SMF Auditing

System Management Facilities (SMF) collect data for auditing. sshd2 writes SMF records for failed login attempts. The sft-server-g3 subsystem writes SMF records for the following events:

Download a file (retrieve)
Upload a file (store)
Append data to a file
Rename a file
Delete a file

scpg3 and sftpg3 clients write SMF records for the following events:

Download to local file (store)
Upload local file (retrieve)

The SMF record type for the sshd2 server and the sft-server-g3 subsystem can be defined with the SftpSmfType option in the server configuration (/opt/tectia/etc/sshd2_config):

SftpSmfType    TYPE119

For the scpg3 and sftpg3 clients the SMF record type can be defined in the SSH_SFTP_SMF_TYPE environment variable. The only available SMF record type is TYPE119.

Note that it is also possible to route syslog daemon messages to be stored in SMF record type 109. For details, see the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776- 07, chapter "Syslog daemon".

	Note
	If you intend to use OpenSSH SCP with Tectia Server for IBM z/OS, note that the default OpenSSH configuration on z/OS does not produce SMF records. SMF recording must be configured separately for OpenSSH when the OpenSSH SCP events need to be captured.

Required Permissions for SMF Records

The caller of the SMF service must be permitted to the BPX.SMF facility class profile:

The SSHD2 user must be permitted to the BPX.SMF facility class profile so that sshd2 can create SMF records for users logging in and out.
Each user that can transfer files must be permitted to the BPX.SMF facility class profile so that sft-server-g3, scpg3, and sftpg3 can create SMF records for file transfers.

Give the following commands to set up the permissions:

RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(SSHD2) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

Changes in SMF TYPE119 Messages

All SMF records produced by sshd2, sft-server-g3, scpg3, and sftpg3 are based on SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.

New values are used for SMF119FT_FSLoginMech in the FTP server security section and for SMF119FT_FFLoginMech in the FTP server login failure security section:

K (0xD2) - public-key authentication
H (0xC8) - host-based authentication.

In common TCP/IP identification section, new TCP/IP subcomponent values are used to distinguish the SFTP server and client from the FTP server and client. Value SSHS is used in sshd2, SFTPS is used in sft-server-g3, and SFTPC is used in file transfer clients scpg3 and sftpg3.