Auditing for z/OS UNIX System Services
RACF® writes audit records for the z/OS UNIX System Services auditable events in SMF type 80 records. The following classes are defined to control auditing:
- DIRSRCH
- DIRACC
- FSOBJ
- FSSEC
- IPCOBJ
- PROCESS
- PROCACT
Audit records are always written for security decisions made during RACF callable services involving resources in these z/OS® UNIX classes when the user has the UAUDIT attribute, regardless of the LOGOPTIONS and AUDIT settings.
In addition, audit records are always written, and there is no option to turn them off, when one of the following conditions occurs:
- A user who is not defined as a z/OS UNIX System Services user tries to dub a process
- An unauthorized user tries to mount or unmount a file system
You can use profiles in the UNIXPRIV class to audit certain superuser functions. For more information about this z/OS UNIX System Services class, see Auditing for superuser authority in the UNIXPRIV class.
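The LOGOPTIONS and UAUDIT controls named above, expressed as RACF TSO commands (an added example, not part of the original page). It assumes the issuer has the AUDITOR attribute; USER01 is a constructed user ID, and FAILURES is an illustrative choice of logging level.

```tso
SETROPTS LOGOPTIONS(FAILURES(DIRSRCH DIRACC FSOBJ FSSEC -
                             IPCOBJ PROCESS PROCACT))
ALTUSER USER01 UAUDIT   /* USER01: constructed ID; logged regardless of LOGOPTIONS */
SETROPTS LIST           /* review the LOGOPTIONS lines to confirm the class settings */
```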