Using System Management Facilities (SMF) for audit logging
If you intend to use SMF for audit logging, you must do the following:
- Select an SMF record number between 128 and 255 for the audit log records, and include it in your SMF parmlib member SMFPRMxx.
- Specify this SMF record number in one of these locations:
- The FMN0POPI macro for the appropriate FMNxPOPT module. (See Note 1).
- The FMNxPARM member in SYS1.PARMLIB, or other library in the logical PARMLIB concatenation. (See Note 2).
- Ensure that the load module FMNSMF is APF-authorized. You can make FMNSMF APF-authorized either by authorizing the load library, FMN.SFMNMOD1, or by copying FMNSMF to another authorized library. For more information about authorizing FMN.SFMNMOD1, see Running File Manager with APF-authorization.
- Add the load module FMNSMF to the AUTHTSF list in member IKJTSOxx in SYS1.PARMLIB. If you do not do this, even if you have selected to record to SMF and you have specified an SMF record number, no recording is done.
- Each File Manager component has a customization module:
- FMN0POPT
- For File Manager Base component
- FMN1POPT
- For FM/IMS
- FMN2POPT
- For FM/Db2
- FMN3POPT
- For FM/CICS
All the customization modules include an FMN0POPI macro specification, which is described in File Manager options. The SMF record number is specified using the SMFNO parameter of the FMN0POPI macro. See SMFNO. You should specify the SMF record number in the FMNxPOPT member when you are using FMNxPOPT controlled auditing, or SAF-controlled auditing without the use of a member in SYS1.PARMLIB.
- Auditing for each File Manager component can be controlled using a member in
SYS1.PARMLIB, or other library in the logical PARMLIB concatenation. The member names for each component are:
FMN0PARM For File Manager Base component FMN1PARM For FM/IMS FMN2PARM For FM/Db2 FMN3PARM For FM/CICS
Specify the SMF record number in the FMNxPARM member when you are using SAF-controlled auditing and a member in SYS1.PARMLIB.
If File Manager was previously customized to use the BPX1SMF service, consider removing access to SAF FACILITY class profile BPX.SMF from all users to be audited.
To activate any changes you have made to SYS1.PARMLIB members, either restart your system, or use the appropriate commands for your site to dynamically activate the changes.
For more information about SMF, see z/OS MVS System Management Facilities (SMF).
To report on the audit trail information collected by SMF, you
must extract this information from SMF to your own data set. The information
in this data set can then be printed by the File Manager Print Audit
Trail utility. To do this select the Audit trail
option from
the Utilities menu.
A sample job, FMNSMFX, is provided in FMN.SFMNSAM1 to help you extract the SMF data to your own data set. See the comments in the job for information about changes you need to make to the job. The sample job can be used to extract audit log records for all File Manager components (Base function, FM/Db2, FM/IMS, and FM/CICS). The logon ID used to run the sample job must have read access to the SYS1.MANx data sets to run successfully.