SMF Auditing
System Management Facilities (SMF) collect data for auditing.
sshd2
collects SMF records for failed login attempts. The
sft-server-g3
subsystem collects SMF records for the following
events:
- Download a file (retrieve)
- Upload a file (store)
- Append data to a file
- Rename a file
- Delete a file
scp2
and sftp2
clients collect SMF records for the
following events:
- Download to local file (store)
- Upload local file (retrieve)
The SMF record type for the sshd2
server and the
sft-server-g3
subsystem can be defined with the
SftpSmfType
option in server's configuration
(/etc/ssh2/sshd2_config
):
For scp2
and sftp2
clients the SMF record type can be
defined in the SSH_SFTP_SMF_TYPE
environment variable. The
following SMF record types are available:
Note that it is also possible to route syslog daemon messages to be stored
in SMF record type 109. For details, see the IBM document z/OS V1R6.0
CS: IP Configuration Reference, SC31-8776-07, chapter "Syslog daemon".
Required Permissions for SMF Records
The caller of the SMF service must be permitted to the BPX.SMF
facility class profile:
- The
SSHD2
user must be permitted to the BPX.SMF
facility class profile so that sshd2
can create SMF records for users
logging in and out.
- Each user that can transfer files must be permitted to the
BPX.SMF
facility class profile so that sft-server-g3
,
scp2
, and sftp2
can create SMF records for file
transfers.
Give these commands to set up the permissions:
RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(SSHD2) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
Changes in SMF TYPE119 Messages
All SMF records produced by sshd2
, sft-server-g3
,
scp2
, and sftp2
are based on SMF type 119 record
format described in the IBM document z/OS V1R6.0 CS: IP Configuration
Reference, SC31-8776-07.
Only subtypes 70 (FTP server transfer completion record), 72 (FTP server
logon failure record), and 3 (FTP client transfer completion record) are
used.
New values are used for SMF119FT_FSLoginMech
in the FTP server
security section and for SMF119FT_FFLoginMech
in the FTP server
login failure security section:
-
K (0xD2)
- public-key authentication
-
H (0xC8)
- host-based authentication.
In common TCP/IP identification section, new TCP/IP subcomponent
values are used to distinguish the SFTP server and client from the FTP server
and client. Value SSHS
is used in sshd2
,
SFTPS
is used in sft-server-g3
, and SFTPC
is
used in file transfer clients scp2
and sftp2
.