Classes that control auditing for z/OS UNIX System Services
Each of the classes controls auditing for z/OS UNIX System Services in a
particular way. The descriptions that follow define the type of auditing
each class controls and include:
- The audit event types that it controls
- The RACF® callable services that write the audit record
- The z/OS UNIX services that can cause the event
The classes are:
- DIRSRCH
- Controls auditing of directory searches:
- Audit event type:
- 28
- RACF callable service:
- ck_access
- z/OS UNIX services:
- chaudit, chdir, chmod, chmount, chmountsetuid, chown, getcwd, ioctl, lstat, link, mkdir, mknod, mount, mountsetuid, open, opendir, pathconf, readlink, rename, rmdir, stat, symlink, ttyname, unlink, unmount, unmountsetu, utime, chattr, vsetattr, vcreate, vmakedir, vlink, vremovdir, vremove, vrename, vsymlink, vresolvepn, vlookup, exec (indirectly using an open)
- DIRACC
- Controls auditing for access checks for read/write access to directories:
- Audit event types:
- 29, 64
- RACF callable service:
- ck_access, ck_owner_two_files
- z/OS UNIX services:
- chmount, chmountsetuid, getcwd, ioctl, link, mkdir, mknod, mount, mountsetuid, open(new file), open(a directory), opendir, remove, rename, rmdir, symlink, ttyname, unlink, unmount, unmountsetu, vlink, vmakedir, vcreate, vrename, vremovedir, vsymlink, vremove, vreaddir, utime (a directory)
- FSOBJ
- Controls auditing for all access checks for file system objects
except directory searches using SETROPTS LOGOPTIONS and controls auditing
of creation and deletion of file system objects using SETROPTS AUDIT
(see the following note).
For object access:
- Audit event types:
- 30, 56
- RACF callable service:
- ck_access
- z/OS UNIX services:
- link, vlink, open, quiescesetu, unquiescesu, vreadwrite, utime, quiesce, unquiesce, exec (indirectly using an open)
For object create and delete or name change:
- Audit event types:
- 32, 41, 42, 43, 44, 45, 47, 48, 53, 54, 55, 64
- RACF callable service:
- ck_owner_two_files, ckpriv, makeFSP, R_audit
- z/OS UNIX services:
- chdir, chmount, chmountsetuid, link, mkdir, mknod, mount, mountsetuid, open(new file), remove, rename, rmdir, symlink, unlink, unmount, unmountsetu, vlink, vmakedir, vcreate, vremove, vremovedir, vrename, vsymlink
Note: Chdir, symlink, and vsymlink are included to make it possible to re-create from the audit records the full path name you are using when accessing files. Services other than those listed are audited with audit event type 42 or 43.
- FSSEC
- Controls auditing for changes to the security data (FSP and ACL)
for file system objects:
- Audit event types:
- 31, 33, 34, 35, 75, 76, 77
- RACF callable services:
- R_chaudit, R_chmod, R_chown, clear_setid, R_setfacl, R_setfsecl
- z/OS UNIX services:
- chaudit, chmod, chown, fchaudit, fchmod, fchown, write, chattr, fchattr, setfacl, vsetattr, vreadwrite
Note: Event type 75, SETFACL, has a separate audit record created for each ACL entry which is added, modified, or deleted.
- IPCOBJ
- Specifies auditing options for IPC accesses. For access control
and for z/OS® UNIX user identifier (UID), z/OS UNIX group
identifier (GID), and mode changes, use SETROPTS LOGOPTIONS. For
object create and delete, use SETROPTS AUDIT (see the following note).
For access control or UID, GID, or mode changes:
- Audit event types:
- 60, 62
- RACF callable services:
- ck_IPC_access, R_IPC_ctl
- z/OS UNIX services:
- msgctl, msgget, msgsnd, msgrcv, semctl, semget, semop, shmat, shmctl, shmget, w_getipc
For object create and delete or for remove ID:
- Audit event types:
- 61, 62
- RACF callable services:
- makeISP, R_IPC_ctl
- z/OS UNIX services:
- msgctl, msgget, semctl, semget, shmctl, shmget
- PROCESS
- Controls auditing of changes to the UIDs and GIDs of processes
and changing of the Osigset action, thread limit, and other privileged
operations using the SETROPTS LOGOPTIONS, and controls auditing of
dubbing, undubbing, and server registration of processes using SETROPTS
AUDIT (see the following note).
For UID/GID, Osigset and thread limit changes, and other privileged operations:
- Audit event types:
- 36, 49, 50, 51, 52, 57, 63
- RACF callable services:
- R_exec, R_setuid, R_setgid, R_seteuid, R_setegid, ck_priv
- z/OS UNIX services:
- _console, exec, __login, server_init, setuid, setgid, seteuid, setegid, shutdown_reg, sigaction, spawn, swap services, thlmt, WLMC
- Audit event types:
- 38, 39, 57
Note: Unsuccessful process dubs (38 events) are always audited.
- RACF callable services:
- initUSP, delete_USP, ck_priv
- z/OS UNIX services:
- first syscall for a process, dub, _exit, undub, vregister
- PROCACT
- Controls auditing of functions that look at data from or affect
other processes:
- Audit event types:
- 37, 40, 46, 58, 65
- RACF callable services:
- ck_process_owner, R_ptrace
- z/OS UNIX services:
- getpsent, kill, ptrace, recv, recvmsg, sendmsg
Audit records are written for getpsent only when the following setting is in effect: SETROPTS LOGOPTIONS(ALWAYS).
Note about using SETROPTS AUDIT: For the services listed whose auditing is controlled by SETROPTS AUDIT, all successful requests are audited. Failures for these services are audited by the authority check that actually failed (for example, an access check to a FACILITY class profile, or an access check controlled by the FSOBJ or DIRACC classes). To audit these, use LOGOPTIONS(FAILURES) for the appropriate classes.
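The following is an added example, not part of the IBM documentation: it inverts the event-type lists above so that, given the audit event types you need in the log, it names every controlling class and builds the matching SETROPTS commands, including event types listed under two controls. The names `CONTROLS`, `controllers` and `plan` are hypothetical, and treating the classes for which this page names no option as LOGOPTIONS-controlled is an assumption.

```python
# Added example: event-type lists copied from the class descriptions above.
# Key = (class, SETROPTS option assumed to switch the events on).
CONTROLS = {
    ("DIRSRCH", "LOGOPTIONS"): {28},
    ("DIRACC", "LOGOPTIONS"): {29, 64},
    ("FSOBJ", "LOGOPTIONS"): {30, 56},
    ("FSOBJ", "AUDIT"): {32, 41, 42, 43, 44, 45, 47, 48, 53, 54, 55, 64},
    ("FSSEC", "LOGOPTIONS"): {31, 33, 34, 35, 75, 76, 77},
    ("IPCOBJ", "LOGOPTIONS"): {60, 62},
    ("IPCOBJ", "AUDIT"): {61, 62},
    ("PROCESS", "LOGOPTIONS"): {36, 49, 50, 51, 52, 57, 63},
    ("PROCESS", "AUDIT"): {38, 39, 57},
    ("PROCACT", "LOGOPTIONS"): {37, 40, 46, 58, 65},
}
# LOGOPTIONS auditing levels accepted by the SETROPTS command.
LEVELS = {"ALWAYS", "NEVER", "SUCCESSES", "FAILURES", "DEFAULT"}


def controllers(event_type):
    """Every (class, option) pair whose list contains this event type."""
    return sorted(key for key, events in CONTROLS.items() if event_type in events)


def plan(event_types, level="FAILURES"):
    """Return (commands, unknown) for the event types an auditor wants logged."""
    if level not in LEVELS:
        raise ValueError(f"unsupported LOGOPTIONS level: {level}")
    log_classes, audit_classes, unknown = set(), set(), []
    for event_type in event_types:
        hits = controllers(event_type)
        if not hits:
            unknown.append(event_type)  # not listed on this page
        for cls, option in hits:
            # Types such as 57, 62 and 64 appear under two controls: keep both.
            (audit_classes if option == "AUDIT" else log_classes).add(cls)
    commands = []
    if log_classes:
        commands.append(f"SETROPTS LOGOPTIONS({level}({' '.join(sorted(log_classes))}))")
    if audit_classes:
        commands.append(f"SETROPTS AUDIT({' '.join(sorted(audit_classes))})")
    return commands, unknown


if __name__ == "__main__":
    cmds, missing = plan([28, 41, 62, 64])
    print("\n".join(cmds), missing)
```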