Auditing for superuser authority in the UNIXPRIV class
If you use profiles in the UNIXPRIV class to control superuser authorities, you can use the same profiles for auditing.
- UNIXPRIV: Controls auditing of superuser authorities.
  - Audit event type: 2
  - RACF® callable services: ck_access, ck_owner_two_files, ck_priv, ck_process_owner, R_chown, R_IPC_ctl, R_ptrace, R_chmod
  - z/OS UNIX services: chmod, chmount, chmountsetuid, chown, getpsent, kill, link, mkdir, mount, mountsetuid, nice, open, opendir, pfsctl, ptrace, quiesce, quiescesetu, readlink, realpath, rename, rmdir, setpriority, shmmcv, stat, symlink, unlink, unmount, unmountsetu, unquiesce, unquiescesu, vregister
RACF logs successful attempts to use superuser authorities. If you want to check the use of superuser authority for specific resources, you can audit successful uses of the UNIXPRIV profiles. RACF logs failed attempts to use SHARED.IDS in the UNIXPRIV class. For other UNIXPRIV resources, no audit record is written to show authorization failures in the UNIXPRIV class.
For example, to audit successful uses of the kill() function, which the SUPERUSER.PROCESS.KILL profile grants, set the audit options as follows:
RALTER UNIXPRIV SUPERUSER.PROCESS.KILL AUDIT(SUCCESS(READ))
LOG=NOFAIL is specified on all authorization checks in the UNIXPRIV class, except for SHARED.IDS. Therefore, RACF does not log failures, even when you specify AUDIT(FAILURES) or AUDIT(ALL) in the profile. RACF also ignores any SETROPTS LOGOPTIONS settings in the UNIXPRIV class because the RACROUTE REQUEST=FASTAUTH request performs all authorization checks in that class.
It is possible to see multiple audit records for the same operation, as described in the following example:
- You are auditing successful uses of the SUPERUSER.PROCESS.KILL profile.
- You also issued the SETROPTS LOGOPTIONS(SUCCESSES(PROCACT)) command to audit successes in the PROCACT class. Note: This is not recommended because of the large number of audit records it could produce.
- User LAURIE has UID 40 and READ access to the SUPERUSER.PROCESS.KILL profile in the UNIXPRIV class.
- User LAURIE issued the kill() function for another user's process.
The kill() function succeeds and RACF writes two audit records as a result of:
- Auditing for the PROCACT class
- A RACROUTE REQUEST=FASTAUTH call in the UNIXPRIV class
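As an added example (not from this page or from IBM), the following RACF command sequence shows the ineffective and the effective audit settings for the kill() superuser authority discussed above, verifies the profile, and refreshes the class. It assumes the UNIXPRIV class is active and RACLISTed; the /* */ lines are annotations, not part of the command syntax.

```tso
/* Check the current AUDITING options of the profile before changing them */
RLIST UNIXPRIV SUPERUSER.PROCESS.KILL

/* Ineffective in this class: authorization checks run with LOG=NOFAIL,   */
/* so no failure record is ever written for this profile.                 */
RALTER UNIXPRIV SUPERUSER.PROCESS.KILL AUDIT(FAILURES(READ))

/* Effective: log every successful use of the kill() superuser authority  */
RALTER UNIXPRIV SUPERUSER.PROCESS.KILL AUDIT(SUCCESS(READ))

/* SHARED.IDS is the one UNIXPRIV resource whose failures RACF does log,  */
/* so auditing both successes and failures is meaningful only here.       */
RALTER UNIXPRIV SHARED.IDS AUDIT(ALL(READ))

/* Changes to profiles in a RACLISTed class take effect only after refresh */
SETROPTS RACLIST(UNIXPRIV) REFRESH

/* Confirm the new AUDITING setting is in place                           */
RLIST UNIXPRIV SUPERUSER.PROCESS.KILL
```

Because SETROPTS LOGOPTIONS is ignored for UNIXPRIV, the per-profile AUDIT setting is the only place where success auditing for these authorities can be turned on.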
For more information about the UNIXPRIV class, see z/OS Security Server RACF Security Administrator's Guide.