SSH Tectia  
SMF Auditing

System Management Facilities (SMF) collects data for auditing. sshd2 writes SMF records for failed login attempts. The sft-server-g3 subsystem writes SMF records for the following events:

  • Download a file (retrieve)
  • Upload a file (store)
  • Append data to a file
  • Rename a file
  • Delete a file

The scp2 and sftp2 clients write SMF records for the following events:

  • Download to local file (store)
  • Upload local file (retrieve)

The SMF record type for the sshd2 server and the sft-server-g3 subsystem is defined with the SftpSmfType option in the server's configuration file (/etc/ssh2/sshd2_config):

SftpSmfType    TYPE119

For the scp2 and sftp2 clients the SMF record type is defined in the SSH_SFTP_SMF_TYPE environment variable. Only one SMF record type is currently available:

  • TYPE119

Note that syslog daemon messages can also be routed to SMF and stored as record type 109. For details, see the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07, chapter "Syslog daemon".

Required Permissions for SMF Records

The caller of the SMF service must be permitted to the BPX.SMF facility class profile:

  • The SSHD2 user must be permitted to the BPX.SMF facility class profile so that sshd2 can create SMF records for users logging in and out.
  • Each user that can transfer files must be permitted to the BPX.SMF facility class profile so that sft-server-g3, scp2, and sftp2 can create SMF records for file transfers.

The following RACF commands define the profile and permit the SSHD2 user. Repeat the PERMIT command with ID() naming each file-transfer user, or a RACF group that contains them, so that sft-server-g3, scp2, and sftp2 can write their records as well; a user without READ access to BPX.SMF produces no SMF record for the transfer:

RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(SSHD2) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

Changes in SMF TYPE119 Messages

All SMF records produced by sshd2, sft-server-g3, scp2, and sftp2 are based on SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.

New values are used for SMF119FT_FSLoginMech in the FTP server security section and for SMF119FT_FFLoginMech in the FTP server login failure security section. The field holds a single EBCDIC character:

  • K (0xD2) - public-key authentication
  • H (0xC8) - host-based authentication

In the common TCP/IP identification section, new TCP/IP subcomponent values distinguish the SSH Tectia server and clients from the FTP server and client. The value SSHS is used by sshd2, SFTPS by sft-server-g3, and SFTPC by the file transfer clients scp2 and sftp2.
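As an added example, not part of the SSH Tectia documentation or product code, the Python below shows how a collection job on the receiving side can pick the SSH Tectia records out of an SMF type 119 stream. It parses the common header and the TCP/IP identification section, keys on the subcomponent values (SSHS, SFTPS, SFTPC) and the subtypes (70, 72, 3) listed above, and decodes the login-mechanism codes as EBCDIC. The field offsets are an assumption of this example, taken from the IBM description of the SMF 119 header (26-byte header, then 8-byte offset/length/count triplets counted from the start of the record) and of the identification section (8-byte EBCDIC fields SysName, SysplexName, Stack, ReleaseID, Comp, ASName, UserID, then a 2-byte ASID and a 1-byte reason code); verify them against the IP Configuration Reference for your release before relying on them. The sample records are constructed inside the block, not captured from a system.

```python
import datetime
import struct

EBCDIC = "cp037"  # z/OS code page for the character fields

# Values the documentation gives for the records SSH Tectia writes
SUBTYPES = {
    70: "FTP server transfer completion",
    72: "FTP server logon failure",
    3: "FTP client transfer completion",
}
TECTIA_COMPONENTS = {"SSHS": "sshd2", "SFTPS": "sft-server-g3", "SFTPC": "scp2/sftp2"}
LOGIN_MECH = {0xD2: "public-key", 0xC8: "host-based"}  # EBCDIC 'K' and 'H'


def ebcdic_field(text, width=8):
    """Fixed-width EBCDIC field padded with EBCDIC spaces (0x40)."""
    return text.ljust(width)[:width].encode(EBCDIC)


def pack_smf_date(day):
    """SMF dates are packed decimal 0cyydddF; c is 1 for years 2000 and later."""
    century = 1 if day.year >= 2000 else 0
    return bytes.fromhex(f"0{century}{day.year % 100:02d}{day.timetuple().tm_yday:03d}F")


def unpack_smf_date(raw):
    digits = raw.hex().upper()
    if len(digits) != 8 or digits[0] != "0" or digits[-1] != "F":
        raise ValueError(f"malformed packed SMF date {digits}")
    year = 1900 + 100 * int(digits[1]) + int(digits[2:4])
    return datetime.date(year, 1, 1) + datetime.timedelta(days=int(digits[4:7]) - 1)


def build_record(subtype, component, userid, asname, when):
    """Constructed SMF 119 record: header, one triplet, TCP/IP identification section.
    Offsets follow the layout assumption stated in the lead-in, not a captured record."""
    ti = b"".join(ebcdic_field(f) for f in
                  ("SYSA", "PLEX1", "TCPIP", "V1R6", component, asname, userid))
    ti += struct.pack(">HB", 0x0045, 0) + bytes(5)       # ASID, reason code, reserved
    ti_offset = 26 + 8                                     # header plus one 8-byte triplet
    hundredths = (when.hour * 3600 + when.minute * 60 + when.second) * 100
    header = struct.pack(">HHBBI", ti_offset + len(ti), 0, 0x00, 119, hundredths)
    header += pack_smf_date(when.date()) + ebcdic_field("SYSA", 4) + ebcdic_field("TCP", 4)
    header += struct.pack(">HH", subtype, 1)               # subtype, number of triplets
    header += struct.pack(">IHH", ti_offset, len(ti), 1)   # triplet: offset, length, count
    return header + ti


def parse_record(rec):
    """Decode the header and TCP/IP identification section of one SMF 119 record."""
    if len(rec) < 26:
        raise ValueError("record shorter than the SMF 119 header")
    length, _segdesc, _flags, rectype, hundredths = struct.unpack(">HHBBI", rec[:10])
    if rectype != 119:
        raise ValueError(f"not an SMF 119 record (type {rectype})")
    if length != len(rec):
        raise ValueError("RDW length does not match the record")
    subtype, ntriplets = struct.unpack(">HH", rec[22:26])
    triplets = [struct.unpack(">IHH", rec[26 + 8 * i:34 + 8 * i]) for i in range(ntriplets)]
    off, size, _count = triplets[0]                        # first triplet: identification section
    ti = rec[off:off + size]
    if len(ti) < 59:
        raise ValueError("truncated TCP/IP identification section")
    names = [ti[i * 8:(i + 1) * 8].decode(EBCDIC).strip() for i in range(7)]
    component = names[4]
    midnight = datetime.datetime.combine(unpack_smf_date(rec[10:14]), datetime.time())
    return {
        "timestamp": midnight + datetime.timedelta(milliseconds=hundredths * 10),
        "system": rec[14:18].decode(EBCDIC).strip(),
        "subtype": subtype,
        "subtype_name": SUBTYPES.get(subtype, "unknown"),
        "stack": names[2],
        "component": component,
        "asname": names[5],
        "userid": names[6],
        "asid": struct.unpack(">H", ti[56:58])[0],
        # None for records written by the native FTP server or client (FTPS/FTPC)
        "tectia_producer": TECTIA_COMPONENTS.get(component),
    }


def decode_login_mech(value):
    """Name an SMF119FT_FSLoginMech / SMF119FT_FFLoginMech byte; others shown as EBCDIC text."""
    return LOGIN_MECH.get(value, "other: %r" % bytes([value]).decode(EBCDIC))


def tectia_login_failures(records):
    """Detection rule: sshd2 logon-failure records (subtype 72 with subcomponent SSHS)."""
    return [r for r in map(parse_record, records)
            if r["component"] == "SSHS" and r["subtype"] == 72]


# Constructed sample: two sshd2 failures, one SFTP transfer, one native FTP server record
SAMPLE_RECORDS = [
    build_record(72, "SSHS", "MALLORY", "SSHD2", datetime.datetime(2007, 2, 14, 9, 30, 5)),
    build_record(72, "SSHS", "MALLORY", "SSHD2", datetime.datetime(2007, 2, 14, 9, 30, 7)),
    build_record(70, "SFTPS", "ALICE", "SSHD2", datetime.datetime(2007, 2, 14, 9, 31, 0)),
    build_record(70, "FTPS", "BOB", "FTPD1", datetime.datetime(2007, 2, 14, 9, 32, 0)),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        p = parse_record(rec)
        print(p["timestamp"], p["component"], p["subtype_name"], p["userid"], p["tectia_producer"])
    print("sshd2 login failures:", len(tectia_login_failures(SAMPLE_RECORDS)))
    print("login mechanism 0xD2 =", decode_login_mech(0xD2))
```

The subcomponent field is the reliable discriminator: SSH Tectia reuses the FTP subtypes, so filtering on subtype alone mixes sshd2 and sft-server-g3 records with those of the native FTP server.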

Copyright © 2007 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.