audispd-zos-remote(8) — Linux manual page


AUDISPD...-REMOTE(8) System Administration UtilitiesAUDISPD...-REMOTE(8)

NAME         top

       audispd-zos-remote - z/OS Remote-services Audit dispatcher plugin

SYNOPSIS         top

       audispd-zos-remote [ config-file ]

DESCRIPTION         top

       audispd-zos-remote is a remote-auditing plugin for the Audit
       subsystem. It should be started by the auditd(8) daemon and will
       forward all incoming audit events, as they happen, to a
       configured z/OS SMF (Service Management Facility) database,
       through an IBM Tivoli Directory Server (ITDS) set for Remote
       Audit service.  See SMF MAPPING section below for more
       information about the resulting SMF record format.

       auditd(8) must be configured to start the plugin. This is done by
       a configuration file usually located at
       /etc/audit/plugins.d/audispd-zos-remote.conf, but multiple
       instances can be spawned by having multiple configuration files
       in /etc/audit/plugins.d for the same plugin executable (see

       Each instance needs a configuration file, located by default at
       /etc/audit/zos-remote.conf.  Check zos-remote.conf(5) for details
       about the plugin configuration.

OPTIONS         top

              Use an alternate configuration file instead of

SIGNALS         top

       audispd-zos-remote reacts to SIGTERM and SIGHUP signals
       (according to the auditd(8) specification):

       SIGHUP Instructs the audispd-zos-remote plugin to re-read it's
              configuration and flush existing network connections.

              Performs a clean exit.  audispd-zos-remote will wait up to
              10 seconds if there are queued events to be delivered,
              dropping any remaining queued events after that time.

IBM z/OS ITDS Server and RACF configuration         top

       In order to use this plugin, you must have an IBM z/OS v1R8 (or
       higher) server with IBM Tivoli Directory Server (ITDS) configured
       for Remote Audit service. For more detailed information about how
       to configure the z/OS server for Remote Auditing, refer to z/OS
       V1R8.0-9.0 Integrated Security Services Enterprise Identity
       Mapping (EIM) Guide and Reference
       ( ),
       chapter "2.0 - Working with remote services".

   Enable ITDS to process Remote Audit requests
       To enable ITSD to process Remote Audit requests, the user ID
       associated with ITDS must be granted READ access to the
       IRR.AUDITX FACILITY Class profile (the profile used to protect
       the R_Auditx service). This user ID can usually be found in the
       STARTED Class profile for the ITDS started procedure. If the
       identity associated with ITDS is ITDSUSER, the administrator can
       configure RACF to grant Remote Auditing processing to ITDS with
       the following TSO commands:

       TSO Commands: Grant ITDSUSER READ access to IRR.AUDITX FACILITY
       Class profile
              rdefine FACILITY IRR.RAUDITX uacc(none)
              permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)

   Create/enable RACF user ID to perform Remote Audit requests
       A z/OS RACF user ID is needed by the plugin - Every Audit request
       performed by the plugin will use a RACF user ID, as configured in
       the plugin configuration zos-remote.conf(5).  This user ID needs
       READ access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT. If
       the user ID is BINDUSER, the administrator can configure RACF to
       enable this user to perform Remote Auditing requests with the
       following TSO commands:

       TSO Commands: Enable BINDUSER to perform Remote Audit requests
              rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
              permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)

   Add @LINUX Class to RACF
       When performing remote auditing requests, the audispd-zos-remote
       plugin will use the special @LINUX CDT Class and the audit record
       type (eg.: SYSCALL, AVC, PATH...)  as the CDT Resource Class for
       all events processed.  To make sure events are logged, the RACF
       server must be configured with a Dynamic CDT Class named @LINUX
       with correct sizes and attributes. The following TSO commands can
       be used to add this class:

       TSO Commands: Add @LINUX CDT Class
              rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
              setr classact(cdt)
              setr raclist(cdt)
              setr raclist(cdt) refresh
              setr classact(@LINUX)
              setr raclist(@LINUX)
              setr generic(@LINUX)

   Add profiles to the @LINUX Class
       Once the CDT Class has been defined, you can add profiles to it,
       specifying resources (wildcards allowed) to log or ignore. The
       following are examples:

       TSO Commands: Log only AVC records (One generic and one discrete
              rdefine @LINUX * uacc(none) audit(none(read))
              rdefine @LINUX AVC uacc(none) audit(all(read))
              setr raclist(@LINUX) refresh

       TSO Commands: Log everything (One generic profile):
              rdefine @LINUX * uacc(none) audit(all(read))
              setr raclist(@LINUX) refresh

       Resources always match the single profile with the best match.

