Logging

Logging, the recording of data about specific events, is the key to auditing the use of RACF® at your installation. You must ensure that RACF logs the information you need. RACF uses the system management facilities (SMF) to log data about various RACF events. RACF writes SMF records to an SMF data set or log stream.

Things to Consider

  • Each additional logging activity that you specify increases RACF and SMF processing and, as a result, might affect RACF performance.
  • When RACF is enabled for sysplex communication, RACF logs the use of commands only for the system from which the command originated (if auditing has been turned on), even though some commands are propagated to the other members in the RACF sysplex data sharing group.
  • When you are sharing a RACF database among two or more systems, you must run the logging and reporting utilities from the highest level system.

RACF always logs information about certain events because knowing about these events is essential to an effective data-security mechanism. The events that RACF always logs are:
  • Every use of the RVARY or SETROPTS command.

    If you are using the RACF subsystem on MVS™ and issue RVARY as an MVS operator command, the job name information is propagated in the SMF record. This distinguishes it from an RVARY command issued from a TSO session.

  • A successful RACROUTE REQUEST=VERIFY under the following conditions:
    • SETROPTS AUDIT(USER) is active and a user's password or password phrase is changed.
    • Authentication using a PassTicket.
    • Authentication of an IBM® Multi-Factor Authentication user using a password or password phrase.
  • Every time a RACROUTE REQUEST=VERIFY request fails or an initACEE fails because a certificate is unknown or not trusted.
  • Every time a distributed identity is unknown.
  • Every time the console operator grants access to a resource as part of the failsoft processing performed when RACF is inactive.
  • When a user not defined as a z/OS UNIX System Services user tries to dub a process.
  • When an unauthorized user tries to mount or unmount the file system.
  • When a user successfully sets or resets his or her write-down mode, or fails attempting to do so because the user does not have the write-down privilege.
  • Other components may also cause security events to be logged.

For more details about z/OS UNIX System Services events for which audit records are always written, see z/OS UNIX System Services Planning.

RACF never logs some events, because knowing about these events is not essential to effective data security. RACF never logs any use of the following RACF commands: LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH.

In addition, RACF can optionally log other events. Optional logging is under the control of either a resource-profile owner or the auditor.