logo
Free, unlimited AI code reviews that run on commit
git-lrc git-lrc GitHub Install Now We'd appreciate a star git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt git-lrc - Free, unlimited AI code reviews that run on commit | Product Hunt

audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin

Author

       Klaus Heinrich Kiwi <klausk@br.ibm.com>

IBM                                                 Oct 2007                               AUDISPD-ZOS-REMOTE(8)

Bugs

       The plugin currently does remote auditing in a best-effort basis, and will discard  events  in  case  the
       z/OS server cannot be contacted (network failures) or in any other case that event submission fails.

Description

audispd-zos-remote  is  a  remote-auditing  plugin  for  the Audit subsystem. It should be started by the
       auditd(8) daemon and will forward all incoming audit events, as they happen, to  a  configured  z/OS  SMF
       (Service  Management  Facility)  database,  through  an IBM Tivoli Directory Server (ITDS) set for Remote
       Audit service.  See SMFMAPPING section below for more information about the resulting SMF record format.

       auditd(8) must be configured to start the plugin. This is done by a configuration file usually located at
       /etc/audit/plugins.d/audispd-zos-remote.conf, but multiple instances can be spawned  by  having  multiple
       configuration files in /etc/audit/plugins.d for the same plugin executable (see auditd(8)).

       Each  instance  needs  a  configuration  file,  located  by default at /etc/audit/zos-remote.conf.  Check
       zos-remote.conf(5) for details about the plugin configuration.

Errors

       Errors and warnings are reported to syslog (under DAEMON facility). In situations  where  the  event  was
       submitted but the z/OS server returned an error condition, the logged message brings a name followed by a
       human-readable description. Below are some common errors conditions:

       NOTREQ-Nologgingrequired
              Resource (audit record type) is not set to be logged in the RACF server - The @LINUX Class profile
              governing this audit record type is set to ignore. See IBMz/OSRACFServerconfigurationUNDETERMINED-Undeterminedresult
              No  profile  found  for specified resource. There is no @LINUX Class configured or no @LINUX Class
              profile associated with this audit record type. See IBMz/OSRACFServerconfigurationUNAUTHORIZED-TheuserdoesnothaveauthoritytheR_auditxservice
              The user ID associated with the ITDS doesn't have READ access to  the  IRR.AUDITX  FACILITY  Class
              profile. See IBMz/OSRACFServerconfigurationUNSUF_AUTH-Theuserhasinsufficientauthorityfortherequestedfunction
              The RACF user ID used to perform Remote Audit requests (as configured in zos-remote.conf(5)) don't
              have  access  to  the  IRR.LDAP.REMOTE.AUDIT  FACILITY  Class  profile.  See  IBMz/OSRACFServerconfiguration

Files

       /etc/audit/plugins.d/audispd-zos-remote.conf /etc/audit/zos-remote.conf

Ibm Z/Os Itds Server And Racf Configuration

       In order to use this plugin, you must have an IBM z/OS v1R8 (or higher) server with IBM Tivoli  Directory
       Server  (ITDS)  configured for Remote Audit service. For more detailed information about how to configure
       the z/OS server for Remote Auditing, refer to z/OSV1R8.0-9.0IntegratedSecurityServicesEnterpriseIdentityMapping(EIM)GuideandReference
       (http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119),
       chapter "2.0 - Working with remote services".

   EnableITDStoprocessRemoteAuditrequests
       To  enable  ITSD  to process Remote Audit requests, the user ID associated with ITDS must be granted READ
       access to the IRR.AUDITX FACILITY Class profile (the profile used to protect the R_Auditx service).  This
       user ID can usually be found in the STARTED Class profile for the ITDS started procedure. If the identity
       associated  with  ITDS  is  ITDSUSER,  the  administrator  can  configure  RACF  to grant Remote Auditing
       processing to ITDS with the following TSO commands:

       TSOCommands:GrantITDSUSERREADaccesstoIRR.AUDITXFACILITYClassprofile
              rdefine FACILITY IRR.RAUDITX uacc(none)
              permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)

