System Management Facilities (SMF) collect data for auditing. sshd2 writes SMF records for failed login attempts. The sft-server-g3 subsystem writes SMF records for the following events:
Download a file (retrieve)
Upload a file (store)
Append data to a file
Rename a file
Delete a file
The scpg3 and sftpg3 clients write SMF records for the following events:
Download to local file (store)
Upload local file (retrieve)
The SMF record type for the sshd2 server and the sft-server-g3 subsystem can be defined with the
SftpSmfType option in server's configuration (
For the scpg3 and sftpg3 clients the SMF record type can be defined in the
SSH_SFTP_SMF_TYPE environment variable. The only available SMF record type is
Note that it is also possible to route syslog daemon messages to be stored in SMF record type 109. For details, see the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776- 07, chapter "Syslog daemon".
If you intend to use OpenSSH SCP with Tectia Server for IBM z/OS, note that the default OpenSSH configuration on z/OS does not produce SMF records. SMF recording must be configured separately for OpenSSH when the OpenSSH SCP events need to be captured.
The caller of the SMF service must be permitted to the
BPX.SMF facility class profile:
SSHD2user must be permitted to the
BPX.SMFfacility class profile so that sshd2 can create SMF records for users logging in and out.
Each user that can transfer files must be permitted to the
BPX.SMFfacility class profile so that sft-server-g3, scpg3, and sftpg3 can create SMF records for file transfers.
Give the following commands to set up the permissions:
RDEFINE FACILITY BPX.SMF UACC(NONE) PERMIT BPX.SMF CLASS(FACILITY) ID(SSHD2) ACCESS(READ) SETROPTS RACLIST(FACILITY) REFRESH
All SMF records produced by sshd2, sft-server-g3, scpg3, and sftpg3 are based on SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.
New values are used for
SMF119FT_FSLoginMech in the FTP server security section and for
SMF119FT_FFLoginMech in the FTP server login failure security section:
K (0xD2)- public-key authentication
H (0xC8)- host-based authentication.
In common TCP/IP identification section, new TCP/IP subcomponent values are used to distinguish the SFTP server and client from the FTP server and client. Value
SSHS is used in sshd2,
SFTPS is used in sft-server-g3, and
SFTPC is used in file transfer clients scpg3 and sftpg3.