Q: I have started auditing on my AS/400 and I have a large volume of data collected in the audit journal receiver. Are there IBM programs available to generate reports and manage the audit journal?
A: Reporting and journal management have been left to the individual installation. I am unaware of any plans by IBM to add additional audit journal management or report generation tools. You can get some reporting support by creating the Display Audit Log (DSPAUDLOG) tool from the QUSRTOOL library. This tool merges the data from the audit journal with messages to make the journal entries understandable. You can see an example of the listing produced by the DSPAUDLOG command in 1.
A: Reporting and journal management have been left to the individual installation. I am unaware of any plans by IBM to add additional audit journal management or report generation tools. You can get some reporting support by creating the Display Audit Log (DSPAUDLOG) tool from the QUSRTOOL library. This tool merges the data from the audit journal with messages to make the journal entries understandable. You can see an example of the listing produced by the DSPAUDLOG command in Figure 1.
The prompt for the DSPAUDLOG command allows you to specify either a file name or *CURRENT. DSPAUDLOG will extract the data from the journal receiver when you use *CURRENT. When you specify a file name, you must use the Display Journal (DSPJRN) command to store the data in the file. Use keywords like STRDATE and ENDDATE to select data for specific dates or ENTTYP to select entries by their two-character journal entry codes. IBM describes the journal entry codes in the Security Reference Manual (SC41-3302). For more information about the DSPAUDLOG command, see From the Toolbox, elsewhere in this issue.
Q:When I use the audit journal, almost half of the entries are for objects in the QTEMP library. How can I eliminate these entries?
A: Currently, you can't. I have requested that IBM give users an option that would eliminate recording of the QTEMP library auditing data. Until that option is available, the audit journal will contain data from the QTEMP library.
I have found a useful technique to eliminate the unwanted QTEMP data from the reports. I create a logical file that eliminates them.
1. Create a database file to hold the data from the journal receiver. I use the
CRTDUPOBJ OBJ(QASYAFJE) + OBJTYPE(*FILE) + FROMLIB(QSYS) TOLIB(your-lib)
2. Using the DDS shown in 2, create a logical file that eliminates the QTEMP library entries-the library name must be specified in the PFILE keyword to avoid selecting the IBM file in library QSYS.
2. Using the DDS shown in Figure 2, create a logical file that eliminates the QTEMP library entries-the library name must be specified in the PFILE keyword to avoid selecting the IBM file in library QSYS.
3. Using the Display Journal (DSPJRN) command, copy data from the journal receiver into the database file created in step 1. The OUTFILFMT should always be *TYPE2 to match the file definition. You can select the data range using the FROMTIME and TOTIME keywords and the specific entry types using the ENTTYP keyword.
DSPJRN JRN(QAUDJRN) JRNCDE(T) + OUTPUT(*OUTFILE) + OUTFILE(your-lib/QASYAFJE) + OUTFILFMT(*TYPE2) + FROMTIME(date time) + TOTIME(date time) + ENTTYP(up to ten entry types)
4. Print the report using the DSPAUDLOG command from QUSRTOOL. By specifying the name of the logical file AUJ003L1, created in step 2, you eliminate the QTEMP library entries.
DSPAUDLOG OPTION(AUJ003L1) + OUTPUT(*PRINT)
Audit information can be lost when not reporting on the QTEMP library entries, because objects can be moved from QTEMP into production libraries.
This method of using a logical file to select specific entries can be used in other instances. The AF entry type includes several conditions. On occasion, I have wanted to produce reports for one of the violation types, such as domain failures. The system includes domain failure conditions with many other authority failure conditions. The DSPJRN and DSPAUDLOG commands do not support selection by the violation type field (position 156 of the record). However, you can use a logical file to select the domain failure entries. See the DDS to select the domain failures in 3.
This method of using a logical file to select specific entries can be used in other instances. The AF entry type includes several conditions. On occasion, I have wanted to produce reports for one of the violation types, such as domain failures. The system includes domain failure conditions with many other authority failure conditions. The DSPJRN and DSPAUDLOG commands do not support selection by the violation type field (position 156 of the record). However, you can use a logical file to select the domain failure entries. See the DDS to select the domain failures in Figure 3.
Q:Our auditors are concerned about the use of DFU to alter production files. We cannot prevent access to DFU because it is used to correct data files. Is there a way to audit the use of DFU from our menus?