   Create/enableRACFuserIDtoperformRemoteAuditrequests
       A z/OS RACF user ID is needed by the plugin - Every Audit request performed by the plugin will use a RACF
       user ID, as configured in the plugin configuration zos-remote.conf(5).  This user ID needs READ access to
       FACILITY Class resource IRR.LDAP.REMOTE.AUDIT.  If  the  user  ID  is  BINDUSER,  the  administrator  can
       configure RACF to enable this user to perform Remote Auditing requests with the following TSO commands:

       TSOCommands:EnableBINDUSERtoperformRemoteAuditrequests
              rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
              permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)

   Add@LINUXClasstoRACF
       When  performing  remote auditing requests, the audispd-zos-remote plugin will use the special @LINUXCDTClass and the audit record type (eg.: SYSCALL, AVC, PATH...)  as the CDTResourceClass  for  all  events
       processed.   To  make sure events are logged, the RACF server must be configured with a Dynamic CDT Class
       named @LINUX with correct sizes and attributes. The following TSO commands can be used to add this class:

       TSOCommands:Add@LINUXCDTClass
              rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
              setr classact(cdt)
              setr raclist(cdt)
              setr raclist(cdt) refresh
              setr classact(@LINUX)
              setr raclist(@LINUX)
              setr generic(@LINUX)

   Addprofilestothe@LINUXClass
       Once the CDT Class has been defined, you can add profiles to it, specifying resources (wildcards allowed)
       to log or ignore. The following are examples:

       TSOCommands:LogonlyAVCrecords(Onegenericandonediscreteprofile):
              rdefine @LINUX * uacc(none) audit(none(read))
              rdefine @LINUX AVC uacc(none) audit(all(read))
              setr raclist(@LINUX) refresh

       TSOCommands:Logeverything(Onegenericprofile):
              rdefine @LINUX * uacc(none) audit(all(read))
              setr raclist(@LINUX) refresh

       Resources always match the single profile with the best match.

       There are many other ways to define logging in RACF. Please refer to the server  documentation  for  more
       details.

Name

       audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin

Options

       config-file
              Use an alternate configuration file instead of /etc/audit/zos-remote.conf.

See Also

auditd(8), zos-remote.conf(5).

Signals

audispd-zos-remote reacts to SIGTERM and SIGHUP signals (according to the auditd(8) specification):

       SIGHUP Instructs the audispd-zos-remote plugin to re-read it's configuration and flush  existing  network
              connections.

       SIGTERM
              Performs  a  clean exit.  audispd-zos-remote will wait up to 10 seconds if there are queued events
              to be delivered, dropping any remaining queued events after that time.

Smf Mapping

       The  ITDS  Remote  Audit  service  will  cut  SMF  records of type 83 subtype 4 every time it processes a
       request. This plugin will issue a remote audit request for every incoming  Linux  Audit  record  (meaning
       that one Linux record will map to one SMF record), and fill this type's records with the following:

   LinkValue
       The  Linux  event serial number, encoded in network-byte order hexadecimal representation. Records within
       the same Event share the same Link Value.

   Violation
       Always zero (0) - FalseEventCode
       Always two (2) - Authorization event

   EventQualifier
       Zero (0) - Success, if the event reported success=yes or res=success, Three (3)  -  Fail,  if  the  event
       reported success=no or res=failed, or One (1) - Info otherwise.

   Class
       Always @LINUXResource
       The Linux record type for the processed record. e.g.: SYSCALL,AVC,PATH,CWD etc.

   LogString
       Textual  message  bringing  the RACF user ID used to perform the request, plus the Linux hostname and the
       record type for the first record in the processed event. e.g.: RemoteauditrequestfromRACFUSER.Linux(hostname.localdomain):USER_AUTHDataFieldList
       Also known as relocates, this list will bring all the field names and values in a fieldname=value format,
       as a type 114 (ApplicationspecificData) relocate. The plug-in will try to interpret those fields (i.e.:
       use  human-readable  username root instead of numeric userid 0) whenever possible. Currently, this plugin
       will also add a relocate type 113 (DateAndTimeSecurityEventOccurred) with the Event Timestamp in the
       format as returned by ctime(3).

Synopsis

audispd-zos-remote[config-file]

See Also