This topic applies only on the z/OS operating system.

Configuring the SMF audit service providers for security auditing

The audit service provider is used to format the audit data object that was sent by the audit event factory. For z/OS® systems you can choose to use the SMF emitter implementation to output audit records to the Service Management Framework (SMF) as SMF Type 83 Subtype 5 Relocates.

Before you begin

Before configuring the audit service provider, enable global security in your environment. SMF recording must also be enabled at the operating system level before you configure the SMF audit service provider. If SMF recording is off and an SMF audit service provider implementation is used, audit records are not logged to SMF, and no warning is presented to alert you that the records are not being recorded.
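Because the failure described above is silent, it is worth checking the SMF options before relying on the SMF emitter. The following is an added example, not IBM code: the function name `smf_recording_enabled` is hypothetical, and it assumes the options come from an SMFPRMxx parmlib member, that a missing TYPE/NOTYPE list means all types are recorded, and that SUBSYS overrides can be ignored.

```python
import re

def _group(text, open_idx):
    """Return the text inside the parenthesis that opens at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_idx + 1:i]
    raise ValueError("unbalanced parentheses in SMFPRMxx text")

def _covers(spec, number, subtype=None):
    """Does a list such as '0:18,83(1:6)' include number (and subtype)?"""
    for item in re.findall(r"[^,(]+(?:\([^)]*\))?", spec):
        if not item.strip():
            continue
        m = re.fullmatch(r"\s*(\d+)\s*(?::\s*(\d+))?\s*(?:\((.*)\))?\s*", item)
        if not m:
            raise ValueError("cannot parse list item %r" % item)
        low, high = int(m[1]), int(m[2] or m[1])
        if low <= number <= high:
            # A type listed without subtypes selects every subtype.
            return m[3] is None or subtype is None or _covers(m[3], subtype)
    return False

def smf_recording_enabled(parm_text, rtype=83, subtype=5):
    """True if the SYS options record rtype/subtype (SUBSYS is ignored)."""
    text = re.sub(r"/\*.*?\*/", " ", parm_text, flags=re.S).upper()
    if re.search(r"\bNOACTIVE\b", text):
        return False                      # SMF recording is off entirely
    sys_opt = re.search(r"\bSYS\s*\(", text)
    body = _group(text, sys_opt.end() - 1) if sys_opt else ""
    sel = re.search(r"\b(NO)?TYPE\s*\(", body)
    if not sel:
        return True                       # assumed default: all types recorded
    listed = _covers(_group(body, sel.end() - 1), rtype, subtype)
    return not listed if sel.group(1) else listed

# Constructed SMFPRMxx fragments (not taken from any real system).
SAMPLES = {
    "all types": "ACTIVE\nSYS(TYPE(0:255),INTERVAL(SMF,SYNC))",
    "83 excluded": "ACTIVE /* trimmed */\nSYS(NOTYPE(14:19,62:69,83),NODETAIL)",
    "subtype 5 missing": "ACTIVE\nSYS(TYPE(30,80:81,83(1:4)))",
    "recording off": "NOACTIVE\nSYS(TYPE(0:255))",
}
if __name__ == "__main__":
    for name, text in SAMPLES.items():
        ok = smf_recording_enabled(text)
        print("%-18s type 83 subtype 5 %s" % (name, "recorded" if ok else "NOT recorded"))
```
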

About this task

This task configures the audit service provider used to record generated audit records.

Procedure

  1. Click Security > Security Auditing > Audit service provider.
  2. Click New and then select SMF emitter.
  3. Enter the unique name that should be associated with this audit service provider in the Name field.
  4. Select the filters to be used by this audit service provider. The Selectable filter list consists of the filters that have been configured and are currently enabled.
    1. Select the filters that should be audited from the Selectable filter list.
    2. Click Add >> to add the selected event type filters to the Enabled filter list.
  5. Click Apply.

Results

After completing these steps, your audit data will be sent to the specified repository in the format required by that repository when an audit event factory is associated with this audit service provider.

What to do next

After creating an audit service provider, the audit service provider must be associated with an audit event factory that will provide the audit data objects to the audit service provider. Next you should configure an audit event factory.

Audit records emitted to SMF may be read using the SMF Unload utility. See the z/OS Internet Library for more information about the SMF Unload utility.

[Fix Pack 13 or later] You can specify the com.ibm.audit.field.length.limit custom property to set the length at which variable-length audit data is truncated. For more information, see the documentation about the security custom properties.





Last updated: Oct 21, 2010 10:04:34 PM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=tsec_sa_config_asp_smf
File name: tsec_sa_config_asp_smf.html