AUDISPD-ZOS-REMOTE(8)   System Administration Utilities  AUDISPD-ZOS-REMOTE(8)

NAME

       audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin

SYNOPSIS

       audispd-zos-remote [ config-file ]

DESCRIPTION

       audispd-zos-remote is a remote-auditing plugin for the Audit subsystem.
       It should be started by the auditd(8) daemon and will forward all
       incoming audit events, as they happen, to a configured z/OS SMF
       (Service Management Facility) database, through an IBM Tivoli Directory
       Server (ITDS) set up for the Remote Audit service. See the SMF MAPPING
       section below for more information about the resulting SMF record
       format.

       auditd(8) must be configured to start the plugin. This is done by a
       configuration file usually located at
       /etc/audit/plugins.d/audispd-zos-remote.conf, but multiple instances
       can be spawned by having multiple configuration files in
       /etc/audit/plugins.d for the same plugin executable (see auditd(8)).

       Each instance needs a configuration file, located by default at
       /etc/audit/zos-remote.conf. Check zos-remote.conf(5) for details about
       the plugin configuration.

OPTIONS

       config-file
              Use an alternate configuration file instead of
              /etc/audit/zos-remote.conf.

SIGNALS

       audispd-zos-remote reacts to the SIGTERM and SIGHUP signals (according
       to the auditd(8) specification):

       SIGHUP Instructs the audispd-zos-remote plugin to re-read its
              configuration and flush existing network connections.

       SIGTERM
              Performs a clean exit. audispd-zos-remote will wait up to 10
              seconds if there are queued events to be delivered, dropping any
              remaining queued events after that time.

IBM z/OS ITDS Server and RACF configuration

       In order to use this plugin, you must have an IBM z/OS v1R8 (or higher)
       server with IBM Tivoli Directory Server (ITDS) configured for the Remote
       Audit service. For more detailed information about how to configure the
       z/OS server for Remote Auditing, refer to z/OS V1R8.0-9.0 Integrated
       Security Services Enterprise Identity Mapping (EIM) Guide and Reference
       (http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119),
       chapter "2.0 - Working with remote services".

   Enable ITDS to process Remote Audit requests
       To enable ITDS to process Remote Audit requests, the user ID associated
       with ITDS must be granted READ access to the IRR.RAUDITX FACILITY Class
       profile (the profile used to protect the R_auditx service). This user
       ID can usually be found in the STARTED Class profile for the ITDS
       started procedure. If the identity associated with ITDS is ITDSUSER,
       the administrator can configure RACF to grant Remote Auditing
       processing to ITDS with the following TSO commands:

       TSO Commands: Grant ITDSUSER READ access to the IRR.RAUDITX FACILITY
       Class profile
              rdefine FACILITY IRR.RAUDITX uacc(none)
              permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)

   Create/enable RACF user ID to perform Remote Audit requests
       A z/OS RACF user ID is needed by the plugin: every audit request
       performed by the plugin will use a RACF user ID, as configured in the
       plugin configuration zos-remote.conf(5). This user ID needs READ access
       to the FACILITY Class resource IRR.LDAP.REMOTE.AUDIT. If the user ID is
       BINDUSER, the administrator can configure RACF to enable this user to
       perform Remote Auditing requests with the following TSO commands:

       TSO Commands: Enable BINDUSER to perform Remote Audit requests
              rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
              permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)

   Add @LINUX Class to RACF
       When performing remote auditing requests, the audispd-zos-remote plugin
       will use the special @LINUX CDT Class and the audit record type (e.g.:
       SYSCALL, AVC, PATH...) as the CDT Resource Class for all events
       processed. To make sure events are logged, the RACF server must be
       configured with a Dynamic CDT Class named @LINUX with correct sizes and
       attributes. The following TSO commands can be used to add this class:

       TSO Commands: Add @LINUX CDT Class
              rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
              setr classact(cdt)
              setr raclist(cdt)
              setr raclist(cdt) refresh
              setr classact(@LINUX)
              setr raclist(@LINUX)
              setr generic(@LINUX)

   Add profiles to the @LINUX Class
       Once the CDT Class has been defined, you can add profiles to it,
       specifying resources (wildcards allowed) to log or ignore. The following
       are examples:

       TSO Commands: Log only AVC records (one generic and one discrete
       profile):
              rdefine @LINUX * uacc(none) audit(none(read))
              rdefine @LINUX AVC uacc(none) audit(all(read))
              setr raclist(@LINUX) refresh

       TSO Commands: Log everything (one generic profile):
              rdefine @LINUX * uacc(none) audit(all(read))
              setr raclist(@LINUX) refresh

       Resources always match the single profile with the best match.

       There are many other ways to define logging in RACF. Please refer to
       the server documentation for more details.

SMF Mapping

       The ITDS Remote Audit service will cut SMF records of type 83 subtype 4
       every time it processes a request. This plugin will issue a remote
       audit request for every incoming Linux Audit record (meaning that one
       Linux record will map to one SMF record), and fill this type's records
       with the following:

   Link Value
       The Linux event serial number, encoded in network-byte-order
       hexadecimal representation. Records within the same event share the
       same Link Value.

   Violation
       Always zero (0) - False

   Event Code
       Always two (2) - Authorization event

   Event Qualifier
       Zero (0) - Success, if the event reported success=yes or res=success;
       Three (3) - Fail, if the event reported success=no or res=failed; or
       One (1) - Info otherwise.

   Class
       Always @LINUX

   Resource
       The Linux record type of the processed record, e.g.: SYSCALL, AVC,
       PATH, CWD etc.

   Log String
       Textual message carrying the RACF user ID used to perform the request,
       plus the Linux hostname and the record type of the first record in the
       processed event, e.g.: Remote audit request from RACFUSER. Linux
       (hostname.localdomain):USER_AUTH

   Data Field List
       Also known as relocates, this list carries all the field names and
       values in fieldname=value format, as a type 114 (Application Specific
       Data) relocate. The plug-in will try to interpret those fields (i.e.:
       use the human-readable username root instead of the numeric userid 0)
       whenever possible. Currently, this plugin will also add a relocate of
       type 113 (Date And Time Security Event Occurred) with the event
       timestamp in the format returned by ctime(3).
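
       As an added illustration (not the plugin's own code), the following
       Python models the field mapping above for constructed audit records.
       The 32-bit width of the Link Value hex string and the uid-to-name table
       are assumptions.

```python
# Model of the Linux audit record -> SMF type 83 subtype 4 mapping above (added illustration, not the plugin's code).
import re, struct, time

SMF_CLASS, EVENT_CODE, VIOLATION = "@LINUX", 2, 0   # fixed values per the mapping above
UID_NAMES = {"0": "root", "1000": "alice"}          # constructed uid -> name table (assumption)
HDR_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into type, timestamp, serial and a field dict."""
    m = HDR_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, serial, body = m.groups()
    body = re.sub(r"msg='(.*)'$", r"\1", body)   # unwrap the nested msg='...' part
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "time": int(secs), "serial": int(serial), "fields": fields}

def link_value(serial):
    # Event serial in network byte order, rendered as hex; the 32-bit width is an assumption.
    return struct.pack("!I", serial).hex().upper()

def event_qualifier(fields):
    """0 Success, 3 Fail, 1 Info, following the Event Qualifier rule above."""
    if fields.get("success") == "yes" or fields.get("res") == "success":
        return 0
    if fields.get("success") == "no" or fields.get("res") == "failed":
        return 3
    return 1

def relocates_114(fields):
    """Type 114 relocates as fieldname=value, uids made human-readable when possible."""
    return ["%s=%s" % (k, UID_NAMES.get(v, v) if k in ("uid", "auid", "euid") else v)
            for k, v in fields.items()]

def map_record(line, racf_user, hostname, first_type=None):
    """SMF fields for one record; first_type is the type of the event's first record."""
    r = parse_record(line)
    return {"link_value": link_value(r["serial"]), "violation": VIOLATION,
            "event_code": EVENT_CODE, "event_qualifier": event_qualifier(r["fields"]),
            "class": SMF_CLASS, "resource": r["type"],
            "log_string": "Remote audit request from %s. Linux (%s):%s"
                          % (racf_user, hostname, first_type or r["type"]),
            "relocates": {113: time.ctime(r["time"]), 114: relocates_114(r["fields"])}}
# Constructed sample records, not captured from a real system.
REC_USER_AUTH = ("type=USER_AUTH msg=audit(1193000000.123:456): pid=2001 uid=0 auid=1000 msg='op=PAM:"
                 "authentication acct=\"alice\" exe=\"/usr/bin/login\" terminal=tty1 res=success'")
REC_SYSCALL = 'type=SYSCALL msg=audit(1193000000.123:457): syscall=2 success=no exit=-13 auid=1000 uid=1000 comm="cat"'
REC_PATH = 'type=PATH msg=audit(1193000000.123:457): item=0 name="/etc/shadow" inode=1234'
```

       REC_SYSCALL and REC_PATH share serial 457 and therefore the same Link
       Value, which is how the two records are tied to one event on the SMF side.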

ERRORS

       Errors and warnings are reported to syslog (under the DAEMON facility).
       In situations where the event was submitted but the z/OS server returned
       an error condition, the logged message consists of a name followed by a
       human-readable description. Below are some common error conditions:

       NOTREQ - No logging required
              The resource (audit record type) is not set to be logged in the
              RACF server: the @LINUX Class profile governing this audit record
              type is set to ignore. See IBM z/OS ITDS Server and RACF
              configuration.

       UNDETERMINED - Undetermined result
              No profile found for the specified resource. There is no @LINUX
              Class configured or no @LINUX Class profile associated with this
              audit record type. See IBM z/OS ITDS Server and RACF
              configuration.

       UNAUTHORIZED - The user does not have authority to the R_auditx service
              The user ID associated with ITDS doesn't have READ access to the
              IRR.RAUDITX FACILITY Class profile. See IBM z/OS ITDS Server and
              RACF configuration.

       UNSUF_AUTH - The user has insufficient authority for the requested
       function
              The RACF user ID used to perform Remote Audit requests (as
              configured in zos-remote.conf(5)) doesn't have access to the
              IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See IBM z/OS ITDS
              Server and RACF configuration.
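
       To check which record types will actually reach SMF under the @LINUX
       profiles from the configuration section above, and which of the error
       names above the plugin would log otherwise, here is an added Python
       model (not RACF's or the plugin's code). It simplifies RACF generic
       matching to "*" wildcards, with the longest literal prefix as the best
       match.

```python
# Simplified model of RACF profile resolution for the @LINUX Class and the
# resulting plugin outcome (added illustration, not RACF's or the plugin's code).
import fnmatch

def best_profile(profiles, resource):
    """Single best-matching profile name, or None. Discrete (exact) profiles beat
    generic ones; among generics the longest literal prefix wins (simplified rule,
    only the '*' wildcard is modelled)."""
    if resource in profiles and "*" not in resource:
        return resource
    generics = [p for p in profiles if "*" in p and fnmatch.fnmatchcase(resource, p)]
    return max(generics, key=lambda p: len(p.split("*")[0]), default=None)

def audit_outcome(profiles, resource):
    """'LOGGED', or the error name the plugin reports to syslog for this record type.
    profiles maps profile name -> its audit() setting, e.g. {"*": "none(read)"}."""
    p = best_profile(profiles, resource)
    if p is None:
        return "UNDETERMINED"   # no @LINUX Class, or no profile covering this type
    return "LOGGED" if profiles[p] == "all(read)" else "NOTREQ"

def coverage(profiles, record_types):
    """Outcome per record type, so a deployment's profile set can be checked up front."""
    return {t: audit_outcome(profiles, t) for t in record_types}

# The two profile sets from the TSO examples above, keyed by their audit() setting.
LOG_ONLY_AVC = {"*": "none(read)", "AVC": "all(read)"}
LOG_EVERYTHING = {"*": "all(read)"}
COMMON_TYPES = ["SYSCALL", "AVC", "PATH", "CWD", "USER_AUTH"]
```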

BUGS

       The plugin currently does remote auditing on a best-effort basis, and
       will discard events in case the z/OS server cannot be contacted
       (network failures) or in any other case where event submission fails.

FILES

       /etc/audit/plugins.d/audispd-zos-remote.conf
       /etc/audit/zos-remote.conf

SEE ALSO

       auditd(8), zos-remote.conf(5).

AUTHOR

       Klaus Heinrich Kiwi <klausk@br.ibm.com>

IBM                                Oct 2007              AUDISPD-ZOS-REMOTE(8)