Go to Home Page
Questions?
Call 1-800-572-5517
 
  Go to Home Page  
  See all products
  See price schedules
  See manuals, tutorials, articles
  Download a free 30-day trial
  See user testimonials
  About Pacific Systems Group
 
 
SMF Tools
  See SMF Record Layouts
  See Sample SMF Reports
  Learn How to Export SMF Data
  Download Free SMF Reporting Software (30 days)
 
One of the greatest SMF record parsing programming languages I've ever seen. Chief, Large Systems Services Branch, NIH
  Choose Spectrum Writer to add 4GL to your product
  Free 60-Page Book (PDF) - How to Make an SMF Report
Spectrum DCOLLECT Reporter - the 4GL DCOLLECT Report Writer.

Spectrum SMF Writer - the 4GL SMF Report Writer.

SMF Type 80 Record

This table shows the record layout for type 80 SMF records
(Security Product (RACF) Processing - z/OS 1.10).

List of other SMF record layouts available.
List of sample SMF reports.

Purpose: RACF writes record type 80 for the following detected events:

• Unauthorized attempts to enter the system. For example, during RACF processing of a RACROUTE REQUEST=VERIFY macro instruction, RACF found that a RACF-defined user either (1) has supplied an invalid password, OIDCARD, or group name, (2) is not authorized access to the terminal, or (3) had insufficient security label authority.
RACF always writes this violation record when it detects the unauthorized attempt; this violation record supplements the information that RACF sends to the security console in RACF message ICH408I.

• Authorized attempts to enter the system. RACF provides a RACROUTE REQUEST=VERIFY option to log successful signons and signoffs as well as ENVIR=CREATE or ENVIR=DELETE signons and signoffs. For the LOG keyword on the RACROUTE REQUEST=VERIFY macros, LOG=ALL or LOG=ASIS may be specified to control the generation of log records for RACROUTE REQUEST=VERIFY. The value of the LOG keyword is passed to both the RACROUTE REQUEST=VERIFY preprocessing and postprocessing installation exits. Both exits are invoked prior to the generation of a log record, and the LOG keyword value can be changed for both exits.

• Authorized accesses or unauthorized attempts to access RACF-protected resources. During RACF processing of a RACROUTE REQUEST=AUTH or REQUEST=DEFINE macro instruction, RACF found that one of the following events occurred:

1. The user was permitted access to a RACF-protected resource and allowed to perform the requested operation.

2. The user did not have sufficient access or group authority to access a RACF-protected resource, or supplied invalid data while attempting to perform an operation on a RACF-protected resource.

In the first case, RACF writes the record if the ALL or SUCCESS logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, or RDEFINE command and the access type is within the scope of the valid access types. RACF also writes the record if logging has been unconditionally requested by a RACROUTE REQUEST=AUTH postprocessing exit routine.

In the second case, RACF writes the violation record if the ALL or FAILURES logging option is set in the resource profile by the ADDSD, ALTDSD, RALTER, or RDEFINE command, or if logging is unconditionally requested by a RACROUTE REQUEST=AUTH postprocessing exit routine. The violation record supplements the information that RACF sends to the security console in RACF message ICH408I.

Note that the FAILURES (READ) option is the default in cases where new resources are RACF-protected.

For the preceding events, a RACROUTE REQUEST=AUTH exit routine can modify the logging options by changing the LOG parameter on a RACROUTE REQUEST=AUTH macro instruction from ASIS to NOFAIL, NONE, or NOSTAT, or by unconditionally requesting or suppressing logging with the logging control field. For information on the LOG parameter of a RACROUTE REQUEST=AUTH macro instruction, see z/OS Security Server RACROUTE Macro Reference. For information on the logging options of the ADDSD, ALTDSD, ALTUSER, RALTER, RDEFINE, and SETROPTS commands, see z/OS Security Server RACF Command Language Reference.

• Authorized or unauthorized attempts to modify profiles on a RACF database. During RACF command processing, RACF found that a user with the AUDITOR attribute specified that the following be logged:

1. All detected changes to a RACF database by RACF commands or a RACROUTE REQUEST=DEFINE

2. All RACF commands (except LISTDSD, LISTGRP, LISTUSER, RLIST, and SEARCH) issued by users with the SPECIAL attribute

3. All violations detected by RACF commands (except LISTGRP, LISTUSER, RLIST, and SEARCH)

4. Every RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE issued for the user and all RACF commands (except LISTGRP, LISTUSER, RLIST and SEARCH) issued by the user

In the first three cases, RACF writes records if a user with the AUDITOR attribute specified AUDIT, SAUDIT, and CMDVIOL, respectively, on the SETROPTS command. In the fourth case, RACF writes the records if a user with the AUDITOR attribute specified UAUDIT on the ALTUSER command.

