z/OS Security Server RACF Callable Services


Security credentials (CRED)

SA23-2293-00

The security credentials (CRED) structure is used in the z/OS UNIX file system to pass data from the logical file system (LFS) through the physical file system (PFS) to the RACF® callable services.

The CRED is built by the LFS, and is created for each system call entry to the LFS. The CRED is used for all vm_ops called (and most RACF callable service calls by the PFS) for the system call. The CRED is not kept across multiple LFS system calls.

The CRED contains:
  • User information: a user type field that indicates whether the caller is a standard z/OS UNIX process known to RACF, or a system function that is not a process.

    Functions that accept a system caller process the request as if the caller were a superuser. If an audit record is written, the z/OS UNIX user identifier (UID) and z/OS UNIX group identifier (GID) values in the record are set to -1.

  • Audit data: data known by the LFS that must be passed through the PFS to the RACF callable services for auditing. This data is:
    • Audit function code: a code that identifies the system call being processed. The audit function codes are described in z/OS Security Server RACF Data Areas.
    • Name flag: a flag used on path resolution calls to ck_access to indicate whether the first or second file name is being checked.
    • Requested path name: the path name the user passed on the system call. For link, vlink, rename, and vrename, this is the old path name. When the caller of lookup is getcwd, ioctl, or ttyname, this field is not completed.
    • File name: the part of the requested path name currently being checked. This may be part of the path name or may be part of a symbolic link encountered when resolving the path name. The first directory checked in a path name resolution is either the root directory (/ROOT) or the current working directory (/CWD). The names /ROOT and /CWD, the only file names that contain a slash (/), are provided to indicate these directories in the audit record. This field is included only in audit records produced by ck_access.
      This field contains the file name of:
      • The directory being checked on calls from lookup.

        When the caller of lookup is getcwd, ioctl, or ttyname, this field is not completed.

      • The parent directory of the object identified by the path name for calls for mkdir, mknod, vcreate, open(new file), rename, vrename, rmdir, symlink, vsymlink, unlink, and vremove.
      • The object identified by the path name for calls for open(old file), opendir, link, vlink, and utime.
    • Second path name: for rename, vrename, link, and vlink, this is the new path name passed on the system call. For symlink and vsymlink, this is the content of the symlink. For mount and unmount, this is the data set name of the shared file system data set being mounted or dismounted.
    • Second file name: this is the same as the file name above, except that it is for the second part of the path name being checked. This field contains the file name of:
      • The directory being checked on calls from lookup.
      • The parent directory of the object identified by the new path name for calls for link, vlink, rename, and vrename.
    • Access Control List information: pointers to ACL buffers are used for the ck_access, makeFSP, and R_Setfacl callable services.
    • Security Label:
      • used to pass the security label to be set for the file or directory to R_setfsecl
      • used in a system CRED to pass the security label to set when the directory's security label is SYSMULTI for makeFSP
      • used in a system CRED to indicate that a directory requires a SYSMULTI security label to pass an access request for ck_access.
    • ACEE pointer: used to pass the ACEE address of a user performing a socket call in SRB mode from UNIX System Services to the IP stack.
    • Read-only security label: used to pass the resource security label for read-only file systems to ck_access.
    • File System Name: the name of the file system containing the specified file name(s). If supplied by LFS and the FSACCESS class is RACLISTed, RACF verifies that the user has access to a matching profile defined in that class.

The CRED structure is mapped by the IRRPCRED mapping macro.

For the mapping of the CRED, see z/OS Security Server RACF Data Areas.





Copyright IBM Corporation 1990, 2014