Each of the classes controls auditing for z/OS UNIX System Services in a
particular way. The descriptions that follow define the type of auditing
each class controls and include:
- The audit event types that it controls
- The RACF® callable services that write the audit record
- The z/OS UNIX services that can cause the event
The classes are:
- DIRSRCH
  Controls auditing of directory searches:
  - Audit event type: 28
  - RACF callable service: ck_access
  - z/OS UNIX services: chaudit, chdir, chmod, chmount, chmountsetuid, chown,
    getcwd, ioctl, lstat, link, mkdir, mknod, mount, mountsetuid, open,
    opendir, pathconf, readlink, rename, rmdir, stat, symlink, ttyname,
    unlink, unmount, unmountsetu, utime, chattr, vsetattr, vcreate, vmakedir,
    vlink, vremovdir, vremove, vrename, vsymlink, vresolvepn, vlookup,
    exec (indirectly using an open)
- DIRACC
  Controls auditing for access checks for read/write access to directories:
  - Audit event types: 29, 64
  - RACF callable service: ck_access, ck_owner_two_files
  - z/OS UNIX services: chmount, chmountsetuid, getcwd, ioctl, link, mkdir,
    mknod, mount, mountsetuid, open(new file), open(a directory), opendir,
    remove, rename, rmdir, symlink, ttyname, unlink, unmount, unmountsetu,
    vlink, vmakedir, vcreate, vrename, vremovedir, vsymlink, vremove,
    vreaddir, utime (a directory)
- FSOBJ
  Controls auditing for all access checks for file system objects
  except directory searches using SETROPTS LOGOPTIONS and controls auditing
  of creation and deletion of file system objects using SETROPTS AUDIT
  (see note below).
  For object access:
  - Audit event types: 30, 56
  - RACF callable service: ck_access
  - z/OS UNIX services: link, vlink, open, quiescesetu, unquiescesu,
    vreadwrite, utime, quiesce, unquiesce, exec (indirectly using an open)
  For object create and delete or name change:
  - Audit event types: 32, 41, 42, 43, 44, 45, 47, 48, 53, 54, 55, 64
  - RACF callable service: ck_owner_two_files, ckpriv, makeFSP, R_audit
  - z/OS UNIX services: chdir, chmount, chmountsetuid, link, mkdir, mknod,
    mount, mountsetuid, open(new file), remove, rename, rmdir, symlink,
    unlink, unmount, unmountsetu, vlink, vmakedir, vcreate, vremove,
    vremovedir, vrename, vsymlink
  Note: Chdir, symlink, and vsymlink are included to make it possible to
  re-create from the audit records the full path name you are using when
  accessing files. Services other than those listed above are audited with
  audit event type 42 or 43.
- FSSEC
  Controls auditing for changes to the security data (FSP and ACL)
  for file system objects:
  - Audit event types: 31, 33, 34, 35, 75, 76, 77
  - RACF callable services: R_chaudit, R_chmod, R_chown, clear_setid,
    R_setfacl, R_setfsecl
  - z/OS UNIX services: chaudit, chmod, chown, fchaudit, fchmod, fchown,
    write, chattr, fchattr, setfacl, vsetattr, vreadwrite
  Note: Event type 75, SETFACL, has a separate audit record created for
  each ACL entry which is added, modified, or deleted.
- IPCOBJ
  Specifies auditing options for IPC accesses. For access control
  and for z/OS® UNIX user identifier (UID), z/OS UNIX group
  identifier (GID), and mode changes, use SETROPTS LOGOPTIONS. For
  object create and delete, use SETROPTS AUDIT (see note below).
  For access control or UID, GID, or mode changes:
  - Audit event types: 60, 62
  - RACF callable services: ck_IPC_access, R_IPC_ctl
  - z/OS UNIX services: msgctl, msgget, msgsnd, msgrcv, semctl, semget,
    semop, shmat, shmctl, shmget, w_getipc
  For object create and delete or for remove ID:
  - Audit event types: 61, 62
  - RACF callable services: makeISP, R_IPC_ctl
  - z/OS UNIX services: msgctl, msgget, semctl, semget, shmctl, shmget
- PROCESS
  Controls auditing of changes to the UIDs and GIDs of processes
  and changing of the Osigset action, thread limit, and other privileged
  operations using the SETROPTS LOGOPTIONS, and controls auditing of
  dubbing, undubbing, and server registration of processes using SETROPTS
  AUDIT (see note below).
  For UID/GID, Osigset and thread limit changes, and other privileged
  operations:
  - Audit event types: 36, 49, 50, 51, 52, 57, 63
  - RACF callable services: R_exec, R_setuid, R_setgid, R_seteuid,
    R_setegid, ck_priv
  - z/OS UNIX services: _console, exec, __login, server_init, setuid,
    setgid, seteuid, setegid, shutdown_reg, sigaction, spawn, swap services,
    thlmt, WLMC
  For process dubbing, undubbing, and registration:
  - Audit event types: 38, 39, 57
    Note: Unsuccessful process dubs (38 events) are always audited.
  - RACF callable services: initUSP, delete_USP, ck_priv
  - z/OS UNIX services: first syscall for a process, dub, _exit, undub,
    vregister
- PROCACT
  Controls auditing of functions that look at data from or affect
  other processes:
  - Audit event types: 37, 40, 46, 58, 65
  - RACF callable services: ck_process_owner, R_ptrace
  - z/OS UNIX services: getpsent, kill, ptrace, recv, recvmsg, sendmsg
  Audit records are written for getpsent only during
  the following configuration: SETROPTS LOGOPTIONS (ALWAYS).
Note about using SETROPTS AUDIT: For the services listed whose
auditing is controlled by SETROPTS AUDIT, all successful requests
are audited. Failures for these services are audited by the authority
check that actually failed (for example, an access check to a FACILITY
class profile, or an access check controlled by the FSOBJ or DIRACC
classes). To audit these, use LOGOPTIONS(FAILURES) for the appropriate
classes.
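
The following RACF commands are an added example, not part of the original documentation, showing how the note above and the getpsent condition under PROCACT translate into settings. The selection of classes on each command is an assumption made for illustration; the class names themselves are the ones described on this page.

```tso
SETROPTS AUDIT(FSOBJ IPCOBJ PROCESS)         /* example class choice: successful create/delete, dub/undub, registration */
SETROPTS LOGOPTIONS(FAILURES(FSOBJ DIRACC))  /* failures are logged by the access check that actually failed */
SETROPTS LOGOPTIONS(ALWAYS(PROCACT))         /* needed before getpsent writes audit records */
SETROPTS LIST                                /* confirm the AUDIT and LOGOPTIONS values now in effect */
```

With only the first command in place, a failed create or delete leaves no audit record from these classes, which is the gap the FAILURES setting closes.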