Selective Auditing

Selective auditing is a mechanism for emitting audit events only for specific users, groups, resources, or transactions. It is currently supported only by the MLDAP ESM module.

When selective auditing is enabled, most audit events cease to be emitted. An event is emitted only if the affected entity (or entities) has the auditing attribute value set to TRUE.

Note: Some system audit events, for example startup and termination, and some other miscellaneous events, are always emitted.

A new attribute is required to make use of the selective auditing feature: "microfocus-MFDS-Audit". This is an optional attribute for the user, user group, and resource object classes. If you already have an existing LDAP repository with the Micro Focus extensions installed, the attribute has to be added to its schema; see Adding the auditing attribute to the LDAP schema for more information.

The following sections describe which entities are examined for each request type. At this time, only Verify and Auth/XAuth requests are audited:

Affected entities - Verify

In Verify requests, the affected entities are the user and the signon group. The user is checked first, so the group may not need to be examined for the audit attribute value at all, which reduces the number of MLDAP searches required.

If All Groups mode is enabled, every group the user is a member of is checked for the auditing attribute value, which may degrade performance during user signon. If any of those groups has the auditing property set, the Verify request is audited.

Affected entities - Auth/XAuth

In Auth/XAuth requests, the affected entities are the user, the signon group or the user's group set (if All Groups mode is enabled), the resource being accessed, and the transaction. The user's and groups' auditing attribute values are not checked at this time; they are remembered from the Verify request in the ACEE. The resource is checked next, and only if it does not have the auditing property set is the transaction checked.

Note: The transaction is only checked if the region uses the default transaction class TCICSTRN, and the calling subsystem has set the transaction name in the request.
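The check order for both request types, written out as an added example (not Micro Focus code) so the short-circuit behaviour and the MLDAP search cost are visible. The in-memory dictionary stands in for the LDAP repository; the attribute name microfocus-MFDS-Audit, the value TRUE and the default transaction class TCICSTRN are taken from the text above, while every user, group, resource and transaction name is constructed.

```python
"""Model of the selective-auditing decision described above.

Added example, not Micro Focus code. The in-memory dictionary below stands in
for the MLDAP repository; the attribute name microfocus-MFDS-Audit and the
value TRUE are taken from the documentation, every entry name is constructed.
"""

AUDIT_ATTR = "microfocus-MFDS-Audit"
DEFAULT_TRAN_CLASS = "TCICSTRN"

# Constructed directory entries (a missing or non-TRUE attribute means "not audited").
DIRECTORY = {
    "user:alice": {AUDIT_ATTR: "TRUE"},
    "user:bob": {},
    "user:carol": {},
    "group:OPS": {AUDIT_ATTR: "FALSE"},
    "group:AUDITED": {AUDIT_ATTR: "TRUE"},
    "group:DEV": {},
    "resource:PAYROLL.FILE": {AUDIT_ATTR: "TRUE"},
    "resource:PUBLIC.FILE": {},
    "transaction:PAYT": {AUDIT_ATTR: "TRUE"},
    "transaction:INQT": {},
}

# Constructed memberships: the first group listed is the user's signon group.
MEMBERSHIP = {
    "alice": ["OPS"],
    "bob": ["OPS", "AUDITED"],
    "carol": ["OPS", "DEV"],
}


def audit_flag(dn, searches):
    """Perform one (simulated) MLDAP search and record it.
    True only when the attribute is present and set to TRUE."""
    searches.append(dn)
    return DIRECTORY.get(dn, {}).get(AUDIT_ATTR, "").upper() == "TRUE"


def verify(user, all_groups_mode=False):
    """Verify request: the user is checked first, then the signon group, or
    every group the user belongs to when All Groups mode is enabled.
    Returns (audited, list_of_searches) so the search cost is visible."""
    searches = []
    if audit_flag(f"user:{user}", searches):
        return True, searches  # user flagged: no group search needed
    groups = MEMBERSHIP[user] if all_groups_mode else MEMBERSHIP[user][:1]
    for group in groups:
        if audit_flag(f"group:{group}", searches):
            return True, searches
    return False, searches


def auth(acee_audited, resource, transaction=None,
         tran_class=DEFAULT_TRAN_CLASS):
    """Auth/XAuth request: the user/group status is taken from the ACEE
    (remembered at Verify time, no new search), then the resource is checked,
    and the transaction only under the default class with a name supplied."""
    searches = []
    if acee_audited:
        return True, searches
    if audit_flag(f"resource:{resource}", searches):
        return True, searches
    if tran_class == DEFAULT_TRAN_CLASS and transaction:
        if audit_flag(f"transaction:{transaction}", searches):
            return True, searches
    return False, searches


if __name__ == "__main__":
    for user in MEMBERSHIP:
        for mode in (False, True):
            audited, searches = verify(user, mode)
            print(f"verify {user:<6} all_groups={mode!s:<5} "
                  f"audited={audited!s:<5} searches={len(searches)}")
    print("auth:", auth(False, "PUBLIC.FILE", "PAYT"))
```

Running the script shows that bob costs two searches in normal mode and three in All Groups mode, which is the performance effect the text warns about, and that an Auth/XAuth call with an audited ACEE performs no search at all.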

Enabling/Disabling auditing in a running region

The esfupdate command line utility can be used to refresh the ACEEs present in the system. Updating either users or groups causes all related ACEEs to update their auditing status.

Note: esfupdate group updates cannot turn off auditing for a user, only turn it on. If a user no longer needs to be audited, ensure that the auditing property is disabled on both the user and its signon group, then perform a user update. This procedure only works for the user and the signon group; if All Groups mode is enabled and the user's auditing flag was set by membership in an audited group, the flag cannot be reset for that user while the region is running.
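The refresh rules in this section and the note above, modelled as an added example (not Micro Focus code): a user update recomputes the ACEE flag from the user and signon group and can therefore clear it, a group update can only switch auditing on, and in All Groups mode a flag that came from an audited non-signon group stays set. The ACEE class, the `set_by_other_group` bookkeeping and all entry names are constructed for the illustration; only the attribute name microfocus-MFDS-Audit comes from the page.

```python
"""Model of how esfupdate refreshes the audit flag held in an ACEE.

Added example, not Micro Focus code. It implements the rules stated above:
a user update recomputes the flag from the user and the signon group and can
therefore clear it; a group update can only switch auditing on; in All Groups
mode a flag set through an audited non-signon group stays set while the
region runs. Entry names and memberships are constructed.
"""

AUDIT_ATTR = "microfocus-MFDS-Audit"


def is_audited(directory, dn):
    """True only when the entry carries microfocus-MFDS-Audit = TRUE."""
    return directory.get(dn, {}).get(AUDIT_ATTR, "").upper() == "TRUE"


class ACEE:
    """Accessor environment element: holds the audit status remembered from Verify."""

    def __init__(self, user, groups, directory, all_groups_mode=False):
        self.user = user
        self.groups = list(groups)          # groups[0] is the signon group
        self.all_groups_mode = all_groups_mode
        self.audited = False
        self.set_by_other_group = False     # flag came from a non-signon group
        self._verify(directory)

    def _verify(self, directory):
        """Signon check: user first, then signon group (or all groups)."""
        if is_audited(directory, f"user:{self.user}"):
            self.audited = True
            return
        checked = self.groups if self.all_groups_mode else self.groups[:1]
        for group in checked:
            if is_audited(directory, f"group:{group}"):
                self.audited = True
                self.set_by_other_group = group != self.groups[0]
                return

    def user_update(self, directory):
        """User refresh: recompute from the user and signon group only."""
        if self.set_by_other_group:
            return  # cannot be reset while the region runs (All Groups mode)
        self.audited = (is_audited(directory, f"user:{self.user}")
                        or is_audited(directory, f"group:{self.groups[0]}"))

    def group_update(self, group, directory):
        """Group refresh: may only turn auditing on, never off."""
        relevant = self.groups if self.all_groups_mode else self.groups[:1]
        if group in relevant and is_audited(directory, f"group:{group}"):
            self.audited = True
            if group != self.groups[0]:
                self.set_by_other_group = True


def scenario_signon_group():
    """Clear auditing that came from the signon group. Returns the flag after
    the group update (still on) and after the user update (off)."""
    directory = {"user:bob": {}, "group:OPS": {AUDIT_ATTR: "TRUE"}}
    acee = ACEE("bob", ["OPS"], directory)          # audited via OPS at signon
    directory["group:OPS"][AUDIT_ATTR] = "FALSE"    # administrator clears OPS
    acee.group_update("OPS", directory)
    after_group_update = acee.audited
    acee.user_update(directory)
    return after_group_update, acee.audited


def scenario_all_groups():
    """All Groups mode: a flag set through a non-signon group survives both
    a group update and a user update while the region runs."""
    directory = {"user:carol": {}, "group:OPS": {},
                 "group:DEV": {AUDIT_ATTR: "TRUE"}}
    acee = ACEE("carol", ["OPS", "DEV"], directory, all_groups_mode=True)
    directory["group:DEV"][AUDIT_ATTR] = "FALSE"
    acee.group_update("DEV", directory)
    acee.user_update(directory)
    return acee.audited


if __name__ == "__main__":
    print("signon group scenario (after group update, after user update):",
          scenario_signon_group())
    print("all groups scenario (still audited):", scenario_all_groups())
```

The first scenario reproduces the note exactly: the group update leaves bob audited even though OPS no longer carries the flag, and only the subsequent user update turns it off. The second shows why the documented caveat matters in All Groups mode: carol stays audited until the region is restarted.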