After switching a file system from zFS to TFS, there was a large increase in clear_setid loggings in the ACFRPTOM reports. Why is this happening?
zFS calls clear_setid only when write or truncate is called on a file that has any of the three special bits set (S_ISUID, S_ISGID, S_ISVTX).
At this time, TFS calls clear_setid for every truncate, regardless of whether any of the three special bits are set. IBM is aware of this issue, but has not provided a resolution.
ACF2 cuts an SMF record for this call only if FSSEC is specified in the GSO UNIXOPTS record. To stop these calls from cutting an SMF record, specify NOFSSEC.
To keep the SMF records for auditing purposes but exclude these loggings from the ACFRPTOM report, run the ACFRPTOM report with EXCLUDE(clear_setid).
Example:
//REPORT EXEC PGM=ACFRPTOM
//SYSPRINT DD SYSOUT=*
//RECMAN1 DD DISP=SHR,DSN=SYS1.MAN1
//RECMAN2 DD DISP=SHR,DSN=SYS1.MAN2
//RECMAN3 DD DISP=SHR,DSN=SYS1.MAN3
//SYSIN DD *
TITLE(ACFRPTOM)
DETAIL
EXCLUDE(clear_setid)
/*