You can use SMF records to:

  • Track the total use of a sensitive resource (if the ALL option is set)
  • Identify the resources that are repeated targets of detected unauthorized attempts to access them (if the ALL or FAILURES option is set)
  • Identify the users who make detected unauthorized requests
  • Track SPECIAL user activity
  • Track activity of a particular userIn most cases, RACF writes one record for each event. (RACF can write two records for one operation on a resource — for example, when a RACF-protected DASD data set is deleted with scratch.)

SMF record 80 contains the following information:

  • The record type
  • Time stamp (time and date)
  • Processor identification
  • Event code and qualifier (explained in Table 1)
  • User identification
  • Group name
  • A count of the relocate sections
  • Authorities used to successfully execute commands or access resources
  • Reasons for logging
  • Command processing error flag
  • Foreground user terminal ID
  • Foreground user terminal level number
  • Job log number (job name, entry time, and date)
  • RACF version, release and modification number
  • Security label of user(The data in a relocate section is explained in “Table of relocate section variable data” on page 56 and “Table of data type 6 command-related data” on page 71.)

The log record RACF creates is a standard type 80 SMF record.

It's easy to report on SMF 80 data! (Jump to sample reports)

SMF Spectrum Writer
We have a low-cost 4GL report writer especially for SMF files. It's called Spectrum SMF Writer.

Spectrum SMF Writer handles the difficult SMF record parsing for you automatically. You just specify which fields you want to see.

Spectrum SMF Writer also converts the arcane date and time fields and reformats them into an attractive report.

Plus, Spectrum SMF Writer can export SMF data as comma delimited files to use on your PC.
 
Try It FREE Now!