       There are many other ways to define logging in RACF. Please refer
       to the server documentation for more details.

SMF Mapping         top

       The ITDS Remote Audit service will cut SMF records of type 83
       subtype 4 every time it processes a request. This plugin will
       issue a remote audit request for every incoming Linux Audit
       record (meaning that one Linux record will map to one SMF
       record), and fill this type's records with the following:

   Link Value
       The Linux event serial number, encoded in network-byte order
       hexadecimal representation. Records within the same Event share
       the same Link Value.

       Always zero (0) - False

   Event Code
       Always two (2) - Authorization event

   Event Qualifier
       Zero (0) - Success, if the event reported success=yes or
       res=success, Three (3) - Fail, if the event reported success=no
       or res=failed, or One (1) - Info otherwise.

       Always @LINUX

       The Linux record type for the processed record. e.g.:

   Log String
       Textual message bringing the RACF user ID used to perform the
       request, plus the Linux hostname and the record type for the
       first record in the processed event. e.g.: Remote audit request
       from RACFUSER. Linux (hostname.localdomain):USER_AUTH

   Data Field List
       Also known as relocates, this list will bring all the field names
       and values in a fieldname=value format, as a type 114
       (Application specific Data) relocate. The plug-in will try to
       interpret those fields (i.e.: use human-readable username root
       instead of numeric userid 0) whenever possible. Currently, this
       plugin will also add a relocate type 113 (Date And Time Security
       Event Occurred) with the Event Timestamp in the format as
       returned by ctime(3).

ERRORS         top

       Errors and warnings are reported to syslog (under DAEMON
       facility). In situations where the event was submitted but the
       z/OS server returned an error condition, the logged message
       brings a name followed by a human-readable description. Below are
       some common errors conditions:

       NOTREQ - No logging required
              Resource (audit record type) is not set to be logged in
              the RACF server - The @LINUX Class profile governing this
              audit record type is set to ignore. See IBM z/OS RACF
              Server configuration

       UNDETERMINED - Undetermined result
              No profile found for specified resource. There is no
              @LINUX Class configured or no @LINUX Class profile
              associated with this audit record type. See IBM z/OS RACF
              Server configuration

       UNAUTHORIZED - The user does not have authority the R_auditx
              The user ID associated with the ITDS doesn't have READ
              access to the IRR.AUDITX FACILITY Class profile. See IBM
              z/OS RACF Server configuration

       UNSUF_AUTH - The user has insufficient authority for the
       requested function
              The RACF user ID used to perform Remote Audit requests (as
              configured in zos-remote.conf(5)) don't have access to the
              IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See IBM z/OS
              RACF Server configuration

BUGS         top

       The plugin currently does remote auditing in a best-effort basis,
       and will discard events in case the z/OS server cannot be
       contacted (network failures) or in any other case that event
       submission fails.

FILES         top


SEE ALSO         top

       auditd(8), zos-remote.conf(5).

AUTHOR         top

       Klaus Heinrich Kiwi <>

COLOPHON         top

       This page is part of the audit (Linux Audit) project.
       Information about the project can be found at 
       ⟨⟩.  If you have a bug
       report for this manual page, send it to
       This page was obtained from the project's upstream Git repository
       ⟨⟩ on
       2023-12-22.  (At that time, the date of the most recent commit
       that was found in the repository was 2023-11-30.)  If you
       discover any rendering problems in this HTML version of the page,
       or you believe there is a better or more up-to-date source for
       the page, or you have corrections or improvements to the
       information in this COLOPHON (which is not part of the original
       manual page), send a mail to

IBM                             Oct 2007            AUDISPD...-REMOTE(8)

Pages that refer to this page: zos-remote.conf(5)