What is the resource BPX.SMF Resource Class FACILITY used for and how would I code rules for it?

Article ID: 12743


Products

ACF2 ACF2 - DB2 Option ACF2 for zVM ACF2 - z/OS ACF2 - MISC PanApt PanAudit

Issue/Introduction

What is the resource BPX.SMF Resource Class FACILITY used for and how would I code rules for it?

Environment

Component: ACF2MS

Resolution

The FACILITY class resource BPX.SMF (ACF2 resource type FAC, rule key BPX) controls whether a z/OS UNIX (OMVS) process may write SMF records through the smf_record callable service. ACF2 protects this resource by default.

IBM details on the BPX.SMF Facility class resource:

BPX.SMF or BPX.SMF.type.subtype

Permit user access to write an SMF record or to test if an SMF type or subtype is being recorded.

  • The BPX.SMF profile permits a user the authority to write or test for any SMF record that is being recorded. The program-controlled attribute is not required if BPX.SMF is used.
  • For more granular access to writing SMF records, BPX.SMF.type.subtype permits a user the authority to write or test only the SMF record of the specific type and subtype contained in the FACILITY class profile name.

    The BPX.SMF.type.subtype FACILITY class profile requires a clean program-controlled environment: the smf_record syscall verifies that the address space has not loaded any uncontrolled executables, and any future loads or execs of files that reside in uncontrolled libraries are prevented. Note that type and subtype in the FACILITY class name do not have leading zeros.

Some examples are as follows:

BPX.SMF.6.0
BPX.SMF.118.93
BPX.SMF.2.0

RACF commands to set up the permissions:

RDEFINE FACILITY BPX.SMF UACC(NONE)
PERMIT BPX.SMF CLASS(FACILITY) ID(user001) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

Sample ACF2 equivalent:

SET RES(FAC)
RECKEY BPX ADD(SMF UID(UID string for user001) SERVICE(READ) ALLOW)
F ACF2,REBUILD(FAC)

* NOTE: If access is allowed to BPX.SMF, the caller (the application that invokes the smf_record callable service, BPX1SMF) does not need to be APF-authorized.
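As an added example, not code from the article, IBM or Broadcom, the following Python script builds the FACILITY resource names for a list of SMF type/subtype pairs, emits the matching RACF and ACF2 command sequences in the shape shown above (RDEFINE/PERMIT/SETROPTS and SET RES(FAC)/RECKEY BPX ADD/F ACF2,REBUILD), and checks a resource name as it would be typed into a rule against the no-leading-zero convention and the one-byte type / two-byte subtype ranges of the SMF record header. The user IDs, UID strings, the record list and the function names are constructed for illustration.

```python
"""Build and check BPX.SMF FACILITY resource names and the RACF/ACF2
commands that grant them. Added example; not from the article or from
IBM/Broadcom documentation. User IDs, UID strings and the sample record
list below are constructed."""
import re

# SMF record header carries a one-byte type and a two-byte subtype.
SMF_TYPE_MAX = 255
SMF_SUBTYPE_MAX = 65535

# Accepts BPX.SMF, or BPX.SMF.type.subtype where neither number has a
# leading zero (BPX.SMF.6.0 is right, BPX.SMF.006.000 is not).
_NAME_RE = re.compile(r"^BPX\.SMF(?:\.(0|[1-9]\d*)\.(0|[1-9]\d*))?$")


def facility_name(rec_type=None, subtype=None):
    """Return the FACILITY resource name for one type/subtype pair, or the
    blanket BPX.SMF when neither is given. Ranges are checked here so a
    typo never turns into a rule for a record that cannot exist."""
    if rec_type is None and subtype is None:
        return "BPX.SMF"
    if rec_type is None or subtype is None:
        raise ValueError("type and subtype must be given together")
    if not 0 <= rec_type <= SMF_TYPE_MAX:
        raise ValueError(f"SMF type {rec_type} outside 0-{SMF_TYPE_MAX}")
    if not 0 <= subtype <= SMF_SUBTYPE_MAX:
        raise ValueError(f"SMF subtype {subtype} outside 0-{SMF_SUBTYPE_MAX}")
    # str(int) never carries leading zeros, which is the IBM naming rule.
    return f"BPX.SMF.{rec_type}.{subtype}"


def validate_facility_name(name):
    """Check a resource name as written in a rule. Returns (ok, reason)."""
    m = _NAME_RE.match(name)
    if not m:
        return False, "must be BPX.SMF or BPX.SMF.type.subtype, no leading zeros"
    if m.group(1) is not None:
        rec_type, subtype = int(m.group(1)), int(m.group(2))
        if rec_type > SMF_TYPE_MAX:
            return False, f"type {rec_type} exceeds {SMF_TYPE_MAX}"
        if subtype > SMF_SUBTYPE_MAX:
            return False, f"subtype {subtype} exceeds {SMF_SUBTYPE_MAX}"
    return True, ""


def racf_commands(name, user_ids):
    """RDEFINE / PERMIT / RACLIST REFRESH sequence for one resource."""
    cmds = [f"RDEFINE FACILITY {name} UACC(NONE)"]
    cmds += [f"PERMIT {name} CLASS(FACILITY) ID({uid}) ACCESS(READ)"
             for uid in user_ids]
    cmds.append("SETROPTS RACLIST(FACILITY) REFRESH")
    return cmds


def acf2_commands(name, uid_strings):
    """ACF2 equivalent. The FACILITY class is resource type FAC; the rule
    key is the first qualifier (BPX) and the rule entry is the remainder
    of the resource name (SMF, or SMF.6.0 for a granular resource)."""
    key, _, entry = name.partition(".")
    cmds = ["SET RES(FAC)"]
    cmds += [f"RECKEY {key} ADD({entry} UID({uid}) SERVICE(READ) ALLOW)"
             for uid in uid_strings]
    cmds.append("F ACF2,REBUILD(FAC)")
    return cmds


def granular_plan(records, uid_strings):
    """ACF2 commands for every (type, subtype) an application writes.
    Granular resources require a clean program-controlled environment;
    if that cannot be guaranteed, grant the blanket BPX.SMF instead."""
    cmds = []
    for rec_type, subtype in records:
        cmds += acf2_commands(facility_name(rec_type, subtype), uid_strings)
    return cmds


if __name__ == "__main__":
    # Constructed sample: an application writing the three record
    # types named in the article, run under a constructed UID string.
    sample_records = [(6, 0), (118, 93), (2, 0)]
    for line in granular_plan(sample_records, ["OMVSAPP"]):
        print(line)
    print(validate_facility_name("BPX.SMF.006.000"))
```

Each RECKEY line in the granular plan corresponds to one BPX.SMF.type.subtype resource; a masked entry such as SMF.- would collapse them back into blanket access and should be avoided when granular control is the goal.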