SMF Type 80 Record -- Security Product (RACF) Processing - z/OS 1.10
Offset
(Dec.)
Offset
(Hex)
NameLengthFormatDescription
00SMF80LEN2binary
Record length. This field and the next field (total of four bytes) form the RDW (record descriptor word). See “Standard SMF Record Header” on page 13-1 for a detailed description.
22SMF80SEG2binary
Segment descriptor (see record length field).
44SMF80FLG1binary
System indicator: Bit Meaning When Set 0-2 Reserved 3-6 Version indicators* 7 Reserved.*See “Standard SMF Record Header” on page 13-1 for a detailed description.
55SMF80RTY1binary
Record type 80 (X'50').
66SMF80TME4binary
Time since midnight, in hundredths of a second, that the record was moved into the SMF buffer.
10ASMF80DTE4packed
Date when the record was moved into the SMF buffer, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description.
14ESMF80SID4EBCDIC
System identification (from the SID parameter).
1812SMF80DES2binary
Descriptor flags
Bit Meaning When Set
0 The event is a violation
1 User is not defined to RACF
2 Record contains a version indicator (see SMF80VER)
3 The event is a warning
4 Record contains a version, release, and modification level number (see SMF80VRM)
5-15 Reserved.
2014SMF80EVT1binary
Event code. For information about RACF event codes, see z/OS Security Server RACF Macros and Interfaces.
2115SMF80EVQ1binary
Event code qualifier. For information about RACF event codes, see z/OS Security Server RACF Macros and Interfaces.
2216SMF80USR8EBCDIC
Identifier of the user associated with this event (jobname is used if the user is not defined to RACF).
301ESMF80GRP8EBCDIC
Group to which the user was connected (stepname is used if the user is not defined to RACF).
3826SMF80REL2binary
Offset to the first relocate section from beginning of the record header.
4028SMF80CNT2binary
Count of the number of relocate sections.
422ASMF80ATH1binary
Authorities used for processing commands or accessing resources. These flags indicate the authority checks made for the user who requested the action. The RACF commands use bits 0, 1, and 3; the RACF requests use bits 0, 2, and 4-7.
Bit Meaning When Set
0 Normal authority check (resource access) Bit 0 indicates that the user’s authority to issue the command or SVC was determined by the checks for a user with the SPECIAL, OPERATIONS, or AUDITOR attribute. This bit indicates that the tests were made, not that the user passed the tests and has authority to issue the command. This bit is not set on if the user has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute.
1 SPECIAL attribute (command processing) Bit 1 indicates that the user has the SPECIAL attribute and used this authority to issue the command. If the user also has the AUDITOR attribute and entered the command with only those operands that require the AUDITOR attribute, this bit is not set on because the user did not use his authority as a user with the SPECIAL attribute.
2 OPERATIONS attribute (resource access, command processing Bit 2 is set by RACROUTE REQUEST=AUTH and RACROUTE REQUEST=DEFINE and indicates that the user has the OPERATIONS attribute and used this authority to obtain access to the resource.
3 AUDITOR attribute (command processing) Bit 3 indicates that the user has the AUDITOR attribute and used this authority to issue the command with operands that require the AUDITOR attribute.
4 Installation exit processing (resource access) Bit 4 indicates that the user has authority because the exit routine indicated that the request is to be accepted without any further authority checks.
5 Failsoft processing (resource access) Bit 5 indicates that resource access was granted by the operator during failsoft processing.
6 Bypassed-userid = *BYPASS* (resource access) Bit 6 indicates that *BYPASS* was specified on the user ID field. Access was granted because RACF authority checking was bypassed.
7 Trusted attribute (resource access). Bit 7 indicates that the user has the trusted attribute.
432BSMF80REA1binary
Reason for logging. These flags indicate the reason RACF produced the SMF record
Bit Meaning When Set
0 SETROPTS AUDIT(class) - changes to this class of profile are being audited. Bit 0 is set when there are changes made to a profile in a class specified in the AUDIT operand of the SETROPTS command.
1 User being audited Bit 1 is set when a user with the AUDITOR attribute specifies the UAUDIT operand on the ALTUSER command for a user and the user has changed RACF profiles with a RACF command, or a RACROUTE REQUEST=AUTH or RACROUTE REQUEST=DEFINE has been issued for the user.
2 SPECIAL users being audited Bit 2 is set when a user with the AUDITOR attribute specifies the SAUDIT operand on the SETROPTS command and a user with the SPECIAL attribute has changed RACF profiles with a RACF command. However, if a user has both the SPECIAL and AUDITOR attributes and issues a command with operands that require only the AUDITOR attribute, RACF does not log this activity because SPECIAL authority was not used.
3 Access to the resource is being audited due to the AUDIT option (specified when profile created or altered by a RACF command), a logging request from the RACHECK exit routine, or because the operator granted access during failsoft processing.
Bit 3 is set if:
  • The AUDIT option in the resource profile specifies that attempts to access the resource be logged.
  • The RACROUTE REQUEST=AUTH exit routine specifies unconditional logging.
  • The console operator grants the resource access during failsoft processing.

