IBM Systems & Technology Group Technical Conference, 14-18 April 2008, Sevilla, Spain

Session title: i5/OS Security Auditing Setup and Best Practices
Session ID: ios06
Thomas Barlen, Consulting IT Specialist, IBM STG Lab Services
Notices

This information was developed for products and services offered in the U.S.A.

Note to U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A.

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify,
Trademarks

The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both: IBM, eServer, Redbooks (logo), AS/400, IBM i5/OS, OS/400, IBM Redbooks, iSeries, System i, System i5.

The following terms are trademarks of other companies:
- Intel, Intel Inside (logos), MMX, and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
- Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
- Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
- UNIX is a registered trademark of The Open Group in the United States and other countries.
- SET, SET Secure Electronic Transaction, and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Other company, product, and service names may be trademarks or service marks of others.
Acknowledgements

This presentation was developed by Thomas Barlen, IBM Europe STG Lab Services. Thomas is based in Germany, but works worldwide on mostly System i related security projects and presents at technical conferences.
Agenda

- Introduction to audit and logging
- Setting up system auditing in i5/OS
  - System-wide auditing
  - Object auditing
  - User auditing
- Audit journal analysis
Security goals

Organizations, products, and processes have to meet certain security goals:
- Authentication
- Authorization / access control
- Integrity
- Confidentiality
- Audit / logging
Requirements

Many different government regulations and industry-specific requirements exist that dictate how IT processes and assets must comply with them. Examples:
- The Sarbanes-Oxley Act (a.k.a. SOX) is a US law to establish trust in public companies and protect investors
  - Recommends compliance with COBIT (Control Objectives for Information and Related Technology)
  - COBIT is not part of SOX
- Some requirements of the SOX Public Company Accounting Oversight Board (PCAOB) are:
  - Controls designed to prevent or detect fraud, including who performs the controls and the regulated segregation of duties
  - Controls over the period-end financial reporting process
  - Controls over safeguarding of assets
Requirements (2)

SOX internal controls: Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. Moreover, under Section 404 of the Act, management is required to produce an internal control report as part of each annual Exchange Act report (see 15 U.S.C. 7262). The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting.

IT controls, IT audit, and SOX: "The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Requirements (3)

Other laws and regulations:
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) Digital Security Standard. Excerpt:
  - Protect cardholder data: protect stored data; encrypt transmission of cardholder data and sensitive information across public networks
  - Regularly monitor and test networks: track and monitor all access to network resources and cardholder data; regularly test security systems and processes
Reasons to use auditing and logging

- Laws and industry regulations require auditing
- Internal or external auditors require it
- You want to know what privileged users do on your system (i.e. command auditing)
- Keep track of object usage (i.e. how frequently an object has been accessed)
- Log actions, tasks, and access attempts of external partners and consultants
- Your corporate security policies demand auditing and logging
- Job accounting
i5/OS audit capabilities overview

- The i5/OS system audit journal logs system events
- Logged events cannot be changed in the journal
- Different event categories exist
- Log entry details vary by category
- User applications can also log entries into the system audit journal
- For system-generated entries, Appendix F "Layout of Audit Journal Entries" of the IBM Systems iSeries Security Reference contains information about how to interpret the journal entries

[Figure: sources feeding the audit journal: authority change, user action, object access, user application event]
i5/OS system audit journal event categories (1)

Security category:

  *SECURITY    All security-related events (the union of the *SEC... values below)
  *SECCFG      User profile operations, changes to programs that adopt authority, changes of system values, QSECOFR password reset, etc.
  *SECDIRSRV   Directory services events, such as audit change, successful bind, authority and password change, ownership change, etc.
  *SECIPC      Interprocess communication changes, such as authority, create, delete, or get of an IPC object
  *SECNAS      Network Authentication Service (Kerberos) events
  *SECRUN      Security run-time events, such as changes to object ownership, authorization list, primary group of an object
  *SECSCKD     Socket descriptor events, such as a socket descriptor being given to another job, and receive descriptor
  *SECVFY      Verification functions, i.e. a target user profile pass-through session, a profile handle was generated
  *SECVLDL     Changes to validation list objects are audited
i5/OS system audit journal event categories (2)

More security-related categories:

  *ATNEVT      Attention events. This value must be specified when Intrusion Detection Services is configured and IDS events should be logged to the audit journal
  *AUTFAIL     Authorization failure events, such as all access failures (sign-on, authorization, job submission), incorrect password or user ID entered from a device
  *PGMADP      Adopting authority from a program owner is audited
  *PGMFAIL     Program failures are audited, i.e. a blocked instruction, validation value failure, domain violation
i5/OS system audit journal event categories (3)

Networking categories:

  *NETCMN      Network communication events (the union of the *NET... values below)
  *NETBAS      Network base function events, for example IP rules actions, socket connections, APPN directory search filter
  *NETCLU      Cluster or cluster resource group operations are audited, such as switch, failover, start, end, update attributes, etc.
  *NETFAIL     Network failures are audited, i.e. socket port not available
  *NETSCK      Auditing of socket tasks, such as accept, connect, DHCP address assigned
i5/OS system audit journal event categories (4)

Object management categories:

  *OBJMGT      Generic object tasks are audited, such as moving and renaming objects
  *CREATE      Audit records are written when objects are newly created or replaced
  *DELETE      Audit records are written when objects are deleted
i5/OS system audit journal event categories (5)

Miscellaneous categories:

  *JOBDTA      Job start and stop data are audited, as well as when a job gets held, released, stopped, continued, changed, and disconnected
  *OPTICAL     All optical functions are audited, such as adding or removing optical cartridges, changing the authorization list used to secure an optical volume, etc.
  *PRTDTA      Printing functions are audited, for example printing a spooled file, printing with parameter SPOOL(*NO)
  *SAVRST      Auditing of save and restore operations, including events when a system state program is restored or when job descriptions that contain user names are restored
  *SERVICE     A list of service commands and API calls are audited
  *SPLFDTA     Spooled file functions are audited, such as creating, deleting, displaying, copying, holding, and releasing a spooled file
  *SYSMGT      System management tasks, such as hierarchical file system registration, and changes to Operational Assistant functions or system reply lists are audited
How about the performance impact?

It depends! There is no general information that tells exactly what the performance impact is when turning on the system audit journal. The performance impact depends on:
- The number and type of events you want to journal: system-wide events, or just on an object level, or only for actions of a certain user
- The number of journal receivers you want to keep on the system -> disk storage
- The system value QAUDFRCLVL specifies the number of entries in the journal before the system forces the data to be written to disk. The default is *SYS -> the system decides based on system load when to store the information to disk

[Figure: performance versus security trade-off across QAUDFRCLVL values 1 to 100]
When an error occurs with the audit journal

What happens in the unlikely event of an error with QAUDJRN? Should new entries just be skipped? The action to be taken is defined in the i5/OS system value QAUDENDACN:

- *NOTIFY: the audit entry error is logged and a notification is sent to QSYSOPR/QSYSMSG; the action that caused the audit event continues; QAUDCTL is set to *NONE and the notification is repeated every hour
- *PWRDWNSYS: if sending an audit entry fails, the system ends with SRC B900 3D10; after the IPL the system comes up in restricted state with QAUDCTL set to *NONE, and at that first IPL a user with *AUDIT or *ALLOBJ special authority must sign on
Valuable information resource

The most valuable resource for setting up and analyzing the system audit journal is the System i Security Reference, SC41-5302, found in the iSeries Information Center at http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp under Security > iSeries Security Reference.
i5/OS audit journal implementation overview

Initial setup steps (from the figure on the slide):
1. Audit journal receiver: JRNLIB/AUDRCV
2. Audit journal: QSYS/QAUDJRN
3. System value QAUDCTL: *AUDLVL *NOQTEMP *OBJAUD
4. System values QAUDLVL and QAUDLVL2: *SECCFG *AUTFAIL *DELETE ...
5. Object and user level settings: i5/OS object 1 OBJAUD(*NONE), object 2 OBJAUD(*ALL), object 3 OBJAUD(*USRPRF); user profile OBJAUD(*CHANGE) AUDLVL(*CMD *CREATE)
6. Analyze the audit journal: DSPJRN, CPYAUDJRNE (*1 = V5R4 and later)
Journal receiver considerations

Some considerations need to be taken into account when deciding on the storage location of the journal receiver. You should be able to access and work with the journal even if the system ASP on the journaled system has been destroyed. There are basically two alternatives (from the figure on the slide):
1. Local: QAUDJRN in the system ASP of SYSA, with the journal receiver in a user ASP of SYSA
2. Remote journaling: QAUDJRN in the system ASP of SYSA with receiver library AUDSYSA, remote-journaled to QAUDJRN in the system ASP of SYSB, receiver library AUDSYSA
Creating the journal receiver

- As with any other journal, the journal receiver has to be created before the journal itself
- Always use a dedicated library for the journal receiver

  CRTJRNRCV JRNRCV(AUDLIB/AUDJRN0001) TEXT('System audit journal receiver') AUT(*EXCLUDE)

- Always remember to limit public access as much as possible
Creating the journal

- The system audit journal has a fixed name -> QAUDJRN
- It has to be created in library QSYS
- Specify the journal receiver that you created in the previous step

  CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDJRN0001) TEXT('System audit journal') AUT(*USE)
QAUDCTL: the master switch

The system value QAUDCTL is the master switch to turn on system auditing. The valid values are:

  Value      Description
  *NONE      Turns off auditing on the system; this value cannot be specified with any other value
  *AUDLVL    Turns on system-wide auditing. The level of auditing is specified in the QAUDLVL and QAUDLVL2 system values
  *OBJAUD    Turns on object auditing. Audit records are only written for objects that have the object auditing value set, and only when the corresponding action took place
  *NOQTEMP   Most actions on objects in QTEMP are not logged. This value is only allowed in combination with *AUDLVL and/or *OBJAUD
  *NOTAVL    Means "not available"; a read-only value that is displayed when the user who works with the QAUDCTL system value does not have *AUDIT or *ALLOBJ special authority
System-wide auditing overview

- System-wide auditing events are configured through the QAUDLVL and QAUDLVL2 system values
- System value QAUDCTL must be set to *AUDLVL
- There is no threshold for the number of entries that will be written to QAUDJRN for a specific event: for every occurrence of an event, another entry will be written to the journal
Selecting auditing events

You can specify the event types via the 5250 command line or through iSeries Navigator (Security > Policies > Auditing Policy).

  Display System Value
  System value . . . . : QAUDLVL
  Description  . . . . : Security auditing level

  Auditing options:
    *CREATE    *SECDIRSRV
    *DELETE    *SECNAS
    *AUTFAIL   *SECRUN
    *NETBAS    *SECVLDL
    *NETFAIL
    *NETSCK
    *JOBDTA
    *PGMADP
    *PGMFAIL
    *SECCFG
    *SAVRST
Using both QAUDLVL and QAUDLVL2

When more than 16 auditing values need to be specified for QAUDLVL, you need to use the QAUDLVL2 system value as well. The value *AUDLVL2 in QAUDLVL tells the system to also read QAUDLVL2.

  Display System Value
  System value . . . . : QAUDLVL
  Description  . . . . : Security auditing level

  Auditing options:
    *CREATE    *SECDIRSRV
    *DELETE    *SECNAS
    *AUTFAIL   *SECRUN
    *NETBAS    *SECVLDL
    *NETFAIL   *AUDLVL2
    *NETSCK
    *JOBDTA
    *PGMADP
    *PGMFAIL
    *SECCFG
    *SAVRST

  Display System Value
  System value . . . . : QAUDLVL2
  Description  . . . . : Security auditing level

  Auditing options:
    *SERVICE
    *SECVFY
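The setup steps of this section (receiver, journal, event selection, master switch) as one CL program. This is an added example and not code from the presentation or from IBM; it assumes that library AUDLIB already exists, that the caller holds *AUDIT and *ALLOBJ special authority, and it uses the receiver name AUDJRN0001 from the slides. The QAUDLVL/QAUDLVL2 value lists are one possible baseline built from the categories described earlier, not a recommendation taken from the deck.

```cl
/* SETAUDIT: system audit journal setup, steps 1 to 4 of the overview.   */
/* Added example, not part of the presentation. Assumptions: library     */
/* AUDLIB exists; the caller has *AUDIT and *ALLOBJ special authority.   */
             PGM

             DCL        VAR(&AUDCTL) TYPE(*CHAR) LEN(30)
             DCL        VAR(&AUDLVL) TYPE(*CHAR) LEN(160)

/* Step 1: the receiver comes first, in a dedicated library with public   */
/* access excluded. CPF9801 (object not found) from CHKOBJ means it has   */
/* to be created; otherwise the existing receiver is kept.               */
             CHKOBJ     OBJ(AUDLIB/AUDJRN0001) OBJTYPE(*JRNRCV)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               CRTJRNRCV  JRNRCV(AUDLIB/AUDJRN0001) THRESHOLD(100000) +
                            TEXT('System audit journal receiver') +
                            AUT(*EXCLUDE)
             ENDDO

/* Step 2: the journal has a fixed name and must live in QSYS.           */
/* MNGRCV(*SYSTEM) lets the OS attach a fresh receiver when THRESHOLD   */
/* (in KB) is reached; DLTRCV(*NO) keeps detached receivers on disk     */
/* until they have been saved, so no audit data disappears silently.    */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)
               CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(AUDLIB/AUDJRN0001) +
                            MNGRCV(*SYSTEM) DLTRCV(*NO) +
                            TEXT('System audit journal') AUT(*USE)
             ENDDO

/* Step 4 before step 3: select the events first and open the master    */
/* switch last, so the very first entries are already at the wanted     */
/* level. QAUDLVL holds at most 16 values; *AUDLVL2 as one of them      */
/* tells the system to read the rest from QAUDLVL2.                     */
             CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECCFG +
                          *SECRUN *SECVFY *SECVLDL *CREATE *DELETE +
                          *OBJMGT *SAVRST *SERVICE *PGMADP *PGMFAIL +
                          *JOBDTA *NETFAIL *SYSMGT *AUDLVL2')
             CHGSYSVAL  SYSVAL(QAUDLVL2) VALUE('*SECNAS *SECDIRSRV +
                          *SECIPC *SECSCKD *NETBAS *NETSCK')

/* What happens when an entry cannot be written, and when entries are   */
/* forced to disk (*SYS = the system decides based on load).            */
             CHGSYSVAL  SYSVAL(QAUDENDACN) VALUE(*NOTIFY)
             CHGSYSVAL  SYSVAL(QAUDFRCLVL) VALUE(*SYS)

/* Step 3: the master switch. *NOQTEMP keeps QTEMP noise out of the     */
/* journal; *OBJAUD activates the per-object and per-user values set    */
/* later with CHGOBJAUD, CHGAUD and CHGUSRAUD.                          */
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* Read the values back so the job log documents the resulting state.   */
             RTVSYSVAL  SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
             RTVSYSVAL  SYSVAL(QAUDLVL) RTNVAR(&AUDLVL)
             SNDPGMMSG  MSG('QAUDCTL now ' *CAT &AUDCTL *TCAT +
                          ', QAUDLVL now ' *CAT &AUDLVL)
             ENDPGM
```

Compile with CRTCLPGM into a library with restricted authority and run it once per system; rerunning is safe because existing receiver and journal are detected and kept.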
Object auditing overview

- Object auditing actions are defined on a per-object basis
- Object auditing values for new objects can be set via library or system value settings
- Whether an audit entry is written to the journal can also be delegated to the individual user profile: *USRPRF is a good default value

[Figure: the default object auditing value for a new object is inherited from the system value QCRTOBJAUD, via the library's CRTOBJAUD, into the object's OBJAUD]

  Value      Description
  *NONE      No audit entry will be written
  *CHANGE    All change accesses to this object by all users are logged
  *ALL       All change or read accesses to this object by all users are logged
  *USRPRF    The user profile of the user accessing this object is used to determine whether an audit record is written for this access
Enabling object auditing for a QSYS.LIB object

- Object auditing values need to be defined for every object
- The object auditing parameter is not part of a Create command
- For objects in the QSYS.LIB file system, the following command must be used to define object auditing:

  CHGOBJAUD OBJ(PRODLIB1/ORDER) OBJTYPE(*FILE) OBJAUD(*CHANGE)
Enabling object auditing for an i5/OS IFS object

Similar to enabling object auditing for QSYS.LIB objects, there is also a command for turning on object auditing for objects in the Integrated File System (IFS):

  CHGAUD OBJ('/barlen/app.properties') OBJAUD(*ALL)
Example of using *CHANGE for object auditing

Command:
  CHGOBJAUD OBJ(BARLEN/USRLIST) OBJTYPE(*FILE) OBJAUD(*CHANGE)

Object (Display Object Description, Full):
  Object . . . . . . . : USRLIST        Attribute . . . . : PF
  Library  . . . . . . : BARLEN         Owner . . . . . . : BARLEN
  Library ASP device . : *SYSBAS        Library ASP group : *SYSBAS
  Type . . . . . . . . : *FILE          Primary group . . : *NONE
  Change/Usage information:
    Change date/time . . . . . . : 03/12/07 16:57:12
    Usage data collected . . . . : YES
    Last used date . . . . . . . :
    Days used count  . . . . . . : 0
    Reset date . . . . . . . . . :
    Allow change by program  . . : NO
  Auditing/Integrity information:
    Object auditing value  . . . : *CHANGE
    Digitally signed . . . . . . : NO
Example of using *USRPRF for object auditing

Command:
  CHGAUD OBJ('/barlen/hodsplit') OBJAUD(*USRPRF)

Object (Display Attributes):
  Object . . . . . . . . . . . . . : /barlen/hodsplit
  Creation date/time . . . . . . . : 03/11/07 10:51:29
  Last access date/time  . . . . . : 03/12/07 09:09:07
  Data change date/time  . . . . . : 03/12/07 08:54:37
  Attribute change date/time . . . : 03/12/07 17:01:15
  Size of object data in bytes . . : 45056
  Allocated size of object . . . . : 45056
  Directory format . . . . . . . . : *TYPE2
  Size of extended attributes  . . : 0
  Storage freed  . . . . . . . . . : No
  Auditing value . . . . . . . . . : *USRPRF
  Object domain  . . . . . . . . . : *SYSTEM
User auditing overview

User auditing can be defined for:
- object events, when *USRPRF is specified in the OBJAUD parameter of the object description
- actions that are performed by a specific user profile

  Object auditing: *NONE *CHANGE *ALL
  Action auditing: *NONE *CMD *CREATE *DELETE *JOBDTA *OBJMGT *OFCSRV *OPTICAL *PGMADP *SAVRST *SECURITY *SERVICE *SPLFDTA *SYSMGT
Enabling per-user auditing

- User auditing cannot be defined with the CRTUSRPRF or CHGUSRPRF command
- The CHGUSRAUD command has to be used to define user auditing:

  CHGUSRAUD USRPRF(BARLEN) OBJAUD(*CHANGE) AUDLVL(*SECURITY *SAVRST *SERVICE)
Example of turning on user auditing

Command (always recommended for privileged users):
  CHGUSRAUD USRPRF(BARLEN THOMAS ISV1) OBJAUD(*CHANGE) AUDLVL(*CMD *SECURITY *SAVRST *SERVICE)

Result (Display User Profile, Basic):
  User profile . . . . . . . . . . : BARLEN
  Object auditing value  . . . . . : *CHANGE
  Action auditing values . . . . . : *CMD *SAVRST *SECURITY *SERVICE
  User ID number . . . . . . . . . : 1000
  Group ID number  . . . . . . . . : 114
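Applying the per-user setting above to every privileged profile at once, instead of naming them by hand. This is an added example, not code from the presentation or from IBM. It assumes the caller has *AUDIT special authority, and that in the DSPUSRPRF TYPE(*BASIC) outfile (model QSYS/QADSPUPB) the profile name is in field UPUPRF and the special authorities are in field UPSPAU as consecutive 10-character entries; both field names are assumptions to verify against the model file on your release.

```cl
/* AUDPRIVUSR: enable command and security action auditing for every   */
/* user profile holding *ALLOBJ or *SECADM. Added example, not from    */
/* the presentation. Assumes *AUDIT special authority and the QADSPUPB  */
/* field layout named in the lead-in (UPUPRF, UPSPAU in 10-char slots). */
             PGM

             DCLF       FILE(QSYS/QADSPUPB)

             DCL        VAR(&POS)    TYPE(*DEC)  LEN(3 0)
             DCL        VAR(&PRIV)   TYPE(*LGL)
             DCL        VAR(&COUNT)  TYPE(*DEC)  LEN(5 0) VALUE(0)
             DCL        VAR(&CNTCHR) TYPE(*CHAR) LEN(5)

/* Snapshot all profiles into QTEMP and read that file through the      */
/* declared model format.                                               */
             DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
                          OUTFILE(QTEMP/USRPRFS)
             OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRFS)

 READ:       RCVF
             MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))

/* Scan the special-authority list one 10-character entry at a time.    */
/* QSECOFR is treated like any other privileged profile.                */
             CHGVAR     VAR(&PRIV) VALUE('0')
             DOFOR      VAR(&POS) FROM(1) TO(141) BY(10)
               IF         COND(%SST(&UPSPAU &POS 7) *EQ '*ALLOBJ' *OR +
                            %SST(&UPSPAU &POS 7) *EQ '*SECADM') +
                            THEN(CHGVAR VAR(&PRIV) VALUE('1'))
             ENDDO
             IF         COND(*NOT &PRIV) THEN(GOTO CMDLBL(READ))

/* The value set from the slide for privileged users: every CL command  */
/* plus security, save/restore and service actions. OBJAUD(*CHANGE)     */
/* makes objects set to OBJAUD(*USRPRF) log change accesses by them.    */
             CHGUSRAUD  USRPRF(&UPUPRF) OBJAUD(*CHANGE) +
                          AUDLVL(*CMD *SECURITY *SAVRST *SERVICE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
               SNDPGMMSG  MSG('CHGUSRAUD failed for ' *CAT &UPUPRF) +
                            MSGTYPE(*DIAG)
               GOTO       CMDLBL(READ)
             ENDDO
             CHGVAR     VAR(&COUNT) VALUE(&COUNT + 1)
             GOTO       CMDLBL(READ)

/* Decimal-to-character CHGVAR pads with leading zeros, e.g. 00003.     */
 DONE:       DLTOVR     FILE(QADSPUPB)
             CHGVAR     VAR(&CNTCHR) VALUE(&COUNT)
             SNDPGMMSG  MSG('User auditing enabled for ' *CAT &CNTCHR +
                          *BCAT 'privileged profiles')
             ENDPGM
```

Run it after every change of special authorities, or schedule it alongside the analysis job, so a newly privileged profile does not escape command auditing.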
i5/OS audit journal analysis overview

The audit journal can serve two purposes:
- log events and, in case of a problem, start the analysis
- log events and analyze the journal on a regular basis (preventive)

Let's explore the analysis based on the manual process. Task overview:
1. Select journal entries
2. Format journal entries
3. Interpret journal entries
4. Act on results
Selecting audit journal entries

Selecting and displaying journal entries is done through the DSPJRN command. You need to specify the entry type and journal name; other parameters are optional.

  Display Journal (DSPJRN)
  Type choices, press Enter.
  Journal  . . . . . . . . . . . > QAUDJRN       Name, *INTSYSJRN
    Library  . . . . . . . . . . . *LIBL         Name, *LIBL, *CURLIB
  Journaled physical file:
    File . . . . . . . . . . . . .               Name, *ALLFILE, *ALL
      Library  . . . . . . . . . . *LIBL         Name, *LIBL, *CURLIB
    Member . . . . . . . . . . . . *FIRST        Name, *FIRST, *ALL, *NONE
  Number of journal entries  . . . *ALL          Number, *ALL
  Journal codes:
    Journal code value . . . . . . *ALL          *ALL, *CTL, A, B, C, D, E...
    Journal code selection . . . .               *ALLSLT, *IGNFILSLT...
                + for more values
  Journal entry types  . . . . . > AF            Character value, *ALL, *RCD
                + for more values
Formatting entries via model outfiles

- Depending on the event type, the system generates audit journal entries of different entry types
- Each entry contains a common set of base information and entry-type-specific information
- Displaying the raw journal entry does not provide very meaningful information:

  Display Journal Entry
  Object . . . . . . . :                 Library  . . . . . . :
  Member . . . . . . . :
  Incomplete data  . . : No              Minimized entry data : *NONE
  Sequence . . . . . . : 380607
  Code . . . . . . . . : T - Audit trail entry
  Type . . . . . . . . : AF - Authority failure

  Entry specific data
  Column    *...+....1....+....2....+....3....+....4....+....5
  00001     'ASOFTWARE   QSYS       *LIB    QPADEV0005BARLEN2   '
  00051     '001015 BARLEN2                                0000'
  00101     '000                                               '
  00151     '                                                  '
  00201     '                                                  '
  00251     '                                                  '
  00301     '                                                  '
Formatting entries via model outfiles (2)

- Model outfiles exist for every entry type
- The model outfiles are stored in QSYS -> they need to be copied into a work library

  Work with Objects Using PDM                                  I5OSP4
  Library . . . . . QSYS        Position to  . . . . .
                                Position to type . . .
  Type options, press Enter.
  2=Change 3=Copy 4=Delete 5=Display 7=Rename 8=Display description 9=Save 10=Restore 11=Move...
  Opt  Object      Type    Attribute  Text
       QASYADJE    *FILE   PF-DTA     Outfile for journal entry type AD
       QASYADJ4    *FILE   PF-DTA     Outfile for journal entry type AD
       QASYADJ5    *FILE   PF-DTA     Outfile for journal entry type AD
       QASYAFJE    *FILE   PF-DTA     Outfile for journal entry type AF
       QASYAFJ4    *FILE   PF-DTA     Outfile for journal entry type AF
       QASYAFJ5    *FILE   PF-DTA     Outfile for journal entry type AF
       QASYAPJE    *FILE   PF-DTA     Outfile for journal entry type AP
       QASYAPJ4    *FILE   PF-DTA     Outfile for journal entry type AP
                                                                  More...
  Parameters or command
  ===>

The object name encodes the entry type (AD, AF, AP, ...) and the outfile format (JE, J4, J5).
Formatting entries via model outfiles (3)

- Journal entries can be dumped into the corresponding model outfile
- The entries in the outfile are formatted and can be easily processed by Query

  CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(AF) DATA(*YES)
  DSPJRN JRN(QAUDJRN) FROMTIME(031407 090000) ENTTYP(AF) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AF)

  Display Report
  Position to line . . . . .
  Line   ....+....1....+....2....+....3....+....4....+....5....+...
         Type  Job         User      Job     User      Object    Library   Obj
               name        name      number  profile   name      name      type
  000001 AF    QPADEV0005  BARLEN2   1,015   BARLEN2   SOFTWARE  QSYS      *LIB
  000002 AF    QPADEV0005  BARLEN2   1,015   BARLEN2   *N        *N        *DIR
  000003 AF    ADMIN       QTMHHTTP  1,047   QTMHHTTP  *N        *N        *DIR
  000004 AF    ADMIN       QTMHHTTP  1,052   QTMHHTTP  *N        *N        *DIR
  000005 AF    ADMIN       QTMHHTTP  1,052   QTMHHTTP  *N        *N        *DIR
  000006 AF    ADMIN       QTMHHTTP  1,052   QTMHHTTP  *N        *N        *DIR
  ******  ******** End of report ********
Selecting audit journal entries (V5R4 and higher)

- The option from V5R3 is still available
- Starting from V5R4, a new command provides simplified selection and formatting options -> CPYAUDJRNE
- It combines selection and formatting
- It creates a file named with the prefix plus the entry type as extension, i.e. for AF the file is QAUDITAF

  Copy Audit Journal Entries (CPYAUDJRNE)
  Type choices, press Enter.
  Journal entry types  . . . . . . AF            *ALL, AD, AF, AP, AU, CA...
                + for more values
  Output file prefix . . . . . . . QAUDIT        Name
    Library  . . . . . . . . . . . QTEMP         Name, *CURLIB
  Output member options:
    Member to receive output . . . *FIRST        Name, *FIRST
    Replace or add records . . . . *REPLACE      *REPLACE, *ADD
  User profile . . . . . . . . . . *ALL          Name, *ALL
  Journal receiver searched:
    Starting journal receiver  . . *CURRENT      Name, *CURRENT, *CURCHAIN
      Library  . . . . . . . . . .               Name, *LIBL, *CURLIB
    Ending journal receiver  . . .               Name, *CURRENT
      Library  . . . . . . . . . .               Name, *LIBL, *CURLIB
  Starting date and time:
    Starting date  . . . . . . . > 031407        Date, *FIRST
    Starting time  . . . . . . . > 090000        Time
Example 1 of interpreting a journal entry

Example of an AF entry (violation type A means the user was not authorized to the object):

  Display Report
  Shift ....+....71...+....72...+....73...+....74...+
         Violation  Object    Library   Object
         type       name      name      type
         A          SOFTWARE  QSYS      *LIB
         A          *N        *N        *DIR
         A          *N        *N        *DIR
         A          *N        *N        *DIR
         A          *N        *N        *DIR
         A          *N        *N        *DIR
         A          QSRV      QUSRSYS   *MSGQ
Example 2 of interpreting a journal entry

Example of a system value change:

  Display Report
  Position to line . . . . .
  Line   ....+....1....+....2....+....3....+....4....+....5....+....6
         Type  Job         User    Job     User     Entry  System   New
               name        name    number  profile  type   value    value
  00001  SV    QPADEV0003  BARLEN  1,013   BARLEN   A      QCRTAUT  *ALL
  00002  SV    QPADEV0003  BARLEN  1,013   BARLEN   A      QCRTAUT  *EXCLUDE
  ******  ******** End of report ********
Example 3: command auditing

Example of command auditing turned on for a specific user:

  Display Report
  Position to line . . . . .
  Line   ....+....1....+....2....+....3....+....4....+....5
         Type  Job       User    Job     User     CL   Command
               name      name    number  profile  PGM  string
         CD    QZRCSRVS  QUSER   962     BARLEN   N    QSYS/CPYPTFGRP PTFGRP(SF99311)
         CD    QZRCSRVS  QUSER   964     BARLEN   N    QSYS/CPYPTFGRP PTFGRP(SF99323)
         CD    QZRCSRVS  QUSER   966     BARLEN   N    QSYS/CRTSAVF FILE(QGPL/QSF99315G)
         CD    QZRCSRVS  QUSER   964     BARLEN   N    QSYS/DLTF FILE(QGPL/QSF99323G)
         CD    QZRCSRVS  QUSER   962     BARLEN   N    QSYS/DLTF FILE(QGPL/QSF99311G)
         CD    DSP01     BARLEN  1,012   BARLEN   N    MKDIR DIR('/download')
         CD    DSP01     BARLEN  1,012   BARLEN   N    MKDIR DIR('/download/group140307')
         CD    DSP01     BARLEN  1,012   BARLEN   N    CD DIR('/download/group140307')
Automating parts of the audit journal analysis

Write a CL program that automates the manual tasks and run the program through the job scheduler:
- CPYAUDJRNE
- RUNQRY
- ADDJOBSCDE JOB(ANALYZESV) CMD(CALL PGM(AUDLIB/AUDITAF)) FRQ(*WEEKLY) SCDDY(*ALL) SCDTIME(233000)
- Review reports
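A possible AUDITAF program for the scheduler entry above. This is an added example, not the program from the presentation or any IBM-supplied code. It assumes library AUDLIB exists, that the scheduled job runs under a profile with *AUDIT special authority, that QDATE and the CPYAUDJRNE date parameters share the job date format, and it introduces a data area AUDLASTRUN (hypothetical name) to carry the end timestamp of the previous run so consecutive runs do not overlap or leave gaps.

```cl
/* AUDITAF: scheduled authority-failure (AF) report from QAUDJRN.       */
/* Added example, not from the presentation. Assumes library AUDLIB,   */
/* *AUDIT special authority, and job date format = QDATE format. The   */
/* data area AUDLASTRUN (hypothetical) stores MMDDYY+HHMMSS of the     */
/* previous run's end, so each run covers exactly what came after it.  */
             PGM

             DCL        VAR(&LASTRUN)  TYPE(*CHAR) LEN(12)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&FROMTIME) TYPE(*CHAR) LEN(6)
             DCL        VAR(&TODATE)   TYPE(*CHAR) LEN(6)
             DCL        VAR(&TOTIME)   TYPE(*CHAR) LEN(6)
             DCL        VAR(&NBRRCD)   TYPE(*DEC)  LEN(10 0) VALUE(0)
             DCL        VAR(&NBRCHR)   TYPE(*CHAR) LEN(10)

/* Checkpoint of the previous run. CPF1015 = data area not found,      */
/* which means this is the first run: create it and start from *FIRST. */
             RTVDTAARA  DTAARA(AUDLIB/AUDLASTRUN) RTNVAR(&LASTRUN)
             MONMSG     MSGID(CPF1015) EXEC(DO)
               CRTDTAARA  DTAARA(AUDLIB/AUDLASTRUN) TYPE(*CHAR) LEN(12) +
                            TEXT('AUDITAF: end of last run') AUT(*EXCLUDE)
               CHGVAR     VAR(&LASTRUN) VALUE(' ')
             ENDDO

/* Take the end timestamp before copying, not after: entries written   */
/* while the copy runs then belong to the next run instead of being    */
/* skipped. An entry in the boundary second can show up twice, which   */
/* is the safe direction for an audit report.                          */
             RTVSYSVAL  SYSVAL(QDATE) RTNVAR(&TODATE)
             RTVSYSVAL  SYSVAL(QTIME) RTNVAR(&TOTIME)

/* Selection and formatting in one step (V5R4 and later). On V5R3     */
/* use CRTDUPOBJ of QASYAFJ5 plus DSPJRN OUTPUT(*OUTFILE) instead.      */
/* The output file is prefix + entry type: QTEMP/QAUDITAF.             */
             IF         COND(&LASTRUN *EQ ' ') THEN(DO)
               CPYAUDJRNE ENTTYP(AF) OUTFILPFX(QAUDIT) OUTLIB(QTEMP) +
                            OUTMBR(*FIRST *REPLACE) JRNRCV(*CURCHAIN) +
                            FROMTIME(*FIRST) TOTIME(&TODATE &TOTIME)
             ENDDO
             ELSE       CMD(DO)
               CHGVAR     VAR(&FROMDATE) VALUE(%SST(&LASTRUN 1 6))
               CHGVAR     VAR(&FROMTIME) VALUE(%SST(&LASTRUN 7 6))
               CPYAUDJRNE ENTTYP(AF) OUTFILPFX(QAUDIT) OUTLIB(QTEMP) +
                            OUTMBR(*FIRST *REPLACE) JRNRCV(*CURCHAIN) +
                            FROMTIME(&FROMDATE &FROMTIME) +
                            TOTIME(&TODATE &TOTIME)
             ENDDO

/* Only print when something happened: an empty report every night    */
/* trains reviewers to ignore it. CPF9812/CPF9815 = no file or member  */
/* was produced, so the record count stays at 0.                       */
             RTVMBRD    FILE(QTEMP/QAUDITAF) NBRCURRCD(&NBRRCD)
             MONMSG     MSGID(CPF9812 CPF9815)
             IF         COND(&NBRRCD *GT 0) THEN(DO)
               RUNQRY     QRY(*NONE) QRYFILE((QTEMP/QAUDITAF)) +
                            OUTTYPE(*PRINTER)
               CHGVAR     VAR(&NBRCHR) VALUE(&NBRRCD)
               SNDMSG     MSG('AUDITAF: ' *CAT &NBRCHR *BCAT 'authority +
                            failures since last run, see the Query +
                            report in the job output') TOUSR(*SYSOPR)
             ENDDO

/* Advance the checkpoint only now: if anything above failed, the     */
/* unmonitored escape message leaves the old value in place and the    */
/* next run repeats the window.                                        */
             CHGDTAARA  DTAARA(AUDLIB/AUDLASTRUN) +
                          VALUE(&TODATE *CAT &TOTIME)
             ENDPGM
```

The same skeleton serves other entry types (SV for system value changes, CD for command auditing) by changing ENTTYP and the output file name; keep one data area per entry type so their checkpoints stay independent.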
Products that can help you work with the journal

Do you have to do all these tasks by yourself? Not necessarily. Some audit journal management and analysis tasks can be done by readily available software products on the market. The following list shows some of the vendors registered at the IBM System i Tools Innovation site that offer these kinds of functions. There are more vendors out there; you need to search the Web.
Summary

You should now know:
- the purpose of the i5/OS system audit journal
- the various event categories
- how to set up the audit journal environment
- how to set up system-wide auditing
- how to set up object auditing
- how to set up user auditing
- how to analyze the audit journal
Additional information

- System i Security Reference, SC41-5302, found in the iSeries Information Center at http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp under Security > iSeries Security Reference
- IBM System i Tools Innovation site with security vendors: http://www-304.ibm.com/jct09002c/partnerworld/wps/pub/systems/i/technical/iii/en#secureyour