+

Search Tips   |   Advanced Search

(ZOS) Configure the SMF audit service providers for security auditing

The audit service provider is used to format the audit data object that was sent by the audit event factory. For z/OS systems we can choose to use the SMF emitter implementation to output audit records to the Service Management Framework (SMF) as SMF Type 83 Subtype 5 Relocates.

Before configuring the audit service provider, enable global security in the environment. SMF recording must be enabled at the operating system level before configuring the SMF audit service provider to be used. If SMF recording is off and a SMF audit service provider implementation is used, then audit records are not logged to SMF and no warning is presented to alert you that the records are not being recorded.

This task configures the audit service provider used to record generated audit records.


Tasks

  1. Click Security > Security Auditing > Audit service provider.

  2. Click New and then select SMF emitter.

  3. Enter the unique name that should be associated with this audit service provider in the Name field.

  4. Select the filters to be used by this audit service provider. The Selectable filter list consists of a list of the configured filters that have been configured and are currently enabled.

    1. Select the filters that should be audited from the Selectable filter list.

    2. Click Add >> to add the selected event type filters to the Enabled filter list.

  5. Click Apply.

After completing these steps, our audit data will be sent to the specified repository in the format required by that repository when an audit event factory is associated with this audit service provider


What to do next

After creating an audit service provider, the audit service provider must be associated with an audit event factory that will provide the audit data objects to the audit service provider. Next we should configure an audit event factory.

Audit records emitted to SMF may be read using the SMF Unload utility. See the z/OS Internet Library for more information about the SMF Unload utility.

We can specify the com.ibm.audit.field.length.limit custom property to set the length at which variable-length audit data is truncated. See documentation about the security custom properties.


Subtopics

  • Auditing the security infrastructure
  • Configure auditable events using scripting
  • AuditEmitterCommands for the AdminTask object
  • Audit service provider collection
  • Audit service provider settings
  • Auditable security events
  • Security custom properties