[z/OS]

Configuring the SMF audit service providers for security auditing

The audit service provider is used to format the audit data object that was sent by the audit event factory. For z/OS® systems you can choose to use the SMF emitter implementation to output audit records to the Service Management Framework (SMF) as SMF Type 83 Subtype 5 Relocates.

Before you begin

Before configuring the audit service provider, enable global security in your environment. SMF recording must be enabled at the operating system level before configuring the SMF audit service provider to be used. If SMF recording is off and a SMF audit service provider implementation is used, then audit records are not logged to SMF and no warning is presented to alert you that the records are not being recorded.

About this task

This task configures the audit service provider used to record generated audit records.

Procedure

  1. Click Security > Security Auditing > Audit service provider.
  2. Click New and then select SMF emitter.
  3. Enter the unique name that should be associated with this audit service provider in the Name field.
  4. Select the filters to be used by this audit service provider. The Selectable filter list consists of a list of the configured filters that have been configured and are currently enabled.
    1. Select the filters that should be audited from the Selectable filter list.
    2. Click Add >> to add the selected event type filters to the Enabled filter list.
  5. Click Apply.

Results

After completing these steps, your audit data will be sent to the specified repository in the format required by that repository when an audit event factory is associated with this audit service provider

What to do next

After creating an audit service provider, the audit service provider must be associated with an audit event factory that will provide the audit data objects to the audit service provider. Next you should configure an audit event factory.

Audit records emitted to SMF may be read using the SMF Unload utility. See the z/OS Internet Library for more information about the SMF Unload utility.

You can specify the com.ibm.audit.field.length.limit custom property to set the length at which variable-length audit data is truncated. For more information, see the documentation about the security custom properties.


指出主題類型的圖示 作業主題



時間戳記圖示 前次更新: July 9, 2016 11:17
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tsec_sa_config_asp_smf
檔名:tsec_sa_config_asp_smf.html