Table of Contents
Abstract for z/OS Security Server RACF Auditor's Guide
Summary of changes
Summary of changes for z/OS Version 2 Release 2 (V2R2) as updated June 2016
Summary of changes for z/OS Version 2 Release 2 (V2R2)
z/OS Version 2 Release 1 summary of changes
The RACF auditor
AUDITOR, group-AUDITOR and ROAUDIT attribute
Access control and accountability
Logging
Owner-controlled logging
Auditor-controlled logging
Choosing between using RACF TSO commands and ISPF panels
Using the RACF cross-reference utility program (IRRUT100)
Using the RACF database unload utility program (IRRDBU00)
Using the RACF SMF data unload utility program (IRRADU00)
Using the DFSORT ICETOOL
Using the RACF report writer
Conducting the audit
Preliminary information
System information
Basic system
Authorization
System protection
Miscellaneous
RACF implementation
Protection plan
Usage
Technical
Administration control
Management control
Setting and listing audit controls
Auditing for z/OS UNIX System Services
Classes that control auditing for z/OS UNIX System Services
Auditable events
Commands
Audit options for file and directory levels
Auditing for superuser authority in the UNIXPRIV class
Auditing for the RACF remote sharing facility (RRSF)
The RACF SMF data unload utility
Operational considerations
Using IRRADU00
Writing your own application
IRRADU00 example
Return codes for IRRADU00
IRRADU00 output
Using output from the RACF SMF data unload utility
Sort/Merge programs
Relational databases
XML
Using the DFSORT ICETOOL to create reports
The report format
The record selection criteria
Using the RACFICE PROC to generate reports
Reports based on the SMF data unload utility (IRRADU00)
Creating customized reports
Using the RACF SMF data unload utility output with DB2
Steps for using IRRADU00 output with DB2
Creating a DB2 database for unloaded RACF SMF data
Creating a DB2 table space
Creating the DB2 tables
Loading the DB2 tables
Reorganizing the unloaded RACF SMF data in the DB2 database
Creating optimization statistics for the DB2 database
Deleting data from the DB2 database
DB2 table names
Using the RACF SMF data unload utility to generate XML documents
XML overview
Producing XML output
How the XML tag names are derived
Viewing and working with XML audit reports
Event code qualifiers
Event 1(1): JOB INITIATION/TSO LOGON/TSO LOGOFF
Event 2(2): RESOURCE ACCESS
Event 3(3): ADDVOL/CHGVOL
Event 4(4): RENAME RESOURCE
Event 5(5): DELETE RESOURCE
Event 6(6): DELETE ONE VOLUME OF A MULTIVOLUME RESOURCE
Event 7(7): DEFINE RESOURCE
Event 8(8)–25(19): COMMANDS
Event 26(1A): APPCLU
Event 27(1B): GENERAL AUDITING
Event 28(1C)–58(3A): z/OS UNIX EVENT TYPES
Event 59(3B): RACLINK EVENT TYPES
Event 60(3C)–62(3E): z/OS UNIX XPG4 EVENT TYPES
Event 63(3F): z/OS UNIX SETGROUPS EVENT TYPE
Event 64(40): X/OPEN SINGLE UNIX SPECIFICATION EVENT TYPES
Event 65(41): z/OS UNIX PASSING OF ACCESS RIGHTS EVENT TYPES
Event 66(42)–67(43): CERTIFICATE EVENT TYPES
Event 68(44): GRANT OF INITIAL KERBEROS TICKET
Event 69(45): R_PKIServ GENCERT
Event 70(46): R_PKIServ EXPORT
Event 71(47): POLICY DIRECTOR ACCESS CONTROL DECISION
Event 72(48): R_PKIServ QUERY
Event 73(49): R_PKIServ UPDATEREQ
Event 74(4A): R_PKIServ UPDATECERT
Event 75(4B): CHANGE FILE ACL
Event 76(4C): REMOVE FILE ACL
Event 77(4D): SET FILE SECURITY LABEL
Event 78(4E): SET WRITE-DOWN PRIVILEGE
Event 79(4F): CRL PUBLICATION
Event 80(50): R_PKIServ RESPOND
Event 81(51): PassTicket Evaluation
Event 82(52): PassTicket Generation
Event 83(53): R_PKIServ SCEPREQ
Event 84(54): R_Datalib RDATAUPD
Event 85(55): PKIAURNW
Event 86(56): R_PgmSignVer
Event 87(57): RACMAP
Event 88(58): AUTOPROF
Event 89(59): RPKIQREC
Audit function codes for z/OS UNIX System Services
The data security monitor (DSMON)
The RACF report writer
Sample reports
Merging SMF records produced by RACF for z/VM with SMF records produced by RACF for MVS
XML Schema