
(zos)

Configure the SMF audit service providers for security auditing

The audit service provider formats the audit data object sent by the audit event factory. On z/OS systems, we can use the SMF emitter implementation to write audit records to the Service Management Framework (SMF) as SMF Type 83 Subtype 5 Relocates.

Before configuring the audit service provider, enable global security in the environment. SMF recording must also be enabled at the operating system level before the SMF audit service provider is configured. If SMF recording is off and an SMF audit service provider implementation is used, audit records are not logged to SMF, and no warning is presented to alert you that the records are not being recorded.

This task configures the audit service provider used to record generated audit records.

  1. Click Security > Security Auditing > Audit service provider.

  2. Click New and then select SMF emitter.

  3. Enter the unique name that should be associated with this audit service provider in the Name field.

  4. Select the filters to be used by this audit service provider. The Selectable filter list contains the configured filters that are currently enabled.

    1. Select the filters that should be audited from the Selectable filter list.

    2. Click Add >> to add the selected event type filters to the Enabled filter list.

  5. Click Apply.


Results

After completing these steps, the audit data will be sent to the specified repository in the format required by that repository when an audit event factory is associated with this audit service provider.


What to do next

After creating an audit service provider, the audit service provider must be associated with an audit event factory that will provide the audit data objects to the audit service provider. Next you should configure an audit event factory.

Audit records emitted to SMF may be read using the SMF Unload utility. See the z/OS Internet Library for more information about the SMF Unload utility.
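Because nothing warns you when SMF recording is off, it is worth confirming that Type 83 Subtype 5 records are actually arriving. The following is an added example, not part of the original documentation or of the product: it scans a raw binary SMF dump and reports missing records or long gaps. It assumes the standard SMF record header with a subtype field and record descriptor words left intact (not the output of the SMF Unload utility); the function names, the one-hour threshold and the sample records are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

# Assumed layout: standard SMF header with subtype, big-endian, each record still
# prefixed by its record descriptor word: LEN SEG FLG RTY TME DTE SID SSI STY.
HDR = struct.Struct(">HHBBI4s4s4sH")

def smf_timestamp(tme, dte):
    """TME is hundredths of a second since midnight; DTE is packed 0cyydddF."""
    digits = dte.hex()
    year = 1900 + 100 * int(digits[1]) + int(digits[2:4])
    day = datetime(year, 1, 1) + timedelta(days=int(digits[4:7]) - 1)
    return day + timedelta(seconds=tme / 100)

def audit_records(dump, rtype=83, subtype=5):
    """Yield (system_id, timestamp) for each complete record of the given type/subtype."""
    pos = 0
    while pos + 4 <= len(dump):
        length, seg = struct.unpack_from(">HH", dump, pos)
        if length < 4 or pos + length > len(dump):
            raise ValueError("bad record length %d at offset %d" % (length, pos))
        if seg >> 8 == 0 and length >= HDR.size:  # skip spanned segments, short records
            _, _, _, rty, tme, dte, sid, _, sty = HDR.unpack_from(dump, pos)
            if (rty, sty) == (rtype, subtype):
                yield sid.decode("cp037").strip(), smf_timestamp(tme, dte)
        pos += length

def check_audit_flow(dump, max_gap=timedelta(hours=1)):
    """Return a list of findings; an empty list means records arrive without long gaps."""
    stamps = sorted(ts for _, ts in audit_records(dump))
    if not stamps:
        return ["no Type 83 Subtype 5 records: check that SMF recording is on"]
    return ["gap of %s after %s" % (b - a, a)
            for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

def make_record(rty, sty, when, sid="SYS1", body=b""):
    """Build a constructed sample record (not real audit data)."""
    tme = (when.hour * 3600 + when.minute * 60 + when.second) * 100
    dte = bytes.fromhex("0%d%02d%03dF" % ((when.year - 1900) // 100, when.year % 100,
                                          when.timetuple().tm_yday))
    return HDR.pack(HDR.size + len(body), 0, 0, rty, tme, dte,
                    sid.encode("cp037"), b"\0" * 4, sty) + body

SAMPLE = b"".join([  # constructed dump: one unrelated record, two audit records
    make_record(30, 1, datetime(2024, 5, 31, 9, 0)),
    make_record(83, 5, datetime(2024, 5, 31, 9, 5), body=b"\0" * 16),
    make_record(83, 5, datetime(2024, 5, 31, 13, 45)),
])

if __name__ == "__main__":
    for finding in check_audit_flow(SAMPLE):
        print(finding)
```

Tune `max_gap` to the event volume the enabled filters are expected to produce; a quiet system can legitimately go longer between audit records.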

We can specify the com.ibm.audit.field.length.limit custom property to set the length at which variable-length audit data is truncated. For more information, see the documentation about the security custom properties.



Related tasks

  • Audit the security infrastructure
  • Configure auditable events

  • AuditEmitterCommands (AdminTask)
  • Audit service provider collection
  • Audit service provider settings
  • Auditable security events
  • Security custom properties