z/OS UNIX System Services Planning


Auditing access to files and directories

GA32-0884-00

The security auditor uses reports formatted from RACF® system management facilities (SMF) records to check successful and failing accesses to kernel resources. An SMF record can be written at each point where the system makes security decisions.

Six classes are used to control auditing of security events. These classes do not have any profiles. They do not have to be active to control auditing. Use the SETROPTS command to specify the auditing options for the classes. For a list of the classes used for auditing and an explanation of how to specify the audit options, see z/OS Security Server RACF Auditor's Guide.

Audit records are always written for the following events:
  • When a user not defined as a z/OS UNIX user tries to dub a process.
  • When a user who is not a superuser or not permitted to the SUPERUSER.FILESYS.USERMOUNT RACF profile tries to mount or unmount a file system.

You cannot turn off these audit records.

You can also specify auditing at the file level in the file system. Activate this option by:
  1. Specifying DEFAULT in the class LOGOPTIONS on the SETROPTS command
  2. Using the chaudit command to specify audit options for individual files and directories

If you activate auditing for additional levels of file system access, you might generate excessive amounts of SMF Type 80 records.
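The two file-level auditing steps above as commands, in an added example that is not part of the IBM documentation. The class names FSOBJ, DIRACC and DIRSRCH, the sample paths and the helper function names are assumptions chosen for illustration; the script turns on auditing of successful writes for two files only, which keeps the SMF Type 80 volume small.

```shell
#!/bin/sh
# Step 1 (TSO/E, user with the RACF AUDITOR attribute): let the audit bits
# stored with each file decide what is logged for these classes.
#   SETROPTS LOGOPTIONS(DEFAULT(FSOBJ DIRACC DIRSRCH))
#
# Step 2 (z/OS UNIX shell): set audit bits with chaudit. An attr is
# <r|w|x...><+|-|=><s|f...>, s = successful access, f = failed access.

# valid_attr ATTR: accept only comma-separated attrs of the form above
# (helper name and the "at least one condition" rule are assumptions).
valid_attr() {
  printf '%s\n' "$1" |
    grep -Eq '^[rwx]+[-+=][sf]+(,[rwx]+[-+=][sf]+)*$'
}

# apply_audit ATTR PATH...: print the chaudit commands (DRY_RUN=1, the
# default) or run them (DRY_RUN=0). Stops at the first failure.
apply_audit() {
  attr=$1
  shift
  if ! valid_attr "$attr"; then
    echo "rejected audit attr: $attr" >&2
    return 2
  fi
  for path in "$@"; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "chaudit $attr $path"
    else
      chaudit "$attr" "$path" || return 1
    fi
  done
}

# Constructed sample: log successful writes to two configuration files only,
# instead of every access under /etc. Check the result with: ls -W <path>
apply_audit 'w+s' /etc/inetd.conf /etc/rc
```

Run it once as is to review the generated commands, then again with DRY_RUN=0 under a user who owns the files or is a superuser.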

You can also specify, in a RACF user profile, that all actions taken by the user be audited. Whether actions taken by superusers are audited is determined by RACF commands. If you are using RACF profiles in the UNIXPRIV class to control certain superuser functions, you can use those same profiles to audit those superuser functions.





Copyright IBM Corporation 1990, 2014