Auditing doesn't need to be scary if you have the right tools.

We seem to be getting a lot of questions about i5/OS auditing functions lately. I'm guessing it's because several laws and regulations either require or strongly suggest that certain activity and file accesses be "logged." Logging in the i5/OS and "i" world is known as "auditing." So I thought I'd answer some of the questions we're receiving.

Many operating systems have a simple file where log information is kept. While the access to this file may be controlled, entries can generally be modified or deleted; therefore, some regulations--such as the Payment Card Industry's Data Security Standards--require that logs be protected from modification. This is not necessary with i5/OS.

Where Is the Log (or Audit) Information Kept?

i5/OS auditing is implemented via journals. The journal is not where the data is kept. Rather, the actual audit journal entries are kept in an object called a journal receiver. The IBM developers chose to implement i5/OS auditing using a journal and a journal receiver because you cannot modify or remove entries from a journal receiver. Thus, you can be assured of the integrity of the data journal data.

To manage the information in the log (that is, the QAUDJRN journal), you manage the journal receivers. You cannot clear a journal receiver. Rather, you save them and then delete them from the system. Even if you could clear a journal receiver (which you can't), you wouldn't want to. Why? Because you want to be able to retrieve the data should you require it for forensic or investigative purposes. You may need to modify your backup strategy to ensure you are saving all journal receivers associated with QAUDJRN and are doing so in a way that allows you to easily retrieve them from your long-term storage if the requirement arises.

How Do I Enable Auditing?

You turn on auditing by specifying either *OBJAUD or *AUDLVL in the QAUDCTL system value. This system value is the "On/Off" switch for auditing. If this value is *NONE, auditing is not active.

To turn on action auditing, such as the logging of authority failures, invalid sign-on attempts, deletion of objects, etc., modify the QAUDLVL system value. Some actions produce more audit journal entries than others. To determine the types of actions that cause an audit journal entry to occur, check out Chapter 9 of the Security Reference manual (available from the IBM Information Center.)

How Can I Get Information from the i5/OS Audit Journal?

A couple of methods exist for retrieving information from the audit journal.

You can run the DSPAUDJRNE command. The default is to look for the AF (authority failure) entries. The result is just a subset of the information from the AF audit journal entries. However, there is often enough information to determine what caused a particular entry to be generated.

If you want more of the information that's in the audit journal entry or if you see *N as the object name (indicating that the object is in the IFS), then you must dump the audit journal entries to an outfile and query the results.

To do that, create a duplicate of the model outfile for the audit journal entry type:

CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)

Here, xx is the audit journal entry type you're looking for. In the case of an authority failure, it would be AF.

Then, display the audit journal to an outfile:

DSPJRN JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(xx) +

OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)     

Now you can display the file or run a query or SQL statement to see all fields in the audit journal. V5R4 provides a command, CPYAUDJRNE, that combines CRTDUPBOJ and DSPJRN into one command. The audit journal model outfiles are described in Appendix F of the Security Reference manual, available from the IBM Information Center.

How Can Policy Minder Help?

If you have initialized the system value category, SkyView Policy Minder brings in the current auditing system values settings and establishes those as your policy. If any of those values change, a Policy Minder compliance check of the system value category identifies the changes.

How Can Risk Assessor Help?

In the system value section of the main SkyView Risk Assessor report, the auditing system values are explained, and our recommended setting for each system value is provided.

Can Auditing Be Done Easily?

With the tools from SkyView, auditing is simple!

 

Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.

Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3^rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.

---

MC Press books written by Carol Woodbury available now on the MC Press Bookstore.

		IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
		Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale