ACFRPTOM - UNIX System Services (USS) Report

To monitor user activity in a UNIX System Services (USS) environment, CA ACF2 logs security events under USS to SMF using the standard CA ACF2 SMF record. Log records are written for any security event that denies the user access to a USS facility or for MLS Seclabel Audit. When a record is cut with MLS Seclabel Audit, a '+' appears in front of the seclabel being audited. These records can assist you in determining the UID and GID of the user involved in the attempted access.
Setting Attributes
Turning on the user or auditor logging or audit options in an HFS file can also cause logging. The owner of the file can set the user audit attribute of the file. The auditor option can also set an audit attribute, but requires the CA ACF2 SECURITY privilege. Each of these attributes is set based on the access being attempted to the file. If AUDIT attributes or flags are turned on in a file for the type of file access, it logs that access by writing an SMF record. These SMF records can be viewed on the ACFRPTOM report.
Running the Report Using the ISPF Panel
You can use the ACFRPTOM ISPF panel to create your input for the report. The following parameters can be found on the ACFRPTOM ISPF panel.
 
Userid Mask
 
Specifies the userids for which you want USS security information collected.
 
Group Mask
Specifies the groups for which you want USS security information collected.
 
UID Number
Specifies the USS UID for which you intend to collect security information. Acceptable values range from zero to 2,147,483,647.
 
GID Number
Specifies the USS GID for which you intend to collect security information. Acceptable values range from zero to 2,147,483,647.
Service
Specifies the name of the SAF callable service for which you want security information collected. See the IBM z/OS Security Server (RACF) Callable Services guide for detailed information on these services.
Note: The SERVICE parameter is mutually exclusive with the INCLUDE and the EXCLUDE parameter.
Include
Specifies multiple SAF callable services for which security information is to be collected. Services specified in INCLUDE can be masked with a '-' or an '*'. See the IBM z/OS Security Server (RACF) Callable Services guide for detailed information on these services.
Note: This parameter is mutually exclusive with the SERVICE parameter.
Exclude
Specifies multiple SAF callable services that are to be omitted from the report. Services specified in EXCLUDE can be masked with a '-' or an '*'. See the IBM z/OS Security Server (RACF) Callable Services guide for detailed information on these services.
Note: This parameter is mutually exclusive with the SERVICE parameter.
The INCLUDE and EXCLUDE statements support masking. Accordingly, the dash (-) is not used as a continuation character when an INCLUDE or EXCLUDE statement spans multiple lines; instead, the dash acts as an “all” indicator, so INCLUDE(-) would be coded to include all OM resource types in the report. INCLUDE and EXCLUDE statements also support masking with an asterisk, which follows normal masking conventions. The SERVICE parameter is case sensitive; if the service specified is not valid or its case is incorrect, the CAS2522E INVALID OPERAND VALUE FOR KEYWORD kkkkkkkk message is issued.
If you enter 'Y' in the Specify Service field the following screen displays. Specify an individual service or all services.
---------------------ACFRPTOM - Open Edition MVS Event Log ---------------------
COMMAND ===>
Optional Parameters for ACFRPTOM:
Service ===> (ALL)
If you enter 'Y' in the Specify Include field the following screen displays. Enter the specific services to be included in the report.
---------------------ACFRPTOM - Open Edition MVS Event Log----------------------
COMMAND ===>
Additional parameters for ACFRPTOM:
INCLUDE =>          =>          =>          =>          =>
        =>          =>          =>          =>          =>
        (further entry fields follow; one service name or mask per field)
If you enter 'Y' in the Specify Exclude field the following screen displays. Enter the specific services to be omitted in the report.
---------------------ACFRPTOM - Open Edition MVS Event Log----------------------
COMMAND ===>
Additional parameters for ACFRPTOM:
EXCLUDE =>          =>          =>          =>          =>
        =>          =>          =>          =>          =>
        (further entry fields follow; one service name or mask per field)
 
ERROR
Specifying ERROR restricts the output of the report to include only entries for services that ended with a SAF RC greater than zero. This helps produce a report that is easier to read when attempting to resolve an OMVS setup problem. The default is to report on all SMF records that have been written.
 
LOGSTREAM
Indicates whether LOGSTREAM SMF data is to be retrieved. This parameter is available for z/OS 1.9 and higher when the SMF data is being captured by an LGR LOGSTREAM structure. When Y is specified, the ACFRPTAL panel is displayed so that specific logstream parameters can be provided.
Running the Report Using JCL
You can use JCL to run the ACFRPTOM report. To run the ACFRPTOM report, see Using Sample JCL to Execute Reports. The following are the parameters for this report.
 
UID(value)
Specifies the USS UID for which you intend to collect security information. Acceptable numeric values range from zero to 2,147,483,647. This field is not maskable.
 
GID(value)
Specifies the USS GID for which you intend to collect security information. Acceptable numeric values range from zero to 2,147,483,647. This field is not maskable.
 
USER(logonid)
Specifies the logonid for which you want USS security information collected. This field is maskable.
 
GROUP(groupname)
Specifies the group for which you want USS security information collected. This field is maskable.
 
SERVICE(service)
Specifies the name of the SAF callable service for which you want security information collected. See the IBM z/OS Security Server (RACF) Callable Services guide for detailed information on these services. Possible values for this field are shown in Service Field Values.
Note: The SERVICE parameter is mutually exclusive with the INCLUDE and the EXCLUDE parameter.
 
 
SUMMARY|DETAIL
Specifying the default value SUMMARY produces a three-line entry for each event logged. Specifying DETAIL produces report entries that include all the information available for each logging event.
 
ERROR
Specifying ERROR restricts the output of the report to include only entries for services that ended with a SAF RC greater than zero. This helps produce a report that is easier to read when attempting to resolve an OMVS setup problem. The default is to report on all SMF records that have been written.
 
INCLUDE(service1, service2)
Specifies multiple SAF callable services for which you want security information collected. Services specified in INCLUDE can be masked with a '-' or an '*'. See the IBM z/OS Security Server (RACF) Callable Services guide for detailed information on these services. Possible values for this field are shown in Service Field Values.
Note: This parameter is mutually exclusive with the SERVICE parameter.
 
EXCLUDE(service1,service2,…)
Specifies multiple SAF callable services that are to be omitted from the report. Services specified in EXCLUDE can be masked with a '-' or an '*'. See the IBM z/OS Security Server (RACF) Callable Services guide for detailed information on these services. Possible values for this field are shown in Service Field Values.
Note: This parameter is mutually exclusive with the SERVICE parameter.
The INCLUDE and EXCLUDE statements support masking. Accordingly, the dash (-) is not used as a continuation character when an INCLUDE or EXCLUDE statement spans multiple lines; instead, the dash acts as an “all” indicator, so INCLUDE(-) would be coded to include all OM resource types in the report. INCLUDE and EXCLUDE statements also support masking with an asterisk, which follows normal masking conventions. The SERVICE parameter is case sensitive; if the service specified is not valid or its case is incorrect, the CAS2522E INVALID OPERAND VALUE FOR KEYWORD kkkkkkkk message is issued.
Common Parameters
The ACFRPTOM panel accepts the following parameters.
  • LINECNT
  • TITLE
  • FORMAT
  • JOBMASK
  • SDATE
  • STIME
  • EDATE
  • ETIME
  • SYSID
  • SELECT
Sample Output
The following ACFRPTOM report shows the logging of security events in a USS environment:
10/28/99 99.301 15.15                         - OMVS LOGGINGS -                              PAGE 1
SERVICE      USERID GROUP    UID  GID SAF RC RSN DATE            TIME     JOBNAME SOURCE SYSID CPU
INIT_USP     USER01 OMVGROUP 0    0   8   8  20  10/13/99 99.286 21.27.15 USER01  XE41   XE41
Failed - User not defined as OpenMVS user
INIT_USP     USER01 OMVGROUP 0    0   8   8  20  10/13/99 99.286 21.27.16 USER01  XE41   XE41
Failed - User not defined as OpenMVS user
INIT_USP     USER01 OMVGROUP 1025 10  0   0  0   10/13/99 99.286 21.30.10 USER01  XE41   XE41
Successful - Logging active by Trace/Audit options
Home : /u/user01   Program : /bin/sh
DELETE_USP   USER01 OMVGROUP 0    0   0   0  0   10/13/99 99.286 21.34.07 USER01  XE41   XE
Successful - Logging active by Trace/Audit options
CHECK_ACCESS USER01 OMVGROUP 1025 10  0   0  0   10/13/99 99.286 22.03.11 USER01  XE41   XE41
Successful - Logging active by Trace/Audit options
Function: opendir   User Type: Local   Requested Access: Search
Pathname: /u/user02/   Filename: /ROOT
File Permissions: Owner: rwx  Group: r--  Other: ---
Owning UID: 0   Owning GID: 0   Volume : SMS001   File Identifier: 000104000000000003
File Audit Options: User    : Read Failure  Write Failure  Exec/Search Failure
                    Auditor : Read Failure  Write Failure  Exec/Search Failure
This sample output was run with the DETAIL option and shows three log entries for INIT_USP requests, one entry for a DELETE_USP request, and one entry for a CHECK_ACCESS request.
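As an added illustration (not code from CA ACF2 or from this page), the following Python parses report entries laid out as in the sample above and applies the ERROR, SERVICE, INCLUDE and EXCLUDE selections that the report parameters describe. The embedded sample is constructed from the page's output with the DETAIL fields reflowed one per line; the mask semantics ('-' matches to the end of the value, '*' matches one character) are an assumption about CA ACF2 masking.

```python
"""Parse ACFRPTOM entries and apply ERROR / SERVICE / INCLUDE / EXCLUDE selection."""
import re
from dataclasses import dataclass, field

# Constructed sample based on the page's DETAIL output: the column-heading row,
# then each event's header line, explanation line and DETAIL lines (reflowed
# here to one "Key: value" field per line).
SAMPLE_REPORT = """\
SERVICE USERID GROUP UID GID SAF RC RSN DATE TIME JOBNAME SOURCE SYSID CPU
INIT_USP USER01 OMVGROUP 0 0 8 8 20 10/13/99 99.286 21.27.15 USER01 XE41 XE41
Failed - User not defined as OpenMVS user
INIT_USP USER01 OMVGROUP 1025 10 0 0 0 10/13/99 99.286 21.30.10 USER01 XE41 XE41
Successful - Logging active by Trace/Audit options
Home : /u/user01
Program : /bin/sh
DELETE_USP USER01 OMVGROUP 0 0 0 0 0 10/13/99 99.286 21.34.07 USER01 XE41 XE
Successful - Logging active by Trace/Audit options
CHECK_ACCESS USER01 OMVGROUP 1025 10 0 0 0 10/13/99 99.286 22.03.11 USER01 XE41 XE41
Successful - Logging active by Trace/Audit options
Function: opendir
Requested Access: Search
Pathname: /u/user02/
File Permissions: Owner: rwx Group: r-- Other: ---
Owning UID: 0
"""

# Header line columns: SERVICE USERID GROUP UID GID SAF RC RSN
# DATE(Gregorian) DATE(Julian) TIME JOBNAME SOURCE SYSID [CPU].
HEADER_RE = re.compile(
    r"^(?P<service>\S+)\s+(?P<userid>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<saf>\d+)\s+(?P<rc>\d+)\s+(?P<rsn>\d+)\s+"
    r"(?P<date>\d\d/\d\d/\d\d)\s+(?P<julian>\d\d\.\d{3})\s+(?P<time>\d\d\.\d\d\.\d\d)\s+"
    r"(?P<jobname>\S+)\s+(?P<source>\S+)\s+(?P<sysid>\S+)(?:\s+(?P<cpu>\S+))?$"
)


@dataclass
class Entry:
    service: str
    userid: str
    group: str
    uid: int
    gid: int
    saf_rc: int     # SAF return code: 0 ok, 4 CA ACF2 not active, 8 denied
    acf2_rc: int    # CA ACF2 return code
    rsn: int        # SAF reason code
    date: str
    time: str
    jobname: str
    explanation: str = ""                        # the third, text line
    detail: dict = field(default_factory=dict)   # DETAIL-only "Key: value" fields


def parse_report(text: str) -> list:
    """Group lines into entries: a header line, its explanation line,
    then any DETAIL "Key: value" lines up to the next header line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            g = m.groupdict()
            entries.append(Entry(g["service"], g["userid"], g["group"],
                                 int(g["uid"]), int(g["gid"]), int(g["saf"]),
                                 int(g["rc"]), int(g["rsn"]), g["date"],
                                 g["time"], g["jobname"]))
        elif not line or not entries:
            continue                      # blank line or the column-heading row
        elif not entries[-1].explanation:
            entries[-1].explanation = line
        elif ":" in line:
            key, value = line.split(":", 1)
            entries[-1].detail[key.strip()] = value.strip()
    return entries


def mask_to_regex(mask: str):
    """Assumed CA ACF2 mask semantics: '-' matches anything up to the end of
    the value, '*' matches exactly one character. Comparison is case-sensitive,
    as the page states for service names."""
    parts = []
    for ch in mask:
        if ch == "-":
            parts.append(".*")
            break
        parts.append("." if ch == "*" else re.escape(ch))
    return re.compile("".join(parts))


def _hit(masks, name: str) -> bool:
    return any(mask_to_regex(m).fullmatch(name) for m in masks)


def select(entries, service=None, include=(), exclude=(), error=False):
    """Apply the SERVICE / INCLUDE / EXCLUDE / ERROR report options."""
    if service and (include or exclude):
        raise ValueError("SERVICE is mutually exclusive with INCLUDE/EXCLUDE")
    return [e for e in entries
            if (not service or e.service == service)   # SERVICE: one exact value
            and (not include or _hit(include, e.service))
            and not (exclude and _hit(exclude, e.service))
            and (not error or e.saf_rc > 0)]           # ERROR: SAF RC > 0 only


if __name__ == "__main__":
    for e in select(parse_report(SAMPLE_REPORT), error=True):
        print(e.service, e.userid, e.saf_rc, e.rsn, e.explanation)
```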
Sample MLS Output
ck_access USERA01 ACFGROUP 0 10 0 0 0 01/20/04 04.020 12.56.44 USERA01 XE75 XE75 ABC
Successful - Logging active by Trace/Audit options
Function: open   User Type: Local   Requested Access: Read
Name flag: Use CRED_name_flag to determine pathname
Pathname: /etc/zfs/zfile2   Filename: zfile2
File Permissions: Owner: rw-  Group: r--  Other: r--
Owning UID: 0   Owning GID: 0   SECLABEL: BCD
Volume : TSO75S   File Identifier: 00010E000000230000
File Audit Options: User    : Read Failure  Write Failure  Exec/Search Failure
                    Auditor : Read None     Write None     Exec/Search None
Field Descriptions
Different information is logged for different types of requests.
  • INIT_USP and DELETE_USP requests result in three-line log entries: the first two lines consist of field information; the third line is a text explanation.
  • The CHECK_ACCESS request results in a log entry that consists of three lines plus additional lines of information about the request.
Descriptions of these entries follow. Included are descriptions of the security services and fields that might show up on the ACFRPTOM when DETAIL is specified.
 
SERVICE
The type of service requested. See the list of possible service requests you might see in this field and a brief description of each in the Service Field Values section.
Note: When using SERVICE, only one value can be specified at any given time.
 
INCLUDE
The type of service or services requested. See the list of possible service requests you might see in this field and a brief description of each in the Service Field Values section.
Note: INCLUDE accepts multiple values as well as masked values.
 
EXCLUDE
The type of service or services to be omitted from the report. See the list of possible service requests you might see in this field and a brief description of each in the Service Field Values section.
Note: EXCLUDE accepts multiple values as well as masked values.
 
CPU
The SMF name of the CPU that validated the request.
 
DATE
The Julian or Gregorian date when the access was attempted. The format of the Gregorian date is mm/dd or dd/mm, depending on the DATE option in the GSO OPTS infostorage record.
 
EXPLANATION LINE
A text explanation of the return and reason codes for this call. It tells whether the request failed or succeeded and provides a brief explanation of the disposition. Failed request messages are customized to reflect the reason for the failure. Successful requests resemble the following:
Successful - Logging active by Trace/Audit options
 
 
GID
The OMVS GID number of the user.
 
GROUP
The GROUP with which the user is associated.
 
IDID Registry Name
The distributed identity registry name that is associated with the z/OS userid. This field is shown when z/OS Identity Propagation is being used.
 
IDID User DN
The distinguished name that is associated with the z/OS userid. This field is shown when z/OS Identity Propagation is being used.
 
JOBNAME
The name of the job under which the access was issued.
 
SAF
The SAF return code. For all services:
  • 0-Successful completion
  • 4-CA ACF2 not active
  • 8-Request denied. See explanation line.
RC
The CA ACF2 return code. For all services:
  • 0-Successful completion
  • 8-Request denied. See explanation line.
 
RSN
The SAF reason code. See explanation line.
 
TIME
The time of day when the access attempt occurred.
 
 
SOURCE
The logical input source from which the request was issued.
 
SYSID
The CA ACF2 system ID associated with the logging records.
 
UID
The OMVS UID number of the user.
 
USERID
The logonid of the user for which the request was made.
Service Field Values
Possible values for the SERVICE, INCLUDE, and EXCLUDE fields of the ACFRPTOM report follow. These values are case-sensitive.
Additional information that might appear on the report for each request when the DETAIL option is specified is a function of the particular call being made. See Security Credentials and File Security Packets for more information.
ck_access
Determines if a user has the requested access (READ, WRITE, EXECUTE, or SEARCH) to the specified file or directory.
ck_file_owner
Checks whether the current process is a superuser or the owner of the specified file. A process is the owner of a file if its effective UID is equal to the file owner's UID.
ck_IPC_access
Determines whether the current process has the requested access to the interprocess communication (IPC) key or identifier whose IPC security packet (IISP) is passed.
ck_owner_2_files
Checks whether the calling process is a superuser or is the owner of the file/directory, or directory/directory-entry pair, represented by the input FSP1 and FSP2. A process is the owner of the file if the process's effective UID is equal to the file's owner UID.
ck_priv
Determines if the calling process is a superuser.
ck_process_owner
Checks to see if the calling process is the owner of a process being called.
clear_setid
Clears temporary access that has been given to a file or directory (that is, resets the S_ISUID, S_ISGID, and S_ISVTX bits in the file's or directory's access permissions back to zero). For more information about these bits, see the IBM z/OS UNIX System Services User's Guide.
 
deleteUSP
Indicates that the user's access to USS terminated.
getGMAP
Indicates that a call was made to determine the GID for a groupname or the groupname for a GID.
get_uid_gid_supg
Gets the real, effective, and saved UIDs and GIDs, and the supplemental groups from the USP.
getUMAP
Indicates that a call was made to determine the UID for a username or the username for a UID.
initACEE
Provides an interface for creating and managing security contexts created through the pthread_security_np service.
initUSP
Indicates initial user access to USS.
  • Home-the home directory of the user at initial access to USS
  • Program-the name of the program for the indicated user at initial access to USS
  • Cputime-maximum CPU time for a dubbed process
  • Assize-maximum address space size
  • Fileproc-maximum files per process
  • Procuser-maximum number of processes
  • Threads-maximum number of pthread created threads
  • Mmaparea-maximum data space pages for HFS mappings
  • Memlimit-maximum non-shared memory size
  • Shmemmax-maximum shared memory size
makeFSP
Seen when a file or directory is created.
  • File Type-the file type of the file for which the FSP is being created. It tells whether a file is a directory, a regular file or one of several special types of files.
  • File Permissions-the file access permissions to be assigned to the indicated file. These are displayed in the fields named Owner, Group, and Other. Values for the fields are r for READ, w for WRITE, x for EXECUTE, and s for SEARCH.
makeISP
Builds an IISP in the area provided by the caller.
make_root_fsp
Indicates that a new file system is being initialized in a new PDSE/x data set.
 
query_file_opts
Indicates that file security options were queried to determine the settings.
query_sys_opts
Indicates that system security options were queried to determine the settings.
R_admin
Allows applications to pass a CA ACF2 command buffer that is used to update the CA ACF2 database.
R_audit
A record cut in addition to a security service record; it supplies additional information about the file being audited.
R_auditx
Logs security events to SMF.
R_cacheserv
Indicates a call was made for cache services. A cache is stored in a data space and contains security relevant information. The cache functions are:
  • START-Start a new cache.
  • ADD-Add a record to the new cache.
  • END-End cache creation.
  • FETCH-Fetch a record from the cache.
  • DELETE-Delete the cache.
R_chaudit
Indicates that a file's Audit Options have been changed. See FILE AUDIT OPTIONS in the Security Credentials and File Security Packets section next for more information.
  • User Audit Options-indicates what type of user access to this file should be audited.
  • Auditor Audit Options-indicates what type of auditor access to this file should be audited.
R_chmod
Indicates a file's permissions (mode) have been changed.
  • File Type-the file type of the file whose permissions are being changed. It indicates if a file is a directory, a regular file or one of several special types of files.
  • File Permissions-the file access permissions assigned to the indicated file. These are displayed in the fields named Owner, Group, and Other. Values for the fields are r for READ, w for WRITE, x for EXECUTE, and s for SEARCH.
R_chown
Changes a file's owning UID and GID to a new value.
  • UID To Be Set-the UID number to which the file's owning UID is being set.
  • GID To Be Set-the GID number to which the file's owning GID is being set.
R_datalib
Implements OCSF data library support, which provides access to digital certificates connected to a keyring.
  • Function-The specific R_datalib function being invoked, such as DataGetFirst or DataGetNext.
  • Userid-The userid to whom the KEYRING profile record belongs or blanks if the KEYRING profile record is owned by the issuer of the request.
  • Ring Name-The ring name of the KEYRING profile record.
R_dceauth
Enables an application server to check a user's authority to access a CA ACF2 defined resource. It is intended to be used only for the USS kernel on behalf of an application server.
R_dceinfo
Retrieves or sets fields in the DCE USER profile record.
R_dcekey
Enables OpenEdition DCE to retrieve or set a DCE password (key) or retrieve an LDAP bind password.
R_dceruid
Enables OpenEdition DCE to determine the user ID of the client from the string forms of the client's DCE UUID pair.
  • Function-The specific function being processed (“Return RACF userid” or “Return DCE UUID”).
  • Userid-The CA ACF2 userid.
  • Principal-The string form of the principal DCE UUID.
R_exec
Changes the effective and saved UID or GID or both.
  • Set UID-change made to UID.
  • Set GID-change made to GID.
R_factor
Indicates a call was made to authenticate the factor service.
R_fork
Indicates that a call was made to get the security information for a forked process.
R_GenSec
Evaluates a PassTicket.
R_getgroups
Indicates that a call was made to determine what groups the current process or user belongs to.
R_getgroupsbynam
Indicates that a call was made to determine the groups to which a specific userid belongs.
R_Getinfo
Retrieves a subset of security server information.
R_IPC_ctl
Performs functions based on a function code.
R_kerbinfo
Retrieves or sets SecureWay Security Server Network Authentication Service fields. The service returns principal or realm information and updates the count of invalid attempts at accessing the SecureWay Security Server Network Authentication Service. The invalid key count is also cleared upon successful access to the service.
R_Password
Indicates a call was made to evaluate or encrypt a clear text password or passphrase.
R_PKIServ
Allows applications to request the generation, retrieval, and administration of V3 X.509 digital certificates.
R_PrgmSignVer
Indicates a call was made for a program sign and verify.
R_proxyserv
Allows applications to invoke the LDAP component of the Security Server for z/OS to obtain data which resides in an LDAP directory.
R_ptrace
Indicates that a check was made to see if a calling process can ptrace a target process it is calling.
R_setegid
Changes the effective GID to a different GID.
  • GID To Be Set-the GID that is to be set as the effective GID.
  • Real GID-the actual GID of this user.
  • Effective GID-the GID under which this user's accesses are being validated.
  • Saved GID-internally used GID
R_seteuid
Changes the effective UID to a different UID.
  • UID To Be Set-the UID that is to be set as the effective UID.
  • Real UID-the actual UID of this user.
  • Effective UID-the UID under which this user's accesses are being validated.
  • Saved UID-internally used UID.
R_setfacl
Indicates a call was made to create or modify an Access Control List.
  • Operation-the type of operation performed: Add, Modify, or Delete.
  • ACL Type-the type of ACL affected: Access, Directory Model, or File Model.
  • UID/GID-the UID or GID for this ACL entry.
  • Permissions-The octal value of the file permissions specified for this user or group. If PERM-DEL the ACL entry for the specified UID/GID is deleted.
R_setfsecl
Changes the security label in the FSP.
R_setgid
Changes the real, effective and saved GIDs to a different GID.
  • GID To Be Set-the GID that is to be set as the current GID.
  • Real GID-the actual GID of this user.
  • Effective GID-the GID under which this user's accesses are being validated.
  • Saved GID-internally used GID.
R_setuid
Changes the real, effective and saved UID to a different UID.
  • UID To Be Set-the UID that is to be set as the current UID.
  • Real UID-the actual UID of this user or process.
  • Effective UID-the UID under which this user's accesses are being validated.
  • Saved UID-internally used UID.
R_ticketserv
This service enables application servers to parse or extract principal names from a GSS-API context token. This enables an application server to determine the client principal who originated an application-specific request when the request includes a GSS-API context token.
R_umask
Change of permissions that a program sets in a new file or directory when it creates a new file or directory.
R_usermap
Enables z/OS application servers to determine the application user identity associated with a CA ACF2 logonid, or to determine the CA ACF2 logonid associated with an application user identity or digital certificate. Currently, the only supported applications are Lotus Notes for z/OS, Novell Directory Services, and SecureWay Server Network Authentication Server. This service also allows a distributed identity, consisting of a user Distinguished Name and Registry/Realm Name, to be mapped to the corresponding CA ACF2 logonid through IDMAP profile records. R_usermap can also return the email address of a user, or the userid associated with an email address.
R_writepriv
Sets, resets, or queries the setting of the write-down privilege in the ACEE.
When MLS is active, the following fields are captured on the ACFRPTOM report:
USER-SECLABEL
The 8-byte session seclabel, or *NONE* if no seclabel exists.
FSP-SECLABEL
The 8-byte file or directory seclabel, or *NONE* if no seclabel exists.
When a record is cut with MLS Seclabel Audit, a '+' appears in front of the seclabel being audited. For complete information on how to implement MLS on a system using CA ACF2, see Implement Multilevel Security Planning.
Security Credentials and File Security Packets
Many log entries show additional information about the request. The information is contained internally as Security Credentials (CRED) and File Security Packets (FSP). This information is common to many calls and can appear in the following fields on the ACFRPTOM report if it is available:
FUNCTION
Specifies the function attempted for a file or directory, such as OPEN, SEARCH, and so forth.
PATHNAME
Specifies the full pathname of a file or directory, including the file or directory name itself. There could be two pathnames specified if the call involved more than one file or directory.
FILENAME
Specifies the name of a file or directory. In the case of a ck_access, this field names the part of the path currently being validated for access (that is, if the path is aa/bb/cc then three separate ck_access calls would be seen: the first with a filename of aa, the second with a filename of bb, and the third with a filename of cc). There can also be two filenames specified if the call involved more than one file or directory.
FILE PERMISSIONS
Specifies the access permissions for the file's owning UID (owner), the file's owning GID (group), and all others attempting access (other).
OWNING UID
Specifies the UID of the owner of the file or directory. If the real UID of a user or process attempting access to this file matches the owning UID, then access is granted according to the owner file permissions.
OWNING GID
Specifies the GID of the owner of the file or directory. If the real GID of a user or process attempting access to this file matches the owning GID, then access is granted according to the group file permissions. If the process or user does not have the owning GID as its primary GID, but has a supplemental group that matches the owning GID, then access is also determined by the group file permissions.
Note: If the GID or UID do not match the owner's GID or UID, then the “other” file permissions are used to determine access.
VOLUME
Specifies the volume on which the file system that contains the file resides.
FILE IDENTIFIER
In some cases there might be no pathname or filename indicated in a call. If this occurs, access is validated using the file identifier. To determine the path and filename for this call, find the last previous call with the same file identifier; its pathname and filename are the same as for the call in question.
FILE AUDIT OPTIONS
There are two types of file audit options:
  • User-indicates the type of file access that should be logged for a user. For example, if the report shows “Read Failure, Write All, Exec/Search None,” it means that all failed READ attempts, all WRITEs, but no EXECs or SEARCHes are to be logged to SMF for the user.
  • Auditor-indicates the type of file access that should be logged for an auditor. For example, if the report shows “Read Failure, Write All, Exec/Search None,” it means that all failed READ attempts, all WRITEs, but no EXECs or SEARCHes are to be logged to SMF for the auditor.
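The permission decision (FILE PERMISSIONS, OWNING UID, OWNING GID) and the User/Auditor FILE AUDIT OPTIONS above, modelled together in Python as an added example that is not CA ACF2 code. It follows only what the page describes: superuser privilege (ck_priv) and ACLs (R_setfacl) are not modelled, and the sample FSP, its audit settings, and the requesters are constructed values.

```python
"""Model the owner/group/other permission decision and the User/Auditor
file audit options that the FSP fields on the ACFRPTOM report describe."""
from dataclasses import dataclass


@dataclass
class FSP:
    """File Security Packet fields as printed under a DETAIL entry."""
    owning_uid: int
    owning_gid: int
    owner: str           # Owner column of File Permissions, e.g. "rw-"
    group: str           # Group column
    other: str           # Other column
    user_audit: dict     # {"Read": "Failure", "Write": "All", "Exec/Search": "None"}
    auditor_audit: dict  # same keys; set by an auditor holding the SECURITY privilege


@dataclass
class CRED:
    """Security credentials of the requester (real UID/GID, as the page puts it)."""
    uid: int
    gid: int
    supplemental_gids: tuple = ()


# Permission bit each requested access needs, and the audit class it falls in.
PERM_BIT = {"Read": "r", "Write": "w", "Execute": "x", "Search": "x"}
AUDIT_CLASS = {"Read": "Read", "Write": "Write",
               "Execute": "Exec/Search", "Search": "Exec/Search"}


def permission_class(fsp: FSP, cred: CRED) -> str:
    """Owner if the UID matches; Group if the primary or a supplemental GID
    matches the owning GID; otherwise Other (the page's Note)."""
    if cred.uid == fsp.owning_uid:
        return "Owner"
    if cred.gid == fsp.owning_gid or fsp.owning_gid in cred.supplemental_gids:
        return "Group"
    return "Other"


def ck_access(fsp: FSP, cred: CRED, requested: str) -> bool:
    """Grant only if the one applicable permission string holds the needed bit;
    an owner is judged by the owner bits even when group/other are wider."""
    cls = permission_class(fsp, cred)
    perms = {"Owner": fsp.owner, "Group": fsp.group, "Other": fsp.other}[cls]
    return PERM_BIT[requested] in perms


def audit_says_log(options: dict, requested: str, granted: bool) -> bool:
    """Failure logs only denied attempts, All logs every attempt, None logs nothing."""
    setting = options.get(AUDIT_CLASS[requested], "None")
    return setting == "All" or (setting == "Failure" and not granted)


def evaluate(fsp: FSP, cred: CRED, requested: str) -> dict:
    """Decide the access and whether the user or auditor options cause an SMF record."""
    granted = ck_access(fsp, cred, requested)
    by_user = audit_says_log(fsp.user_audit, requested, granted)
    by_auditor = audit_says_log(fsp.auditor_audit, requested, granted)
    return {"class": permission_class(fsp, cred), "granted": granted,
            "user_audit": by_user, "auditor_audit": by_auditor,
            "smf_record": by_user or by_auditor}


# Constructed sample FSP: owned by UID 1025 / GID 10, mode rw-r-----, with the
# page's example user audit options and no auditor audit options.
SAMPLE_FSP = FSP(1025, 10, "rw-", "r--", "---",
                 {"Read": "Failure", "Write": "All", "Exec/Search": "None"},
                 {"Read": "None", "Write": "None", "Exec/Search": "None"})

if __name__ == "__main__":
    for cred, access in [(CRED(1025, 10), "Write"), (CRED(2000, 10), "Read"),
                         (CRED(2000, 20), "Read"), (CRED(2000, 20, (10,)), "Read"),
                         (CRED(2000, 20), "Search")]:
        print(cred, access, evaluate(SAMPLE_FSP, cred, access))
```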
Selective SMF Logging Options for USS
Normally CA ACF2 logs certain callable services or USS events to the SMF log. However, with the UNIXOPTS GSO record, you can selectively control which USS events are logged. There are seven parameters or options in the UNIXOPTS record that determine whether USS events within certain categories are logged to create an audit trail or whether these events are ignored. These parameters and the events that they cover are detailed in the following.
DIRACC|NODIRACC
Specifies if SMF records are to be cut for UNIX system services that control access checks for read/write access to directories. Some of the functions that access directories with read or write access are open, opendir, rename, rmdir, mount, mkdir, link, mknod, getcwd, and vlink. The Security Server callable services that control cutting this SMF record are ck_access and ck_owner_2_files.
DIRSRCH|NODIRSRCH
Specifies if SMF records are to be cut for UNIX system services that control directory searches. Some of the functions that search directories are chmod, chown, chaudit, getcwd, link, mkdir, open, opendir, stat, ttyname and vlink. The Security Server callable service that controls cutting this SMF record is ck_access. Be aware that auditing directory searches generates a very large number of SMF records in a short period of time.
FSOBJ|NOFSOBJ
Specifies if SMF records are to be cut for UNIX system services that control the auditing of the creation and deletion of system objects. It also cuts SMF records for all access checks except directory searches. Some of the functions that will do this are chdir, link, mkdir, open, mount, rename, rmdir, symlink, vmakedir, and vcreate. The Security Server callable services that control cutting of this SMF record are ck_access, ck_owner_2_files, ckpriv, makeFSP, make_root_FSP, makeISP, and R_audit.
FSSEC|NOFSSEC
Specifies if SMF records are to be cut for UNIX system services that control the auditing of changes to the security data (FSP) for file system objects. Some of the functions that modify the FSP are chaudit, chmod, chown, chattr, write, fchaudit, fchmod, and setfacl. The Security Server callable services that control cutting of this SMF record are R_chaudit, R_chown, R_chmod, clear_setid, and R_setfacl.
IPCOBJ|NOIPCOBJ
Specifies if SMF records are to be cut for UNIX system services that control the auditing of the access control, IPC object changes and the creation and deletion of IPC objects. Some of the functions that will do this are msgctl, msgget, msgsnd, semctl, semget, semop, shmat, shmget and shmctl. The Security Server callable services that control cutting of this SMF record are ck_IPC_access, R_IPC_ctl, and makeISP.
PROCACT|NOPROCACT
Specifies if SMF records are to be cut for UNIX system services that control the auditing of services that look at data from, or affect, other processes. Some of the functions that affect other processes are getpsent, kill, ptrace, recv, recvmsg and sendmsg. The Security Server callable services that control cutting of this SMF record are ck_process_owner and R_ptrace.
PROCESS|NOPROCESS
Specifies if SMF records are to be cut for UNIX system services that control the dubbing and undubbing of processes, changes to the UIDs and GIDs of processes, and changes to the thread limits and other privileged options. Some of the functions that dub processes or change process values are exec, setuid, setgid, seteuid, setegid, dub, undub, and vregister. The Security Server callable services that control cutting of this SMF record are R_exec, R_setuid, R_setgid, R_seteuid, R_setegid, ck_priv, initACEE, initUSP, and deleteUSP.