System Management Facilities (SMF) collect data for auditing. sshd2 writes SMF records for failed login attempts. The sft-server-g3 subsystem writes SMF records for the following events:
Download a file (retrieve)
Upload a file (store)
Append data to a file
Rename a file
Delete a file
The scpg3 and sftpg3 clients write SMF records for the following events:
Download to local file (store)
Upload local file (retrieve)
The SMF record type for the sshd2 server and the sft-server-g3 subsystem can be defined with the SftpSmfType option in the server's configuration (/opt/tectia/etc/sshd2_config):
SftpSmfType TYPE119
For scpg3 and sftpg3 clients, the SMF record type can be defined in the SSH_SFTP_SMF_TYPE environment variable. The following SMF record types are available:
TYPE119
Note that it is also possible to route syslog daemon messages to be stored in SMF record type 109. For details, see the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07, chapter "Syslog daemon".
The caller of the SMF service must be permitted to the BPX.SMF facility class profile:
The SSHD2 user must be permitted to the BPX.SMF facility class profile so that sshd2 can create SMF records for users logging in and out.
Each user that can transfer files must be permitted to the BPX.SMF facility class profile so that sft-server-g3, scpg3, and sftpg3 can create SMF records for file transfers.
Give these commands to set up the permissions:
RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(SSHD2) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH
All SMF records produced by sshd2, sft-server-g3, scpg3, and sftpg3 are based on the SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.
New values are used for SMF119FT_FSLoginMech in the FTP server security section and for SMF119FT_FFLoginMech in the FTP server login failure security section:
K (0xD2) - public-key authentication
H (0xC8) - host-based authentication.
In the common TCP/IP identification section, new TCP/IP subcomponent values are used to distinguish the SFTP server and client from the FTP server and client. Value SSHS is used in sshd2, SFTPS is used in sft-server-g3, and SFTPC is used in the file transfer clients scpg3 and sftpg3.
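The following is an added example, not code from the product or from the original page. It shows how an audit script could use the subtypes, subcomponent values and login mechanism codes listed above to pick out Tectia-written records and count sshd2 login failures per user. It assumes the fields have already been cut out of the raw type 119 record (the page gives no offsets), that text fields are EBCDIC and blank-padded to 8 bytes, and the dict keys and function names are hypothetical.

```python
from collections import Counter

EBCDIC = "cp037"  # assumption: text fields are EBCDIC (A-Z and blank match cp1047)

SUBTYPES = {3: "FTP client transfer completion",
            70: "FTP server transfer completion",
            72: "FTP server logon failure"}
PROGRAMS = {"SSHS": "sshd2", "SFTPS": "sft-server-g3", "SFTPC": "scpg3/sftpg3"}
LOGIN_MECH = {"K": "public-key", "H": "host-based"}  # the two new values on this page

def ebcdic_text(raw):
    """Decode a fixed-width EBCDIC field and drop blank/NUL padding."""
    return raw.decode(EBCDIC).strip(" \x00")

def classify(rec):
    """Return a readable view of one record, or None if Tectia did not write it.
    rec is a hypothetical dict of fields already extracted from the raw record:
    subtype (int), comp (bytes), and optionally mech (1 byte) and user (bytes)."""
    comp = ebcdic_text(rec["comp"])
    if comp not in PROGRAMS or rec["subtype"] not in SUBTYPES:
        return None
    out = {"program": PROGRAMS[comp], "event": SUBTYPES[rec["subtype"]]}
    if rec.get("mech"):
        code = ebcdic_text(rec["mech"])
        out["login_mech"] = LOGIN_MECH.get(code, "other (%s)" % code)
    if rec.get("user"):
        out["user"] = ebcdic_text(rec["user"])
    return out

def failed_logins(records):
    """Count subtype 72 records written by sshd2 (SSHS), per user ID."""
    counts = Counter()
    for rec in records:
        view = classify(rec)
        if view and rec["subtype"] == 72 and view["program"] == "sshd2":
            counts[view.get("user", "?")] += 1
    return counts

def pad8(text):
    """Build a blank-padded EBCDIC field (the 8-byte width is an assumption)."""
    return text.ljust(8).encode(EBCDIC)

# Constructed sample records (not real SMF data).
SAMPLE = [
    {"subtype": 72, "comp": pad8("SSHS"), "mech": b"\xd2", "user": pad8("USER1")},
    {"subtype": 72, "comp": pad8("SSHS"), "mech": b"\xc8", "user": pad8("USER1")},
    {"subtype": 70, "comp": pad8("SFTPS"), "mech": b"\xd2", "user": pad8("USER2")},
    {"subtype": 72, "comp": pad8("OTHER"), "user": pad8("USER3")},  # not Tectia
]
```

Login mechanism codes other than K and H are reported as "other"; their meanings are defined in the IBM reference, not on this page.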