z/OS Security Server RACF Auditor's Guide


Classes that control auditing for z/OS UNIX System Services

SA23-2290-00

Each of the classes controls auditing for z/OS UNIX System Services in a particular way. The descriptions that follow define the type of auditing each class controls and include:
  • The audit event types that it controls
  • The RACF® callable services that write the audit record
  • The z/OS UNIX services that can cause the event
The classes are:
DIRSRCH
Controls auditing of directory searches:
Audit event type:
28
RACF callable service:
ck_access
z/OS UNIX services:
chaudit, chdir, chmod, chmount, chmountsetuid, chown, getcwd, ioctl, lstat, link, mkdir, mknod, mount, mountsetuid, open, opendir, pathconf, readlink, rename, rmdir, stat, symlink, ttyname, unlink, unmount, unmountsetu, utime, chattr, vsetattr, vcreate, vmakedir, vlink, vremovdir, vremove, vrename, vsymlink, vresolvepn, vlookup, exec (indirectly using an open)
DIRACC
Controls auditing for access checks for read/write access to directories:
Audit event types:
29, 64
RACF callable service:
ck_access, ck_owner_two_files
z/OS UNIX services:
chmount, chmountsetuid, getcwd, ioctl, link, mkdir, mknod, mount, mountsetuid, open(new file), open(a directory), opendir, remove, rename, rmdir, symlink, ttyname, unlink, unmount, unmountsetu, vlink, vmakedir, vcreate, vrename, vremovedir, vsymlink, vremove, vreaddir, utime (a directory)
FSOBJ
Controls auditing for all access checks for file system objects except directory searches using SETROPTS LOGOPTIONS and controls auditing of creation and deletion of file system objects using SETROPTS AUDIT (see note below).
For object access:
Audit event types:
30, 56
RACF callable service:
ck_access
z/OS UNIX services:
link, vlink, open, quiescesetu, unquiescesu, vreadwrite, utime, quiesce, unquiesce, exec (indirectly using an open)
For object create and delete or name change:
Audit event types:
32, 41, 42, 43, 44, 45, 47, 48, 53, 54, 55, 64
RACF callable service:
ck_owner_two_files, ckpriv, makeFSP, R_audit
z/OS UNIX services:
chdir, chmount, chmountsetuid, link, mkdir, mknod, mount, mountsetuid, open(new file), remove, rename, rmdir, symlink, unlink, unmount, unmountsetu, vlink, vmakedir, vcreate, vremove, vremovedir, vrename, vsymlink
Note: chdir, symlink, and vsymlink are included to make it possible to re-create from the audit records the full path name you are using when accessing files. Services other than those listed above are audited with audit event type 42 or 43.
FSSEC
Controls auditing for changes to the security data (FSP and ACL) for file system objects:
Audit event types:
31, 33, 34, 35, 75, 76, 77
RACF callable services:
R_chaudit, R_chmod, R_chown, clear_setid, R_setfacl, R_setfsecl
z/OS UNIX services:
chaudit, chmod, chown, fchaudit, fchmod, fchown, write, chattr, fchattr, setfacl, vsetattr, vreadwrite
Note: Event type 75, SETFACL, has a separate audit record created for each ACL entry which is added, modified, or deleted.
IPCOBJ
Specifies auditing options for IPC accesses. For access control and for z/OS® UNIX user identifier (UID), z/OS UNIX group identifier (GID), and mode changes, use SETROPTS LOGOPTIONS. For object create and delete, use SETROPTS AUDIT (see note below).
For access control or UID, GID, or mode changes:
Audit event types:
60, 62
RACF callable services:
ck_IPC_access, R_IPC_ctl
z/OS UNIX services:
msgctl, msgget, msgsnd, msgrcv, semctl, semget, semop, shmat, shmctl, shmget, w_getipc
For object create and delete or for remove ID:
Audit event types:
61, 62
RACF callable services:
makeISP, R_IPC_ctl
z/OS UNIX services:
msgctl, msgget, semctl, semget, shmctl, shmget
PROCESS
Controls auditing of changes to the UIDs and GIDs of processes, changes to the Osigset action and thread limit, and other privileged operations using SETROPTS LOGOPTIONS, and controls auditing of dubbing, undubbing, and server registration of processes using SETROPTS AUDIT (see note below).
For UID/GID, Osigset and thread limit changes, and other privileged operations:
Audit event types:
36, 49, 50, 51, 52, 57, 63
RACF callable services:
R_exec, R_setuid, R_setgid, R_seteuid, R_setegid, ck_priv
z/OS UNIX services:
_console, exec, __login, server_init, setuid, setgid, seteuid, setegid, shutdown_reg, sigaction, spawn, swap services, thlmt, WLMC
For process dubbing, undubbing, and registration:
Audit event types:
38, 39, 57
Note: Unsuccessful process dubs (38 events) are always audited.
RACF callable services:
initUSP, delete_USP, ck_priv
z/OS UNIX services:
first syscall for a process, dub, _exit, undub, vregister
PROCACT
Controls auditing of functions that look at data from or affect other processes:
Audit event types:
37, 40, 46, 58, 65
RACF callable services:
ck_process_owner, R_ptrace
z/OS UNIX services:
getpsent, kill, ptrace, recv, recvmsg, sendmsg

Audit records are written for getpsent only when the following setting is in effect: SETROPTS LOGOPTIONS (ALWAYS).

Note about using SETROPTS AUDIT: For the services listed whose auditing is controlled by SETROPTS AUDIT, all successful requests are audited. Failures for these services are audited by the authority check that actually failed (for example, an access check to a FACILITY class profile, or an access check controlled by the FSOBJ or DIRACC classes). To audit these, use LOGOPTIONS(FAILURES) for the appropriate classes.
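
A coverage check built from the class descriptions and the SETROPTS AUDIT note above, as an added example that is not IBM code: given the LOGOPTIONS level per class and the classes on SETROPTS AUDIT, it reports which audit event types have an outcome that no class-level setting records. The function names, the input shapes and the rule for event types listed under two controls are assumptions of this example.

```python
# Added example, not IBM code. Event-type lists are transcribed from this page.
# Assumption: the page names the SETROPTS operand only for FSOBJ, IPCOBJ and
# PROCESS; the other classes are treated here as LOGOPTIONS-controlled.
CONTROLS = {
    ("DIRSRCH", "LOGOPTIONS"): [28],
    ("DIRACC", "LOGOPTIONS"): [29, 64],
    ("FSOBJ", "LOGOPTIONS"): [30, 56],
    ("FSOBJ", "AUDIT"): [32, 41, 42, 43, 44, 45, 47, 48, 53, 54, 55, 64],
    ("FSSEC", "LOGOPTIONS"): [31, 33, 34, 35, 75, 76, 77],
    ("IPCOBJ", "LOGOPTIONS"): [60, 62],
    ("IPCOBJ", "AUDIT"): [61, 62],
    ("PROCESS", "LOGOPTIONS"): [36, 49, 50, 51, 52, 57, 63],
    ("PROCESS", "AUDIT"): [38, 39, 57],
    ("PROCACT", "LOGOPTIONS"): [37, 40, 46, 58, 65],
}
LOGS_SUCCESS = {"ALWAYS", "SUCCESSES"}
LOGS_FAILURE = {"ALWAYS", "FAILURES"}

def coverage(logoptions, audit):
    """Return {event_type: [success_logged, failure_logged]}.

    logoptions maps class -> ALWAYS|NEVER|SUCCESSES|FAILURES|DEFAULT; audit is
    the set of classes on SETROPTS AUDIT. Assumptions: an event under two
    controls is logged if either logs it; DEFAULT or unset means not logged.
    """
    result = {}
    for (cls, operand), events in CONTROLS.items():
        if operand == "AUDIT":
            # Page note: SETROPTS AUDIT records successful requests only.
            ok, fail = cls in audit, False
        else:
            level = logoptions.get(cls, "DEFAULT")
            ok, fail = level in LOGS_SUCCESS, level in LOGS_FAILURE
        for ev in events:
            seen = result.setdefault(ev, [False, False])
            seen[0], seen[1] = seen[0] or ok, seen[1] or fail
    result[38][1] = True  # Page note: unsuccessful dubs are always audited.
    return result

def gaps(logoptions, audit):
    """List (event_type, [unlogged outcomes]) for the given settings."""
    names = ("success", "failure")
    report = []
    for ev, logged in sorted(coverage(logoptions, audit).items()):
        missing = [n for n, hit in zip(names, logged) if not hit]
        if missing:
            report.append((ev, missing))
    return report
```

A "failure" gap on an event type controlled only by SETROPTS AUDIT is expected: as the note above says, those failures are recorded under the class whose authority check failed.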





Copyright IBM Corporation 1990, 2014