audispd-zos-remote(8)

1AUDISP-RACF(8)          System Administration Utilities         AUDISP-RACF(8)
2
3
4

NAME

6       audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin
7

SYNOPSIS

9       audispd-zos-remote [ config-file ]
10

DESCRIPTION

12       audispd-zos-remote is a remote-auditing plugin for the Audit subsystem.
13       It should be started by the  auditd(8)  daemon  and  will  forward  all
14       incoming  audit  events, as they happen, to a configured z/OS SMF (Ser‐
15       vice Management Facility) database, through  an  IBM  Tivoli  Directory
16       Server  (ITDS)  set  for Remote Audit service.  See SMF MAPPING section
17       below for more information about the resulting SMF record format.
18
19       auditd(8) must be configured to start the plugin. This  is  done  by  a
20       configuration   file   usually   located  at  /etc/audit/plugins.d/aud‐
21       ispd-zos-remote.conf, but multiple instances can be spawned  by  having
22       multiple configuration files in /etc/audit/plugins.d for the same plug‐
23       in executable (see auditd(8)).
24
25       Each instance  needs  a  configuration  file,  located  by  default  at
26       /etc/audit/zos-remote.conf.  Check zos-remote.conf(5) for details about
27       the plugin configuration.
28
29

OPTIONS

31       config-file
32              Use    an    alternate    configuration    file    instead    of
33              /etc/audit/zos-remote.conf.
34
35

SIGNALS

37       audispd-zos-remote  reacts  to SIGTERM and SIGHUP signals (according to
38       the auditd(8) specification):
39
40       SIGHUP Instructs the audispd-zos-remote plugin to re-read it's configu‐
41              ration and flush existing network connections.
42
43       SIGTERM
44              Performs  a  clean  exit.  audispd-zos-remote will wait up to 10
45              seconds if there are queued events to be delivered, dropping any
46              remaining queued events after that time.
47
48

IBM z/OS ITDS Server and RACF configuration

50       In order to use this plugin, you must have an IBM z/OS v1R8 (or higher)
51       server with IBM Tivoli Directory Server (ITDS)  configured  for  Remote
52       Audit service. For more detailed information about how to configure the
53       z/OS server for Remote Auditing, refer to z/OS  V1R8.0-9.0  Intergrated
54       Security Services Enterprise Identity Mapping (EIM) Guide and Reference
55       (http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119),
56       chapter "2.0 - Working with remote services".
57
58
59   Enable ITDS to process Remote Audit requests
60       To enable ITSD to process Remote Audit requests, the user ID associated
61       with ITDS must be granted READ access to the IRR.AUDITX FACILITY  Class
62       profile  (the  profile used to protect the R_Auditx service). This user
63       ID can usually be found in the  STARTED  Class  profile  for  the  ITDS
64       started  procedure.  If  the identity associated with ITDS is ITDSUSER,
65       the administrator can configure RACF to grant Remote Auditing  process‐
66       ing to ITDS with the following TSO commands:
67
68       TSO  Commands:  Grant ITDSUSER READ access to IRR.AUDITX FACILITY Class
69       profile
70              rdefine FACILITY IRR.RAUDITX uacc(none)
71              permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)
72
73
74   Create/enable RACF user ID to perform Remote Audit requests
75       A z/OS RACF user ID is needed by the plugin - Every Audit request  per‐
76       formed  by  the  plugin  will  use a RACF user ID, as configured in the
77       plugin configuration  zos-remote.conf(5).   This  user  ID  needs  READ
78       access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT. If the user ID
79       is BINDUSER, the administrator can configure RACF to enable  this  user
80       to perform Remote Auditing requests with the following TSO commands:
81
82       TSO Commands: Enable BINDUSER to perform Remote Audit requests
83              rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
84              permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)
85
86
87   Add @LINUX Class to RACF
88       When performing remote auditing requests, the audispd-zos-remote plugin
89       will use the special @LINUX CDT Class and the audit record  type  (eg.:
90       SYSCALL,  AVC,  PATH...)  as the CDT Resource Class for all events pro‐
91       cessed.  To make sure events are logged, the RACF server must  be  con‐
92       figured  with  a  Dynamic CDT Class named @LINUX with correct sizes and
93       attributes. The following TSO commands can be used to add this class:
94
95       TSO Commands: Add @LINUX CDT Class
96              rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
97              setr classact(cdt)
98              setr raclist(cdt)
99              setr raclist(cdt) refresh
100              setr classact(@LINUX)
101              setr raclist(@LINUX)
102              setr generic(@LINUX)
103
104
105   Add profiles to the @LINUX Class
106       Once the CDT Class has been defined, you can add profiles to it, speci‐
107       fying resources (wildcards allowed) to log or ignore. The following are
108       examples:
109
110       TSO Commands: Log only AVC records (One generic and one  discrete  pro‐
111       file):
112              rdefine @LINUX * uacc(none) audit(none(read))
113              rdefine @LINUX AVC uacc(none) audit(all(read))
114              setr raclist(@LINUX) refresh
115
116
117       TSO Commands: Log everything (One generic profile):
118              rdefine @LINUX * uacc(none) audit(all(read))
119              setr raclist(@LINUX) refresh
120
121
122       Resources always match the single profile with the best match.
123
124       There  are  many  other ways to define logging in RACF. Please refer to
125       the server documentation for more details.
126
127

