The ability to log information, such as attempted accesses to a resource, and to generate reports containing that information can prove useful to a resource owner, and is very important to a smoothly functioning security system. Because RACF® can identify and verify a user's user ID and recognize which resources the user can access, RACF can record the events where user-resource interaction has been attempted. This function records actual access activities or variances from the expected use of the system.

RACF has a number of logging and reporting functions that allow a resource owner to identify users who attempt to access the resource. In addition, you and your auditor can use these functions to log all detected successful and unsuccessful attempts to access the RACF database and RACF-protected resources. Logging all access attempts allows you to detect possible security exposures or threats. The logging and reporting functions are:
- Logging: RACF writes records to the system management facility (SMF) for detected, unauthorized attempts to enter the system. Optionally, RACF writes records to SMF for authorized attempts and detected, unauthorized attempts to:
  - Access RACF-protected resources
  - Issue RACF commands
  - Modify profiles on the RACF database

  RACF writes these records to an SMF data set. To list SMF records, you can use either the RACF SMF data unload utility (IRRADU00) or the RACF report writer.
  - With the SMF data unload utility, you can translate the RACF SMF records into a format you can browse or upload to a database, query, or reporting package, such as DB2®.
  - With the report writer, you can select RACF SMF records to produce the reports. Because the RACF report writer was stabilized at the RACF 1.9.2 level, it cannot produce reports for all records beyond that release.

  You should keep in mind that, for each logging activity that RACF performs, there is a corresponding increase in RACF and SMF processing.

  For more information on logging and auditing, see z/OS Security Server RACF Auditor's Guide. For information about how to specify logging and auditing functions, see z/OS Security Server RACF Command Language Reference.
- Sending messages: RACF sends messages to the security console for detected, unauthorized attempts to enter the system and for detected, unauthorized attempts to access RACF-protected resources or modify profiles on the RACF database.

  In addition to sending resource access violation messages to the security console, RACF allows you to send a message to a RACF-defined TSO user. Each resource profile can contain the name of a user to be notified when RACF denies access to the resource. If the user is not logged on to the system at the time of the violation, the user receives the message when logging on.

  If you are auditing access attempts, and you have selected the RACF function that issues a warning message instead of failing an invalid access attempt (to allow for a more orderly migration to a RACF-protected system), RACF records each attempted access. For each access attempt that would have failed, RACF sends a warning message (ICH408I) to the accessor, but allows the access. If a notify user is specified in the resource profile, RACF also sends a message to that user.
- Keeping statistical information: Optionally, RACF can keep selected statistical information, such as the date, time, and number of times that a user enters the system and the number of times a single user accesses a specific resource. This information can help the installation analyze and control its computer operations more effectively. In addition, to allow the installation to track and maintain control over its users and resources, RACF provides commands that enable the installation to list the contents of the profiles in the RACF database.
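As an added example (not part of this document or of RACF itself), the following Python reads ICH408I messages of the kind described under "Sending messages" and separates hard denials from warning-mode accesses that would have failed but were allowed, which is the list an auditor reviews during a migration. The console lines are constructed samples, and the message layout (header, resource, reason, and intent/allowed lines) is an assumption about ICH408I output, so check it against your own system's messages.

```python
import re
from dataclasses import dataclass

# Constructed sample security-console lines (not real system output): a hard
# denial, then a warning-mode access that RACF allowed but still reported.
SAMPLE_LOG = """\
ICH408I USER(JSMITH  ) GROUP(DEPT1   ) NAME(JOHN SMITH          )
  SYS1.PARMLIB CL(DATASET ) VOL(SYSRES)
  INSUFFICIENT ACCESS AUTHORITY
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(READ   )
ICH408I USER(TOPER   ) GROUP(OPS     ) NAME(T OPERATOR          )
  PROD.PAYROLL.MASTER CL(DATASET ) VOL(PRD001)
  WARNING: INSUFFICIENT AUTHORITY - TEMPORARY ACCESS ALLOWED
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
"""

# Assumed layout: header line, resource line, reason line, intent/allowed line.
HEADER = re.compile(r"ICH408I USER\((\S+)\s*\) GROUP\((\S+)\s*\)")
RESOURCE = re.compile(r"^\s*(\S+) CL\((\S+)\s*\)")
INTENT = re.compile(r"ACCESS INTENT\((\S+)\s*\)\s+ACCESS ALLOWED\((\S+)\s*\)")

@dataclass
class AccessEvent:
    user: str
    group: str
    resource: str = ""
    resource_class: str = ""
    intent: str = ""
    allowed: str = ""
    warning_mode: bool = False  # access would have failed but was allowed

def parse_ich408i(text: str) -> list:
    """Group console lines into ICH408I events with the fields an auditor reviews."""
    events, cur = [], None
    for line in text.splitlines():
        if m := HEADER.search(line):
            cur = AccessEvent(user=m.group(1), group=m.group(2))
            events.append(cur)
        elif cur is None:
            continue  # lines before the first message header
        elif (m := RESOURCE.match(line)) and not cur.resource:
            cur.resource, cur.resource_class = m.group(1), m.group(2)
        elif "TEMPORARY ACCESS ALLOWED" in line:
            cur.warning_mode = True
        elif m := INTENT.search(line):
            cur.intent, cur.allowed = m.group(1), m.group(2)
    return events

def warning_mode_exposures(events: list) -> list:  # allowed only by WARNING mode
    return [e for e in events if e.warning_mode]
```

Run `warning_mode_exposures(parse_ich408i(SAMPLE_LOG))` to get the accesses that succeeded only because the profile is in warning mode; each one is a permission that must be granted or closed before warning mode is switched off.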