Tectia

SMF Auditing

System Management Facilities (SMF) collect data for auditing. sshd2 writes SMF records for failed login attempts. The sft-server-g3 subsystem writes SMF records for the following events:

  • Download a file (retrieve)

  • Upload a file (store)

  • Append data to a file

  • Rename a file

  • Delete a file

scpg3 and sftpg3 clients write SMF records for the following events:

  • Download to local file (store)

  • Upload local file (retrieve)

The SMF record type for the sshd2 server and the sft-server-g3 subsystem can be defined with the SftpSmfType option in server's configuration (/opt/tectia/etc/sshd2_config):

SftpSmfType    TYPE119

For scpg3 and sftpg3 clients the SMF record type can be defined in the SSH_SFTP_SMF_TYPE environment variable. The following SMF record types are available:

  • TYPE119

Note that it is also possible to route syslog daemon messages to be stored in SMF record type 109. For details, see the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776- 07, chapter "Syslog daemon".

Required Permissions for SMF Records

The caller of the SMF service must be permitted to the BPX.SMF facility class profile:

  • The SSHD2 user must be permitted to the BPX.SMF facility class profile so that sshd2 can create SMF records for users logging in and out.

  • Each user that can transfer files must be permitted to the BPX.SMF facility class profile so that sft-server-g3, scpg3, and sftpg3 can create SMF records for file transfers.

Give these commands to set up the permissions:

RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(SSHD2) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

Changes in SMF TYPE119 Messages

All SMF records produced by sshd2, sft-server-g3, scpg3, and sftpg3 are based on SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.

New values are used for SMF119FT_FSLoginMech in the FTP server security section and for SMF119FT_FFLoginMech in the FTP server login failure security section:

  • K (0xD2) - public-key authentication

  • H (0xC8) - host-based authentication.

In common TCP/IP identification section, new TCP/IP subcomponent values are used to distinguish the SFTP server and client from the FTP server and client. Value SSHS is used in sshd2, SFTPS is used in sft-server-g3, and SFTPC is used in file transfer clients scpg3 and sftpg3.