A: You could audit the DFU command to determine who is using DFU, but that would not allow you to determine which files are referenced. I suspect that the auditors want to know which files or records are changed.
You can audit the use of DFU with the program DFA001CL, shown in 4. The program displays a screen (source shown in 5) that prompts the user to enter the name of the file to be modified using DFU. The program then records the records that are charged in the DFU journal. You must create the journal and journal receiver prior to using the program.
You can audit the use of DFU with the program DFA001CL, shown in Figure 4. The program displays a screen (source shown in Figure 5) that prompts the user to enter the name of the file to be modified using DFU. The program then records the records that are charged in the DFU journal. You must create the journal and journal receiver prior to using the program.
The Start Journal Physical File (STRJRNPF) and End Journal Physical File (ENDJRNPF) commands are the essential lines in the CL program. They allow you to track changes made to the file during the DFU session. However, anyone who changes the file in any way while the journal is on will be recorded. You can select only certain users when reviewing the journal.
You can ensure that users do not bypass auditing by removing *PUBLIC access from the STRDFU command. Grant *USE access to the STRDFU command to a profile like DFU_AUDIT. The program DFA001CL will need to adopt its owner's user profile DFU_AUDIT that has access to the STRDFU command.
Security Patrol: Security Questions & Answers
Figure 1 Sample DSPAUDLOG Output
UNABLE TO REPRODUCE GRAPHICS
Security Patrol: Security Questions & Answers
Figure 2 DDS to Hide Audit Records for QTEMP
*=======================================================* * To compile: * * CRTLF FILE(XXX/AUJ003L1) SRCFILE(XXX/QDDSSRC) * * * *=======================================================* *. 1 ...+... 2 ...+... 3 ...+... 4 ...+... 5 ...+... 6 ...+... 7 A R QASYAFJE PFILE(YOURLIB/QASYAFJE) A K AFOLIB A S AFOLIB CMP(NE 'QTEMP')
Security Patrol: Security Questions & Answers
Figure 3 DDS to Select Audit Records for Domain Failures
*=======================================================* * To compile: * * CRTLF FILE(XXX/AUJ004L1) SRCFILE(XXX/QDDSSRC) * * * *=======================================================* *. 1 ...+... 2 ...+... 3 ...+... 4 ...+... 5 ...+... 6 ...+... 7 A R QASYAFJE PFILE(YOURLIB/QASYAFJE) A K AFVIOL A S AFVIOL CMP(EQ 'D')
Security Patrol: Security Questions & Answers
Figure 4 DFA001CL CL Source
/*===================================================================*/ /* To compile: */ /* CRTCLPGM PGM(XXX/DFA001CL) SRCFILE(XXX/QCLSRC) */ /* */ /*===================================================================*/ DFA001CL: + PGM DCLF FILE(DFA001D1) DCL VAR(&TEXT) TYPE(*CHAR) LEN(80) SNDRCVF CHKOBJ OBJ(&LIB/&FILE) OBJTYPE(*FILE) MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT)) CHGVAR VAR(&TEXT) VALUE('DFU started for file ' + *CAT &LIB *TCAT '/' *CAT &FILE) SNDJRNE JRN(QAUDJRN) ENTDTA(&TEXT) STRJRNPF FILE(&LIB/&FILE) JRN(DFU) IMAGES(*BOTH) STRDFU OPTION(5) FILE(&LIB/&FILE) ENDJRNPF FILE(&LIB/&FILE) JRN(DFU) EXIT: ENDPGM
Security Patrol: Security Questions & Answers
Figure 5 DFA001DF DDS Source
*=============================================================== * To compile: * * CRTDSPF FILE(XXX/DFA001DF) SRCFILE(XXX/QDDSSRC) * *=============================================================== *. 1 ...+... 2 ...+... 3 ...+... 4 ...+... 5 ...+... 6 ...+... 7 A DSPSIZ(24 80 *DS3) A CA03 A R PROMPT A 2 26'Start DFU for Application File' A DSPATR(HI) A 6 3'Enter file name . . . . . . ' A FILE 10 I 6 32 A 7 5'Library . . . . . . . . .' A LIB 10 I 7 34 A 23 2'F3=Exit' A COLOR(BLU)
LATEST COMMENTS
MC Press Online