | Length of security section. |
42 | 2A | SMF83ND1 | 2 | Binary | Number of security sections. |
44 | 2C | SMF83OD2 | 4 | Binary | Offset to relocate section. |
48 | 30 | SMF83LD2 | 2 | Binary | Length of relocate section. |
50 | 32 | SMF83ND2 | 2 | Binary | Number of relocate sections. |

The header is followed by these sections:
- Product section: See Product section for details.
- Security section: See Security section for details.
- Relocate sections: See Relocate sections for details.

Product section
The product section exists in all SMF type 83 records. It is completed for subtype 1 records.
The product section in the record can be located by adding the SMF83OPD field to the beginning of the SMF record.
The product section is mapped in the following table.
Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83RVN | 4 | EBCDIC | Product version, release, and modification level number. |
4 | 4 | SMF83PNM | 4 | EBCDIC | Product name |
Security section
The security section is common to all record type 83 subtypes. It identifies the specific event and the result.
- The user identity or identities used by the product or component for purposes of the authentication or authorization request
- The authority required for the request to succeed
- The authority the user has
- The reasons for logging the event
  - includes the user identity used to determine why to log
  - includes the resource used to determine why to log
Note: In general, RACF searches for reasons for auditing an event until it finds one, then audits without looking for more reasons that might also have caused auditing. This means that most RACF SMF records will show only one reason for auditing, even though several might apply (and in a few cases, more than one might actually be shown in the record). There are many places in RACF that audit, and the order of checking is not the same in all places, so the audit reason that will be used is not entirely predictable. In some cases it would not even be possible for RACF to look for additional potential audit reasons without causing adverse performance impact to the system. For example, SPECIAL users are often granted access to a resource without even reading the resource profile that protects it, so no information is available about what auditing options the profile might have requested.
Any authentication or authorization request may succeed or fail because of one of several authority checks that grant access to the system or resource. The information in the audit record is limited to the specific authority check that succeeded or failed. The audit record does not contain all of the authorities the user has or all of the authorities that could allow access to the system or resource.
The security section in the record can be located by adding the SMF83OD1 field to the beginning of the SMF record.
Subtype 1
Security section:

Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83LNK | 4 | Binary | Same LINK value as that in the SMF type 80 record for the associated command. Connects the data set names in type 83 records with the RACF command that caused the security label change. |
4 | 4 | SMF83DES | 2 | Binary | Descriptor flags. |
6 | 6 | SMF83EVT | 1 | Binary | Event code. |
7 | 7 | SMF83EVQ | 1 | Binary | Event code qualifier. |
8 | 8 | SMF83USR | 8 | EBCDIC | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF). |
16 | 10 | SMF83GRP | 8 | EBCDIC | Group to which the user was connected (stepname is used if the user is not defined to RACF). |
24 | 18 | SMF83REL | 2 | Binary | Offset to the first relocate section from beginning of record header. |
26 | 1A | SMF83CNT | 2 | Binary | Count of the number of relocate sections. |
28 | 1C | SMF83ATH | 1 | Binary | Authorities used for executing commands or accessing resources. |
29 | 1D | SMF83REA | 1 | Binary | Reason for logging. These flags indicate the reason RACF produced the SMF record. |
30 | 1E | SMF83TLV | 1 | Binary | Terminal level number of foreground user (zero if not available). |
31 | 1F | SMF83ERR | 1 | Binary | Command processing error flag. |
32 | 20 | SMF83TRM | 8 | EBCDIC | Terminal ID of foreground user (zero if not available). |
40 | 28 | SMF83JBN | 8 | EBCDIC | Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
48 | 30 | SMF83RST | 4 | Binary | Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
52 | 34 | SMF83RSD | 4 | Packed | Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
56 | 38 | SMF83UID | 8 | EBCDIC | User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
64 | 40 | SMF83VER | 1 | Binary | Version indicator: 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead. |
65 | 41 | SMF83RE2 | 1 | Binary | Additional reasons for logging. |
66 | 42 | SMF83VRM | 4 | EBCDIC | FMID for RACF. |
70 | 46 | SMF83SEC | 8 | EBCDIC | Security label of the user. |
Subtype 2 and above
Security section:

Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83LNK | 4 | Binary | Value used to link several SMF 83 records to a single event. |
4 | 4 | SMF83DES | 2 | Binary | Descriptor flags. |
6 | 6 | SMF83EVT | 1 | Binary | Event code. |
7 | 7 | SMF83EVQ | 1 | Binary | Event code qualifier. |
8 | 8 | SMF83USR | 8 | EBCDIC | Identifier of the user associated with this event (jobname is used if the user is not defined to RACF). |
16 | 10 | SMF83GRP | 8 | EBCDIC | Group to which the user was connected (stepname is used if the user is not defined to RACF). |
24 | 18 | SMF83REL | 2 | Binary | Reserved |
26 | 1A | SMF83CNT | 2 | Binary | Reserved |
28 | 1C | SMF83ATH | 1 | Binary | Authorities used for processing commands or accessing resources. |
29 | 1D | SMF83REA | 1 | Binary | Reason for logging. These flags indicate the reason RACF produced the SMF record. |
30 | 1E | SMF83TLV | 1 | Binary | Terminal level number of foreground user (zero if not available). |
31 | 1F | SMF83ERR | 1 | Binary | Command processing error flag. |
32 | 20 | SMF83TRM | 8 | EBCDIC | Terminal ID of foreground user (zero if not available). |
40 | 28 | SMF83JBN | 8 | EBCDIC | Job name. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
48 | 30 | SMF83RST | 4 | Binary | Time, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
52 | 34 | SMF83RSD | 4 | Packed | Date the reader recognized the JOB statement for this job, in the form 0cyydddF (where F is the sign). For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
56 | 38 | SMF83UID | 8 | EBCDIC | User identification field from the SMF common exit parameter area. For RACROUTE REQUEST=VERIFY and RACROUTE REQUEST=VERIFYX records for batch jobs, this field can be zero. |
64 | 40 | SMF83VER | 1 | Binary | Version indicator: 8 = Version 1, Release 8 or later. As of RACF 1.8.1, SMF83VRM is used instead. |
65 | 41 | SMF83RE2 | 1 | Binary | Additional reasons for logging. |
66 | 42 | SMF83VRM | 4 | EBCDIC | FMID for RACF |
70 | 46 | SMF83SEC | 8 | EBCDIC | Security label of the user. |
78 | 4E | SMF83AU2 | 1 | Binary | Authority used, continued. |
79 | 4F | SMF83RSV | 4 | Binary | Reserved |
80 | 50 | SMF83US2 | 8 | EBCDIC | Identifier of the address space user associated with this event. |
88 | 58 | SMF83GR2 | 8 | EBCDIC | Group to which the address space user was connected. |
Relocate sections
Two types of relocate sections may be used by type 83 records: standard relocates or extended relocates. They are described below.
The start of the relocate sections in the record can be located by adding the SMF83OD2 field to the beginning of the SMF record.
The relocate sections for subtype 1 use the standard relocate section format. The data types for the relocate sections for subtype 1 are described in the Table of relocate section variable data.
The relocate sections for subtypes 2 and above use the extended relocate section format. The data types (that is, relocate types) for the subtypes are documented with the product or component that reported the security event. Data type values of 100 and above are reserved for product or component use.
RACF SMF record standard relocate section format:

Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83DTP | 1 | Binary | Data type |
1 | 1 | SMF83DLN | 1 | Binary | Length of data that follows. |
2 | 2 | SMF83DTA | 1-255 (1-FF) | Mixed | Data |

RACF SMF record extended relocate section format:

Offset (Dec.) | Offset (Hex.) | Name | Length | Format | Description |
---|---|---|---|---|---|
0 | 0 | SMF83TP2 | 2 | Binary | Data type |
2 | 2 | SMF83DL2 | 2 | Binary | Length of data that follows. |
4 | 4 | SMF83DA2 | variable | EBCDIC | Data |

The relocate data type values 1-99 that appear in an SMF type 83 subtype 2 or above record are reserved for use by the RACF auditing services. The following table lists those relocate data types that have been assigned. These data types are used only for SMF type 83 subtype 2 records and above.
Data type (SMF83TP2), Dec. | Data type (SMF83TP2), Hex. | Max data length (SMF83DL2), Dec. | Max data length (SMF83DL2), Hex. | Format | Audited by event code | Description |
---|---|---|---|---|---|---|
1 | 1 | 255 | FF | EBCDIC | All subtype 2 and above | Subject's distinguished name from the current ACEE |
2 | 2 | 255 | FF | EBCDIC | All subtype 2 and above | Issuer's distinguished name from the current ACEE |
3 | 3 | 246 | F6 | EBCDIC | All subtype 2 and above | Resource name |
4 | 4 | 8 | 8 | EBCDIC | All subtype 2 and above | Class name |
5 | 5 | 246 | F6 | EBCDIC | All subtype 2 and above | Profile name |
6 | 6 | 7 | 7 | EBCDIC | All subtype 2 and above | FMID of the product requesting event logging |
7 | 7 | 255 | FF | EBCDIC | All subtype 2 and above | Name of the product requesting event logging |
8 | 8 | 255 | FF | EBCDIC | All subtype 2 and above | Log string |
9 | 9 | 8 | 8 | Binary | All subtype 2 and above | Link value |
10 | A | 510 | 1FE | EBCDIC | All subtype 2 and above | Authenticated user name |
11 | B | 255 | FF | EBCDIC | All subtype 2 and above | Authenticated user registry name |
12 | C | 128 | 80 | EBCDIC | All subtype 2 and above | Authenticated user host name |
13 | D | 16 | 10 | EBCDIC | All subtype 2 and above | Authenticated user authentication mechanism object identifier (OID) |
14 | E | 246 | F6 | UTF-8 | All, except 68, 71, 79, 81, 82, and 85 | Authenticated distributed identity user name |
15 | F | 255 | FF | UTF-8 | All, except 68, 71, 79, 81, 82, and 85 | Authenticated distributed identity user registry |
100 | 64 | 8 | 8 | EBCDIC | Subtype 7 | User ID |
101 | 65 | 20 | 14 | EBCDIC | Subtype 7 | Factor name |
102 | 66 | 255 | FF | EBCDIC | Subtype 7 | Policy name |
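
The following Python parser is an added example, not IBM code: it reads the header at the offsets tabulated above, locates the security section through SMF83OD1, and walks the relocates from SMF83OD2 with bounds checks, using the standard format for subtype 1 and the extended format otherwise. It assumes the buffer still begins with SMF83LEN/SMF83SEG and that code page 037 is adequate for the ID fields; `sample_record` builds a constructed subtype 7 record whose event code, user, factor and policy values are made up.

```python
import struct
from datetime import date, timedelta

EBCDIC = "cp037"                   # assumption: code page 037 covers the ID fields
HDR = ">HHBBI4s4s4sHH2xIHHIHHIHH"  # SMF83LEN through SMF83ND2 (52 bytes)
SEC = ">IHBB8s8s"                  # SMF83LNK through SMF83GRP (first 24 bytes)

def packed_date(raw):
    """Decode the packed form 0cyydddF (c = centuries after 1900)."""
    d = raw.hex()
    if not d[:7].isdigit() or d[7] != "f":
        raise ValueError("not a 0cyydddF date")
    return date(1900 + 100 * int(d[1]) + int(d[2:4]), 1, 1) + timedelta(int(d[4:7]) - 1)

def decode_relocate(subtype, dtype, data):
    if subtype == 1 or dtype == 9 or (dtype >= 100 and subtype != 7):
        return data.hex()          # mixed, binary or product-defined: keep raw
    return data.decode("utf-8" if dtype in (14, 15) else EBCDIC, "replace").rstrip()

def parse_smf83(rec):  # rec must still carry SMF83LEN/SMF83SEG at offset 0
    if len(rec) < struct.calcsize(HDR):
        raise ValueError("truncated header")
    (length, _, _, rty, _, dte, _, _, typ, _, _, _, _,
     od1, ld1, nd1, od2, _, nd2) = struct.unpack_from(HDR, rec)
    if rty != 83 or length != len(rec) or nd1 < 1 or ld1 < 24 or od1 + ld1 > length:
        raise ValueError("malformed type 83 record")
    lnk, _, evt, evq, usr, grp = struct.unpack_from(SEC, rec, od1)
    rfmt = ">BB" if typ == 1 else ">HH"   # standard vs extended relocate header
    pos, relocs = od2, []
    for _ in range(nd2):
        dtype, dlen = struct.unpack_from(rfmt, rec, pos)  # struct.error if cut off
        pos += struct.calcsize(rfmt)
        if pos + dlen > length:
            raise ValueError("relocate data overruns record")
        relocs.append((dtype, decode_relocate(typ, dtype, rec[pos:pos + dlen])))
        pos += dlen
    return {"subtype": typ, "date": packed_date(dte), "link": lnk, "event": (evt, evq),
            "user": usr.decode(EBCDIC).rstrip(), "group": grp.decode(EBCDIC).rstrip(),
            "relocates": relocs}

def sample_record():
    """Constructed subtype 7 record; every value is made up for this example."""
    e = lambda s, n: s.ljust(n).encode(EBCDIC)
    rel = b"".join(struct.pack(">HH", t, len(v)) + v for t, v in
                   [(100, e("USER01", 8)), (101, e("FACTOR1", 7)), (102, e("POLICY1", 7))])
    sec = struct.pack(SEC, 7, 0, 1, 0, e("USER01", 8), e("GROUP01", 8)).ljust(96, b"\0")
    body = e("0000", 4) + e("RACF", 4) + sec + rel
    return struct.pack(HDR, 52 + len(body), 0, 0x1E, 83, 4320000, bytes.fromhex("0124032f"),
                       e("SYS1", 4), e("RACF", 4), 7, 3, 52, 8, 1, 60, 96, 1, 156, len(rel), 3) + body
```

Calling `parse_smf83(sample_record())` returns the subtype, date, link value, event code pair, user, group and the decoded relocates; a relocate whose length field points past SMF83LEN raises `ValueError` instead of reading into the next record.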