Auditing for superuser authority in the UNIXPRIV class

If you use profiles in the UNIXPRIV class to control superuser authorities, you can use the same profiles for auditing.

UNIXPRIV
    Controls auditing of superuser authorities.
    Audit event type: 2
    RACF® callable services: ck_access, ck_owner_two_files, ck_priv, ck_process_owner, R_chown, R_IPC_ctl, R_ptrace, R_chmod
    z/OS UNIX services: chmod, chmount, chmountsetuid, chown, getpsent, kill, link, mkdir, mount, mountsetuid, nice, open, opendir, pfsctl, ptrace, quiesce, quiescesetu, readlink, realpath, rename, rmdir, setpriority, shmmcv, stat, symlink, unlink, unmount, unmountsetu, unquiesce, unquiescesu, vregister

RACF can log successful uses of superuser authorities when the audit options of the corresponding UNIXPRIV profile request it. If you want to check the use of superuser authority for specific resources, audit successful uses of the UNIXPRIV profiles that grant them. Failures are different: RACF logs failed attempts to use SHARED.IDS in the UNIXPRIV class, but for all other UNIXPRIV resources no audit record is written to show an authorization failure, regardless of the profile's audit options.

For example, to audit the successful uses of the kill() function, granted by the SUPERUSER.PROCESS.KILL profile, set the audit options as follows:
RALTER UNIXPRIV SUPERUSER.PROCESS.KILL AUDIT(SUCCESS(READ))

LOG=NOFAIL is specified on all authorization checks in the UNIXPRIV class, except for SHARED.IDS. Therefore, RACF does not log failures for those resources, even when you specify AUDIT(FAILURES) or AUDIT(ALL) in the profile. RACF also ignores any SETROPTS LOGOPTIONS settings for the UNIXPRIV class, because all authorization checks in that class are performed by a RACROUTE REQUEST=FASTAUTH request against the RACLISTed profiles, and LOGOPTIONS does not apply to FASTAUTH checks.
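The following REXX exec is an added example, not part of this manual, that carries the RALTER above through to a working audit setting. Because UNIXPRIV is checked with FASTAUTH against the in-storage (RACLISTed) copy of the profiles, the RALTER alone changes nothing until SETROPTS RACLIST(UNIXPRIV) REFRESH is issued; the exec performs the refresh and then lists the profile so the AUDITING field can be checked. It assumes the UNIXPRIV class is active and RACLISTed, that the SUPERUSER.PROCESS.KILL and SHARED.IDS profiles already exist, and that the caller has SPECIAL or AUDITOR authority over those profiles.

```rexx
/* REXX - Turn on auditing of successful superuser kill() use.       */
/* Added example for illustration; not code from the RACF manual.    */
/* Assumptions: UNIXPRIV is active and RACLISTed, both profiles      */
/* exist, and the caller may alter them (SPECIAL or AUDITOR).        */
address tso

killprof = 'SUPERUSER.PROCESS.KILL'

/* AUDIT(SUCCESS(READ)) is the only useful setting here: UNIXPRIV    */
/* checks run with LOG=NOFAIL, so FAILURES/ALL would add nothing.    */
"RALTER UNIXPRIV" killprof "AUDIT(SUCCESS(READ))"
if rc <> 0 then do
  say 'RALTER' killprof 'failed, rc='rc
  exit rc
end

/* SHARED.IDS is the one UNIXPRIV resource whose failures are       */
/* logged, so AUDIT(ALL(READ)) is meaningful for it alone.           */
"RALTER UNIXPRIV SHARED.IDS AUDIT(ALL(READ))"
if rc <> 0 then do
  say 'RALTER SHARED.IDS failed, rc='rc
  exit rc
end

/* FASTAUTH uses the RACLISTed copy of the class, so the new audit  */
/* options take effect only after the class is refreshed.            */
"SETROPTS RACLIST(UNIXPRIV) REFRESH"
if rc <> 0 then do
  say 'SETROPTS RACLIST REFRESH failed, rc='rc
  exit rc
end

/* Verify: the AUDITING field of each profile should now show        */
/* SUCCESS(READ) and ALL(READ) respectively.                         */
"RLIST UNIXPRIV" killprof "AUTHUSER"
"RLIST UNIXPRIV SHARED.IDS AUTHUSER"
exit 0
```

Run the exec from TSO (for example EX 'hlq.EXEC(UNXAUDIT)') or under IKJEFT01 in batch; with the profile now logging successes, every kill() of another user's process that is authorized through SUPERUSER.PROCESS.KILL produces an SMF type 80 record for that profile, which is the record that a detection rule or an IRRADU00 unload query can key on.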

It is possible to see multiple audit records for the same operation, as described in the following example:

  1. You are auditing successful uses of the SUPERUSER.PROCESS.KILL profile.
  2. You also issued the SETROPTS LOGOPTIONS(SUCCESSES(PROCACT)) command to audit success in the PROCACT class.
    Note: This is not recommended because of the large number of audit records it could produce.
  3. User LAURIE has UID 40 and READ access to the SUPERUSER.PROCESS.KILL profile in the UNIXPRIV class.
  4. User LAURIE issued the kill() function for another user's process.
The kill() function succeeds and RACF writes two audit records as a result of:
  • Auditing for the PROCACT class
  • A RACROUTE REQUEST=FASTAUTH call in the UNIXPRIV class

For more information about the UNIXPRIV class, see z/OS Security Server RACF Security Administrator's Guide.