4 RACINIT failure Bit 4 is set when the RACROUTE REQUEST=VERIFY fails to verify a user because of an invalid group, password, terminal, or OIDCARD, or initACEE fails because a certificate in not defined or is not trusted.
5 This command is always audited Bit 5 is set if the RVARY or SETROPTS command produced the SMF record. (The execution of these two commands always produce an SMF record.)
6 Violation detected in command and CMDVIOL is in effect Bit 6 is set when a user with the AUDITOR attribute specifies logging of command violations (with the CMDVIOL operand on the SETROPTS command) and RACF detects a violation.
7 Access to entity being audited due to GLOBALAUDIT option. Bit 7 is set when attempts to access a RACF-protected resource are being logged, as requested by the GLOBALAUDIT option in the resource profile.
442CSMF80TLV1binary
Terminal level number of foreground user (zero if not available).
452DSMF80ERR1binary
Command processing error flag. These flags indicate errors during command processing and the extent of the processing.
Bit Meaning When Set
0 Command had error and RACF could not back out some changes Bit 0 indicates that an error occurred that prevented the command from completing all updates requested, and the command was unable to back out the updates already done. If this bit is on, there may be an inconsistency between the profiles on the RACF database, or between the profile for a data set and the RACF-indicator for the data set in the DSCB or catalog. The latter is also indicated by a bit in the command-related information for the ADDSD, ALTDSD, and DELDSD commands. For some commands (for example, ADDUSER), the inconsistency means an incompletely defined resource. For other commands, where the profiles are already defined (for example, ALTUSER), the inconsistency means that all changes were not made, but the profiles are still usable.
This bit indicates a terminating error and should not be confused with a keyword violation or processing error where the command continues processing other operands.
1 No profile updates were made because of error in RACF processing Bit 1 indicates that none of the requested changes were made, because either (1) a terminating error occurred before the changes were made, or (2) the command was able to back out the changes after a terminating error.
2-7 Reserved.
462ESMF80TRM8EBCDIC
Terminal ID of foreground user (zero if not available).
5436SMF80JBN8EBCDIC
Job name. For RACINIT records for batch jobs, this field can be zero. The job name, time, and date that the reader recognized the JOB card (for this job) constitute the job log identification, or transaction name (for APPC output).
623ESMF80RST4binary
Time since midnight, in hundredths of a second, that the reader recognized the JOB statement for this job. For RACINIT records for batch jobs, this field can be zero.
6642SMF80RSD4packed
Date the reader recognized the JOB statement for this job, in the form 0cyydddF. See “Standard SMF Record Header” on page 13-1 for a detailed description. For RACINIT records for batch jobs, this field can be zero.
7046SMF80UID8EBCDIC
User identification field from the SMF common exit parameter area. For RACINIT records for batch jobs, this field can be zero.
784ESMF80VER1binary
Version indicator (8 = Version 1, Release 8 or later). As of RACF 1.8.1, SMF80VRM is used instead.
794FSMF80RE21binary
Additional reasons for logging
Bit Meaning When Set
0 Security level control for auditing
1 VMEVENT Auditing
2 Class being audited due to SETROPTS LOGOPTIONS
3 Entity audited due to SETROPTS SECLABELAUDIT
4 Reserved.
5-7 Reserved.
8050SMF80VRM4EBCDIC
FMID for RACF
7709 z/OS Security Server (RACF) V1 R6
7720 z/OS Security Server (RACF) V1 R7
7730 z/OS Security Server (RACF) V1 R8
7740 z/OS Security Server (RACF) V1 R9
7750 z/OS Security Server (RACF) V1 R10
8454SMF80SEC8EBCDIC
Security label of the user.
925CSMF80RL22binary
Offset to extended-length relocate sections.
945ESMF80CT22binary
Count of extended-length relocate sections.
9660SMF80AU21binary
Authority used continued.
Bit Meaning When Set
0 OpenEdition superuser
1 OpenEdition system function
2-7 Reserved.
9761SMF80RSV1binary
Reserved.
Relocate Section
(Offset from beginning of record: SMF80REL)
00SMF80DTP1binary
Data type. For description of the variable data elements of the relocate section, see z/OS Security Server RACF Macros and Interfaces.
11SMF80DLN1binary
Length of data that follows.
22SMF80DTA255binary
For description of the variable data elements of the relocate section, see z/OS Security Server RACF Macros and Interfaces.
Extended-Length Relocate Section
(Offset from beginning of record: SMF80RL2)
00SMF80TP22binary
Data type.
22SMF80DL22binary
Length of data that follows.
44SMF80DA2300EBCDIC
Data.

The table above is based on the description provided by IBM in its "MVS Systems Management Facilities (SMF)" manual.

Sample RACF Event Report from SMF 80 Records


The sample SMF report below was created with Spectrum SMF Writer, the low-cost 4GL SMF report writer.

It reads as input the SMF file and selects just the type 80 (RACF Processing) records. (See SMF 80 record layout.)

We print a report showing each RACF processing event, with a description of what the event was, and the outcome. Note that the actual SMF record just contains codes for the event and its status. Our Spectrum SMF Writer definitions include code to expand those numeric values into descriptive texts.

Spectrum SMF Writer also uses a special exit to parse the variably formatted "relocation" fields at the end of the SMF 80 record. This lets us easily print such hard-to-access details as resource name (DSNAME), authority requested and authority allowed.

These events are grouped by unique JOB and printed in JOB/timestamp order.

All of this with just a few lines of code!
Why not install a Spectrum SMF Writer trial right now and start making your own SMF reports!

