Admin Alert: Getting Started with i/OS Security Auditing, Part 2
Published: October 6, 2010
by Joe Hertvik
Last month, I discussed how to configure security auditing in an i/OS V5R4Mx environment. This issue, I'll look at the other side of the equation and discuss what you can do with your security auditing data once you have it. I'll look at some of the reporting facilities available on the system and how to take advantage of them.
Before Getting Started
If you're just getting started, you may want to review part 1 of this series to make sure your iSeries, System i, or Power i box is configured correctly for security auditing. The techniques I'm presenting here will not work without having your basic security auditing configuration in place.
Three Ways To Retrieve Information
For i/OS V5R4Mx users, there are three ways to look at your security auditing data.
- Use the Display Audit Journal Entry (DSPAUDJRNE) command.
- Use the Display Journal (DSPJRN) command.
- Use the Copy Audit Journal Entry command (CPYAUDJRNE) to extract the data into output files that can be queried.
All three commands have pros and cons. But before we look at the commands, let's first talk about what we're looking for.
The Raw Data
One of the differences between the audit retrieval commands is the set of journal entry types each one supports. To examine audit data, you will need to thin out all the auditing data that the operating system has gathered and look only at the specific journal entries that tell you what you need to know.
i/OS journal entries are identified by a one-character journal code and a two-character journal entry type. IBM defines hundreds of journal entry types under 16 different journal codes. You can find a list of all of them on the Journal entries by code and type page in the i5/OS V5R4 Information Center. Fortunately, if you're auditing system security, you only need to examine the journal code T (Audit Trail Entries) journal entries. Here is a list of some of the more common journal code T entries you may want to audit for.
| Journal type | Description |
|---|---|
| AF | All authority failures |
| CP | Create, change, restore user profiles |
| CV | Connection verification |
| DS | DST security officer password reset |
| IM | Intrusion monitor |
| JD | Changes to the USER parameter of a job description |
| NA | Changes to i/OS network attributes |
| ND | Directory search violations |
| OR | Object restored |
| OW | Changes to object ownership |
| PA | Changes to programs that will now adopt the owner's authority |
| PW | Passwords used that are not valid |
| RA | Restore of objects when authority changes |
| RJ | Restore of job descriptions that contain user profile names |
| RO | Restore of objects where ownership information changes |
| RP | Restore of programs that adopt their owner's authority |
| RU | Restore of authority for user profiles |
| SD | A change was made to the System Directory |
| SV | Changes to system values |
| VA | Changes to access control lists |
| VC | Connections started or ended |
| VN | A logon or logoff operation on the network |
| YC | A change was made to DLO change access |
| ZC | A change was made to object change access |
Again, for a complete list of all journal code and journal type entries, see IBM's list. Here's how the different Audit commands stack up when you want to extract information from code T entries in your audit journal.
DSPAUDJRNE
Display Audit Journal Entry (DSPAUDJRNE) is an older i/OS and OS/400 command. Unfortunately, DSPAUDJRNE's age and IBM's operating system plans are working against it. First, IBM stopped producing enhancements to DSPAUDJRNE after V5R4Mx. Second, DSPAUDJRNE does not support all of the available security entries, as the other two options do. Finally, the command doesn't list all the fields for the entries that it does support. All of these facts point toward using DSPAUDJRNE only in legacy situations. If you're just getting started with i/OS Security Auditing, you may be better off using the DSPJRN or CPYAUDJRNE commands described below.
Using DSPAUDJRNE is easy. Simply type in DSPAUDJRNE on a command line and press F4 to prompt for its parameters. You'll see a screen that looks like the following.
DSPAUDJRNE's parameters are few but adequate. You can choose to audit for 1-30 different journal code T audit entries, you can specify which journal receiver to extract the entries from, and you can specify the date and time to pull the journal entries for. For output, DSPAUDJRNE only prints the designated entries to a spooled file or displays them to the user's screen, another drawback when compared against the other two commands. Overall, while DSPAUDJRNE does a fair job in extracting and processing auditing journal entries, it is definitely the lesser of the three commands.
DSPJRN
In contrast, DSPJRN, the Display Journal command, provides many more capabilities than DSPAUDJRNE, perhaps because DSPJRN is geared toward retrieving records for any journal code, not just journal code T entries. DSPJRN provides a number of different retrieval options, including:
- Retrieve journal entries for specific files and objects, including an omit feature for telling DSPJRN which objects should be omitted from the output.
- Name pattern matches for data to be returned.
- Designate a specific number of journal entries to be returned with the output.
- Specify which one-digit journal codes that DSPJRN should return entries for (A, B, T, etc.). As opposed to DSPAUDJRNE and CPYAUDJRNE, DSPJRN returns all the journal entries for a specific journal code. There is no option to only pull one or two journal entry types.
- Specify journal entries to be retrieved for a specific job name or program.
- Output the results to the display, a printer, or to an output file for use in another program.
Like DSPAUDJRNE, DSPJRN is easy to use. Simply type DSPJRN on the command line and press F4 to prompt for its selection parameters. On the following screen, enter the system audit journal name (QAUDJRN) in the Journal name parameter (JRN) and then fill in the selection parameters to use when extracting the data.
CPYAUDJRNE
The Copy Audit Journal command, CPYAUDJRNE, was first introduced in i/OS V5R4Mx. CPYAUDJRNE is a charged-up version of DSPAUDJRNE that provides some significant advantages over DSPAUDJRNE. Like DSPAUDJRNE, CPYAUDJRNE only processes journal code T journal entries and it allows you to extract entries from specific journal receivers and for specific date ranges. You can also select entries that were generated by a specific user profile.
Unlike DSPAUDJRNE, CPYAUDJRNE only outputs extracted data to an output file. It has no options for displaying data on the screen or to a spooled file. CPYAUDJRNE can also extract any or all of the journal code T entries, whereas DSPAUDJRNE can only extract the list of 30 entries that were present in earlier versions of i/OS and OS/400.
To run Copy Audit Journal, type in the CPYAUDJRNE command and press F4 to prompt for its parameters. You'll see a screen that looks something like this:
Fill in the parameters you want to use and press ENTER to create your extract file. Generally, CPYAUDJRNE does all the things that DSPAUDJRNE does, only better and to an output file. The biggest disappointment with CPYAUDJRNE is that it doesn't contain any of the broad selection parameters that are available in DSPJRN. Combining the two commands would have made for a really nice green-screen extraction tool. I guess IBM figures that if CPYAUDJRNE gives you the extraction, your analysis program can handle selecting the records that you want to see.
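As an added illustration of the "thin out, then analyze" step described above (this is example code, not from the article or from IBM), here is a small analysis program that filters a set of audit records down to a few journal code T entry types from the table above and rolls them up for review. The record layout and the sample rows are constructed for the example and do not reproduce the column names of a real CPYAUDJRNE output file.

```python
from collections import Counter
from dataclasses import dataclass

# Journal code T entry types to keep, with descriptions from the article's table.
WANTED_TYPES = {
    "AF": "All authority failures",
    "CP": "Create, change, restore user profiles",
    "PW": "Passwords used that are not valid",
    "SV": "Changes to system values",
}

@dataclass(frozen=True)
class AuditEntry:
    code: str        # one-character journal code; security audit entries are always "T"
    entry_type: str  # two-character journal entry type (AF, PW, SV, ...)
    timestamp: str
    user: str
    job: str
    detail: str      # object or value the entry concerns (constructed field, not IBM's column)

# Constructed sample rows standing in for a CPYAUDJRNE extract (not IBM's real columns).
SAMPLE = [
    AuditEntry("T", "PW", "2010-10-01-08.01.10", "JSMITH", "QPADEV0001", "invalid password"),
    AuditEntry("T", "PW", "2010-10-01-08.01.25", "JSMITH", "QPADEV0001", "invalid password"),
    AuditEntry("T", "PW", "2010-10-01-08.01.40", "JSMITH", "QPADEV0001", "invalid password"),
    AuditEntry("T", "PW", "2010-10-01-08.02.03", "JSMITH", "QPADEV0001", "invalid password"),
    AuditEntry("T", "AF", "2010-10-01-09.15.00", "ACLERK", "QPADEV0002", "PAYROLL/EMPMAST"),
    AuditEntry("T", "AF", "2010-10-01-09.15.30", "ACLERK", "QPADEV0002", "PAYROLL/EMPMAST"),
    AuditEntry("T", "SV", "2010-10-01-10.00.00", "QSECOFR", "QPADEV0003", "QSECURITY"),
    AuditEntry("C", "CM", "2010-10-01-10.05.00", "QSYS", "QPADEV0003", "commit"),  # not code T
]

def thin(entries, wanted=WANTED_TYPES):
    """Drop everything except journal code T entries of the wanted types."""
    return [e for e in entries if e.code == "T" and e.entry_type in wanted]

def summarize(entries, pw_threshold=3):
    """Roll the thinned entries up into the counts a reviewer looks at first."""
    pw_by_user = Counter(e.user for e in entries if e.entry_type == "PW")
    af_by_user_obj = Counter((e.user, e.detail) for e in entries if e.entry_type == "AF")
    sv_changes = [(e.timestamp, e.user, e.detail) for e in entries if e.entry_type == "SV"]
    flagged = sorted(u for u, n in pw_by_user.items() if n >= pw_threshold)
    return {"pw_by_user": dict(pw_by_user), "af_by_user_obj": dict(af_by_user_obj),
            "sv_changes": sv_changes, "flagged_users": flagged}

if __name__ == "__main__":
    report = summarize(thin(SAMPLE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The threshold of three invalid passwords per user is an arbitrary starting point; tune it to what is normal on your partition.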
You Extract What You Ask For
While not perfect, these tools can help you better understand some of the security issues on your partition. Give them a try and see if they can help you better understand what's going on with your system.
RELATED STORY
Getting Started with i/OS Security Auditing, Part 1
Senior Technical Editor: Ted Holt
Technical Editor: Joe Hertvik
Contributing Technical Editors: Erwin Earley, Brian Kelly, Michael Sansoterra
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed