1AUDISP-RACF(8) System Administration Utilities AUDISP-RACF(8)
2
3
4
6 audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin
7
9 audispd-zos-remote [ config-file ]
10
12 audispd-zos-remote is a remote-auditing plugin for the Audit subsystem.
13 It should be started by the auditd(8) daemon and will forward all
14 incoming audit events, as they happen, to a configured z/OS SMF (Ser‐
15 vice Management Facility) database, through an IBM Tivoli Directory
16 Server (ITDS) set for Remote Audit service. See SMF MAPPING section
17 below for more information about the resulting SMF record format.
18
19 auditd(8) must be configured to start the plugin. This is done by a
20 configuration file usually located at /etc/audit/plugins.d/aud‐
21 ispd-zos-remote.conf, but multiple instances can be spawned by having
22 multiple configuration files in /etc/audit/plugins.d for the same plug‐
23 in executable (see auditd(8)).
24
25 Each instance needs a configuration file, located by default at
26 /etc/audit/zos-remote.conf. Check zos-remote.conf(5) for details about
27 the plugin configuration.
28
29
31 config-file
32 Use an alternate configuration file instead of
33 /etc/audit/zos-remote.conf.
34
35
37 audispd-zos-remote reacts to SIGTERM and SIGHUP signals (according to
38 the auditd(8) specification):
39
40 SIGHUP Instructs the audispd-zos-remote plugin to re-read it's configu‐
41 ration and flush existing network connections.
42
43 SIGTERM
44 Performs a clean exit. audispd-zos-remote will wait up to 10
45 seconds if there are queued events to be delivered, dropping any
46 remaining queued events after that time.
47
48
50 In order to use this plugin, you must have an IBM z/OS v1R8 (or higher)
51 server with IBM Tivoli Directory Server (ITDS) configured for Remote
52 Audit service. For more detailed information about how to configure the
53 z/OS server for Remote Auditing, refer to z/OS V1R8.0-9.0 Intergrated
54 Security Services Enterprise Identity Mapping (EIM) Guide and Reference
55 (http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119),
56 chapter "2.0 - Working with remote services".
57
58
59 Enable ITDS to process Remote Audit requests
60 To enable ITSD to process Remote Audit requests, the user ID associated
61 with ITDS must be granted READ access to the IRR.AUDITX FACILITY Class
62 profile (the profile used to protect the R_Auditx service). This user
63 ID can usually be found in the STARTED Class profile for the ITDS
64 started procedure. If the identity associated with ITDS is ITDSUSER,
65 the administrator can configure RACF to grant Remote Auditing process‐
66 ing to ITDS with the following TSO commands:
67
68 TSO Commands: Grant ITDSUSER READ access to IRR.AUDITX FACILITY Class
69 profile
70 rdefine FACILITY IRR.RAUDITX uacc(none)
71 permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)
72
73
74 Create/enable RACF user ID to perform Remote Audit requests
75 A z/OS RACF user ID is needed by the plugin - Every Audit request per‐
76 formed by the plugin will use a RACF user ID, as configured in the
77 plugin configuration zos-remote.conf(5). This user ID needs READ
78 access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT. If the user ID
79 is BINDUSER, the administrator can configure RACF to enable this user
80 to perform Remote Auditing requests with the following TSO commands:
81
82 TSO Commands: Enable BINDUSER to perform Remote Audit requests
83 rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
84 permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)
85
86
87 Add @LINUX Class to RACF
88 When performing remote auditing requests, the audispd-zos-remote plugin
89 will use the special @LINUX CDT Class and the audit record type (eg.:
90 SYSCALL, AVC, PATH...) as the CDT Resource Class for all events pro‐
91 cessed. To make sure events are logged, the RACF server must be con‐
92 figured with a Dynamic CDT Class named @LINUX with correct sizes and
93 attributes. The following TSO commands can be used to add this class:
94
95 TSO Commands: Add @LINUX CDT Class
96 rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
97 setr classact(cdt)
98 setr raclist(cdt)
99 setr raclist(cdt) refresh
100 setr classact(@LINUX)
101 setr raclist(@LINUX)
102 setr generic(@LINUX)
103
104
105 Add profiles to the @LINUX Class
106 Once the CDT Class has been defined, you can add profiles to it, speci‐
107 fying resources (wildcards allowed) to log or ignore. The following are
108 examples:
109
110 TSO Commands: Log only AVC records (One generic and one discrete pro‐
111 file):
112 rdefine @LINUX * uacc(none) audit(none(read))
113 rdefine @LINUX AVC uacc(none) audit(all(read))
114 setr raclist(@LINUX) refresh
115
116
117 TSO Commands: Log everything (One generic profile):
118 rdefine @LINUX * uacc(none) audit(all(read))
119 setr raclist(@LINUX) refresh
120
121
122 Resources always match the single profile with the best match.
123
124 There are many other ways to define logging in RACF. Please refer to
125 the server documentation for more details.
126
127
129 The ITDS Remote Audit service will cut SMF records of type 83 subtype 4
130 every time it processes a request. This plugin will issue a remote
131 audit request for every incoming Linux Audit record (meaning that one
132 Linux record will map to one SMF record), and fill this type's records
133 with the following:
134
135 Link Value
136 The Linux event serial number, encoded in network-byte order hexadeci‐
137 mal representation. Records within the same Event share the same Link
138 Value.
139
140 Violation
141 Always zero (0) - False
142
143 Event Code
144 Always two (2) - Authorization event
145
146 Event Qualifier
147 Zero (0) - Success, if the event reported success=yes or res=success,
148 Three (3) - Fail, if the event reported success=no or res=failed, or
149 One (1) - Info otherwise.
150
151 Class
152 Always @LINUX
153
154 Resource
155 The Linux record type for the processed record. e.g.:
156 SYSCALL,AVC,PATH,CWD etc.
157
158 Log String
159 Textual message bringing the RACF user ID used to perform the request,
160 plus the Linux hostname and the record type for the first record in the
161 processed event. e.g.: Remote audit request from RACFUSER. Linux (host‐
162 name.localdomain):USER_AUTH
163
164 Data Field List
165 Also known as relocates, this list will bring all the field names and
166 values in a fieldname=value format, as a type 114 (Appication specific
167 Data) relocate. The plug-in will try to interpret those fields (i.e.:
168 use human-readable username root instead of numeric userid 0) whenever
169 possible. Currently, this plugin will also add a relocate type 113
170 (Date And Time Security Event Occurred) with the Event Timestamp in the
171 format as returned by ctime(3).
172
173
175 Errors and warnings are reported to syslog (under DAEMON facility). In
176 situations where the event was submitted but the z/OS server returned
177 an error condition, the logged message brings a name followed by a
178 human-readable description. Below are some common errors conditions:
179
180
181 NOTREQ - No logging required
182 Resource (audit record type) is not set to be logged in the RACF
183 server - The @LINUX Class profile governing this audit record
184 type is set to ignore. See IBM z/OS RACF Server configuration
185
186 UNDETERMINED - Undetermined result
187 No profile found for specified resource. There is no @LINUX
188 Class configured or no @LINUX Class profile associated with this
189 audit record type. See IBM z/OS RACF Server configuration
190
191 UNAUTHORIZED - The user does not have authority the R_auditx service
192 The user ID associated with the ITDS doesn't have READ access to
193 the IRR.AUDITX FACILITY Class profile. See IBM z/OS RACF Server
194 configuration
195
196 UNSUF_AUTH - The user has unsuficient authority for the requested func‐
197 tion
198 The RACF user ID used to perform Remote Audit requests (as con‐
199 figured in zos-remote.conf(5)) don't have access to the
200 IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See IBM z/OS RACF
201 Server configuration
202
203
205 The plugin currently does remote auditing in a best-effort basis, and
206 will dischard events in case the z/OS server cannot be contacted (net‐
207 work failures) or in any other case that event submission fails.
208
209
211 /etc/audit/plugins.d/audispd-zos-remote.conf /etc/audit/zos-remote.conf
212
214 auditd(8), zos-remote.conf(5).
215
217 Klaus Heinrich Kiwi <klausk@br.ibm.com>
218
219
220
221IBM Oct 2007 AUDISP-RACF(8)