These Spectrum SMF Writer Statements:

INPUT:  SMF80

INCLUDEIF: SMF80RTY = 80

COLUMNS:
     SMF80JBN('JOBNAME')
     SMF80TME
     SMF80_EVENT_NAME(20 'SMF80 EVENT NAME')
     SMF80_EVENT_QUAL_DESC(18 'EVENT QUALIFIER')
     SMF80USR('USER')
     SMF80GRP('GROUP')
     SMF80DTA_1('RESOURCE|NAME' 16)
     SMF80DTA_3_WORD("AUTH|REQUEST")
     SMF80DTA_4_WORD("AUTH|ALLOWED")
     SMF80DTA_17('CLASS')

SORT:  SMF80_JOBID
BREAK: SMF80_JOBID NOTOTALS SPACE(1)

TITLE: #DATE #TIME /'RACF EVENT LOG BY JOB ON' SMF80DTE  / 'PAGE' #PAGE

 

Produce This SMF Report:

 07/04/13  4:53 AM                           RACF EVENT LOG BY JOB ON 07/24/06                                    PAGE  1
                                                      
                                                                                    RESOURCE       AUTH     AUTH
 JOBNAME   SMF80TME     SMF80 EVENT NAME    EVENT QUALIFIER     USER    GROUP         NAME        REQUEST  ALLOWED CLASS
 ________ ___________ ____________________ __________________ ________ ________ ________________ _________ _______ ______

 CICS3A8A 12:00:03.85 JOB INITIATION / TSO Successful RACINIT CICSUSER SYS1                      CONTROL   CONTROL

 GARRETY  11:52:12.95 RESOURCE ACCESS      Successful access  GARRETY  GEOTEAM  MVS.STOP.STC.WT4 UPDATE    CONTROL OPERCM
 GARRETY  11:52:18.39 RESOURCE ACCESS      Successful access  GARRETY  GEOTEAM  MVS.VARY.WLM

 IMSREPLY 11:30:01.32 RESOURCE ACCESS      Successful access  IMSUSER  SYS1     MVS.DISPLAY.R

 JES2     11:46:09.09 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.F UPDATE    ALTER   OPERCM
 JES2     11:45:08.70 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.F UPDATE    ALTER   OPERCM
 JES2     11:52:15.32 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.F UPDATE    ALTER   OPERCM

 NETX123  11:42:11.97 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.CONTROL.E
 NETX123  11:42:12.00 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.CONTROL.S
 NETX123  11:32:58.74 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.DISPLAY.CONS READ      ALTER   OPERCM
 NETX123  11:33:35.44 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.DISPLAY.OMVS READ      ALTER   OPERCM
 NETX123  11:56:35.35 RESOURCE ACCESS      Successful access  SETUP    SYS1     MVS.MODIFY.STC.Z UPDATE    ALTER   OPERCM

 USER031  11:30:10.60 CHECK ACCESS TO DIRE Not authorized     USER031  OEDFLTG                   CONTROL   CONTROL DIRACC
 USER031  11:30:10.60 CHECK ACCESS TO DIRE Not authorized     USER031  OEDFLTG                   CONTROL   CONTROL DIRACC
 USER031  11:30:26.92 CHECK ACCESS TO DIRE Not authorized     USER031  OEDFLTG                   CONTROL   CONTROL DIRACC

 USER048  11:36:19.20 CHECK ACCESS TO FILE Not authorized     USER048  OEDFLTG                   CONTROL   CONTROL FSOBJ

 USER097  11:30:39.32 CHECK ACCESS TO FILE Not authorized     USER097  OEDFLTG                   CONTROL   CONTROL FSOBJ

 XH4AMGS  11:47:18.81 JOB INITIATION / TSO Password not valid WITADM4  WITADMGP                  CONTROL   CONTROL

 XH7ADM   11:35:45.41 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:35:45.41 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:55:21.94 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:55:21.94 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:32:43.57 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC
 XH7ADM   11:32:43.57 DIRECTORY SEARCH     Not authorized     XH7ADM   WT6CFG                    CONTROL   CONTROL DIRSRC

...

See other sample SMF reports.

Copyright 2024.
Pacific Systems Group.
All rights reserved.


Spectrum Writer 4GL - the economical alternative to SAS, Easytrieve, DYL-280...

Home | Products | Prices | Documentation | 30-Day Trials | Customer Reviews | Company | FAQ | Sample Reports | SMF Records
Send Your Comments or Questions