Using System Management Facilities (SMF) for audit logging

If you intend to use SMF for audit logging, you must do the following:

  • Select an SMF record number between 128 and 255 for the audit log records, and include it in your SMF parmlib member SMFPRMxx.
  • Specify this SMF record number in one of these locations:
    • The FMN0POPI macro for the appropriate FMNxPOPT module. (See Note 1).
    • The FMNxPARM member in SYS1.PARMLIB, or other library in the logical PARMLIB concatenation. (See Note 2).
  • Ensure that the load module FMNSMF is APF-authorized. You can make FMNSMF APF-authorized either by authorizing the load library, FMN.SFMNMOD1, or by copying FMNSMF to another authorized library. For more information about authorizing FMN.SFMNMOD1, see Running File Manager with APF-authorization.
  • Add the load module FMNSMF to the AUTHTSF list in member IKJTSOxx in SYS1.PARMLIB. If you do not do this, even if you have selected to record to SMF and you have specified an SMF record number, no recording is done.
Note:
  1. Each File Manager component has a customization module:
    FMN0POPT
    For File Manager Base component
    FMN1POPT
    For FM/IMS
    FMN2POPT
    For FM/Db2
    FMN3POPT
    For FM/CICS

    All the customization modules include an FMN0POPI macro specification, which is described in File Manager options. The SMF record number is specified using the SMFNO parameter of the FMN0POPI macro. See SMFNO. You should specify the SMF record number in the FMNxPOPT member when you are using FMNxPOPT controlled auditing, or SAF-controlled auditing without the use of a member in SYS1.PARMLIB.

  2. Auditing for each File Manager component can be controlled using a member in SYS1.PARMLIB, or other library in the logical PARMLIB concatenation. The member names for each component are:


    FMN0PARM  For File Manager Base component
    FMN1PARM  For FM/IMS
    FMN2PARM  For FM/Db2
    FMN3PARM  For FM/CICS

    Specify the SMF record number in the FMNxPARM member when you are using SAF-controlled auditing and a member in SYS1.PARMLIB.

If File Manager was previously customized to use the BPX1SMF service, consider removing access to SAF FACILITY class profile BPX.SMF from all users to be audited.

To activate any changes you have made to SYS1.PARMLIB members, either restart your system, or use the appropriate commands for your site to dynamically activate the changes.

For more information about SMF, see z/OS MVS System Management Facilities (SMF).

To report on the audit trail information collected by SMF, you must extract this information from SMF to your own data set. The information in this data set can then be printed by the File Manager Print Audit Trail utility. To do this select the Audit trail option from the Utilities menu.

A sample job, FMNSMFX, is provided in FMN.SFMNSAM1 to help you extract the SMF data to your own data set. See the comments in the job for information about changes you need to make to the job. The sample job can be used to extract audit log records for all File Manager components (Base, FM/Db2, FM/IMS, and FM/CICS). The logon ID used to run the sample job must have read access to the SYS1.MANx data sets to run successfully.