SMF Mapping

129       The ITDS Remote Audit service will cut SMF records of type 83 subtype 4
130       every  time  it  processes  a  request. This plugin will issue a remote
131       audit request for every incoming Linux Audit record (meaning  that  one
132       Linux  record will map to one SMF record), and fill this type's records
133       with the following:
134
135   Link Value
136       The Linux event serial number, encoded in network-byte order  hexadeci‐
137       mal  representation.  Records within the same Event share the same Link
138       Value.
139
140   Violation
141       Always zero (0) - False
142
143   Event Code
144       Always two (2) - Authorization event
145
146   Event Qualifier
147       Zero (0) - Success, if the event reported success=yes  or  res=success,
148       Three  (3)  -  Fail, if the event reported success=no or res=failed, or
149       One (1) - Info otherwise.
150
151   Class
152       Always @LINUX
153
154   Resource
155       The   Linux   record   type   for   the   processed    record.    e.g.:
156       SYSCALL,AVC,PATH,CWD etc.
157
158   Log String
159       Textual  message bringing the RACF user ID used to perform the request,
160       plus the Linux hostname and the record type for the first record in the
161       processed event. e.g.: Remote audit request from RACFUSER. Linux (host‐
162       name.localdomain):USER_AUTH
163
164   Data Field List
165       Also known as relocates, this list will bring all the field  names  and
166       values  in a fieldname=value format, as a type 114 (Appication specific
167       Data) relocate. The plug-in will try to interpret those  fields  (i.e.:
168       use  human-readable username root instead of numeric userid 0) whenever
169       possible. Currently, this plugin will also  add  a  relocate  type  113
170       (Date And Time Security Event Occurred) with the Event Timestamp in the
171       format as returned by ctime(3).
172
173

ERRORS

175       Errors and warnings are reported to syslog (under DAEMON facility).  In
176       situations  where  the event was submitted but the z/OS server returned
177       an error condition, the logged message brings  a  name  followed  by  a
178       human-readable description. Below are some common errors conditions:
179
180
181       NOTREQ - No logging required
182              Resource (audit record type) is not set to be logged in the RACF
183              server - The @LINUX Class profile governing  this  audit  record
184              type is set to ignore. See IBM z/OS RACF Server configuration
185
186       UNDETERMINED - Undetermined result
187              No  profile  found  for  specified  resource. There is no @LINUX
188              Class configured or no @LINUX Class profile associated with this
189              audit record type. See IBM z/OS RACF Server configuration
190
191       UNAUTHORIZED - The user does not have authority the R_auditx service
192              The user ID associated with the ITDS doesn't have READ access to
193              the IRR.AUDITX FACILITY Class profile. See IBM z/OS RACF  Server
194              configuration
195
196       UNSUF_AUTH - The user has unsuficient authority for the requested func‐
197       tion
198              The RACF user ID used to perform Remote Audit requests (as  con‐
199              figured   in   zos-remote.conf(5))  don't  have  access  to  the
200              IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See IBM z/OS  RACF
201              Server configuration
202
203

BUGS

205       The  plugin  currently does remote auditing in a best-effort basis, and
206       will dischard events in case the z/OS server cannot be contacted  (net‐
207       work failures) or in any other case that event submission fails.
208
209

FILES

211       /etc/audit/plugins.d/audispd-zos-remote.conf /etc/audit/zos-remote.conf
212

AUTHOR

217       Klaus Heinrich Kiwi <klausk@br.ibm.com>
218
219
220
221IBM                                Oct 2007                     AUDISP-RACF(8)