Your browser does not allow storing cookies. We recommend enabling them.


SMF Auditing

System Management Facilities (SMF) collect data for auditing. sshd2 writes SMF records for failed login attempts. The sft-server-g3 subsystem writes SMF records for the following events:

  • Download a file (retrieve)

  • Upload a file (store)

  • Append data to a file

  • Rename a file

  • Delete a file

scpg3 and sftpg3 clients write SMF records for the following events:

  • Download to local file (store)

  • Upload local file (retrieve)

The SMF record type for the sshd2 server and the sft-server-g3 subsystem can be defined with the SftpSmfType option in the server configuration (/opt/tectia/etc/sshd2_config):

SftpSmfType    TYPE119

For the scpg3 and sftpg3 clients the SMF record type can be defined in the SSH_SFTP_SMF_TYPE environment variable. The only available SMF record type is TYPE119.

Note that it is also possible to route syslog daemon messages to be stored in SMF record type 109. For details, see the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776- 07, chapter "Syslog daemon".


If you intend to use OpenSSH SCP with Tectia Server for IBM z/OS, note that the default OpenSSH configuration on z/OS does not produce SMF records. SMF recording must be configured separately for OpenSSH when the OpenSSH SCP events need to be captured.

Required Permissions for SMF Records

The caller of the SMF service must be permitted to the BPX.SMF facility class profile:

  • The SSHD2 user must be permitted to the BPX.SMF facility class profile so that sshd2 can create SMF records for users logging in and out.

  • Each user that can transfer files must be permitted to the BPX.SMF facility class profile so that sft-server-g3, scpg3, and sftpg3 can create SMF records for file transfers.

Give the following commands to set up the permissions:


Changes in SMF TYPE119 Messages

All SMF records produced by sshd2, sft-server-g3, scpg3, and sftpg3 are based on SMF type 119 record format described in the IBM document z/OS V1R6.0 CS: IP Configuration Reference, SC31-8776-07. Only subtypes 70 (FTP server transfer completion record), 72 (FTP server logon failure record), and 3 (FTP client transfer completion record) are used.

New values are used for SMF119FT_FSLoginMech in the FTP server security section and for SMF119FT_FFLoginMech in the FTP server login failure security section:

  • K (0xD2) - public-key authentication

  • H (0xC8) - host-based authentication.

In common TCP/IP identification section, new TCP/IP subcomponent values are used to distinguish the SFTP server and client from the FTP server and client. Value SSHS is used in sshd2, SFTPS is used in sft-server-g3, and SFTPC is used in file transfer clients scpg3 and sftpg3.


Highlights from the SSH.COM blog:

  • Cryptomining with the SSH protocol: what big enterprises need to know about it

    Cryptomining malware is primarily thought of as targeting desktops and laptops and is used to hijack system resources to mine cryptocurrency.
    Read more
  • SLAM the door shut on traditional privileged access management

    Did you know that something as trivial-sounding as granting access for your developers or third parties to a product development environment can throw a gorilla-sized monkey wrench into your operations and productivity?
    Read more
  • We broke the IT security perimeter

    Everyone understands the concept of a security perimeter. You only gain access if you are identified and authorized to do so.
    Read more