Admin Alert: Getting Started with i/OS Security Auditing, Part 2

    October 6, 2010 Joe Hertvik

    Last month, I discussed how to configure security auditing in an i/OS V5R4Mx environment. This issue, I’ll look at the other side of the equation and discuss what you can do with your security auditing data once you have it. I’ll look at some of the reporting facilities available on the system and how to take advantage of them.

    Before Getting Started

    If you’re just getting started, you may want to review part 1 of this series to make sure your iSeries, System i, or Power i box is configured correctly for security auditing. The techniques I’m presenting here will not work without having your basic security auditing configuration in place.

    Three Ways To Retrieve Information

    For i/OS V5R4Mx users, there are three ways to look at your security auditing data.

    1. Use the Display Audit Journal Entry (DSPAUDJRNE) command.
    2. Use the Display Journal (DSPJRN) command.
    3. Use the Copy Audit Journal Entry command (CPYAUDJRNE) to extract the data into output files that can be queried.

    All three commands have pros and cons. But before we look at the commands, let’s first talk about what we’re looking for.

    The Raw Data

    One difference between two of the audit retrieval commands is the set of journal entry types they support. To examine audit data, you will need to thin out all the auditing data the operating system has gathered and look only at the specific journal entries that tell you what you need to know.

    i/OS journal entries are defined by a one-digit journal code and a two-digit journal type. For journaling, IBM offers hundreds of journal types under 16 different journal codes. You can find a list of all the different journal types in i/OS by looking at the Journal entries by code and type page in the i5/OS V5R4 Information Center. Fortunately, if you’re auditing system security, you only need to examine the journal code T (Audit Trail Entries) journal entries. Here is a list of some of the more common journal code T entries you may want to audit for.

    AF   All authority failures
    CP   Create, change, restore user profiles
    CV   Connection verification
    DS   DST security officer password reset
    IM   Intrusion monitor
    JD   Changes to the USER parameter of a job description
    NA   Changes to i/OS network attributes
    ND   Directory search violations
    OR   Object restored
    OW   Changes to object ownership
    PA   Changes to programs that will now adopt the owner’s authority
    PW   Passwords used that are not valid
    RA   Restore of objects when authority changes
    RJ   Restore of job descriptions that contain user profile names
    RO   Restore of objects where ownership information changes
    RP   Restore of programs that adopt their owner’s authority
    RU   Restore of authority for user profiles
    SD   A change was made to the System Directory
    SV   Changes to system values
    VA   Changes to access control lists
    VC   Connections started or ended
    VN   A logon or logoff operation on the network
    YC   A change was made to DLO change access
    ZC   A change was made to object change access

    Again, for a complete list of all journal code and journal type entries, see IBM’s list. Here’s how the different Audit commands stack up when you want to extract information from code T entries in your audit journal.

    DSPAUDJRNE

    Display Audit Journal (DSPAUDJRNE) is an older i/OS and OS/400 command. Unfortunately, DSPAUDJRNE’s age and IBM’s operating system plans are working against it. First, IBM stopped producing enhancements to DSPAUDJRNE after V5R4Mx. Second, DSPAUDJRNE does not support all of the available security entries, as the other two options do. Finally, the command doesn’t list all the fields for the entries that it does support. All of these facts point toward using the DSPAUDJRNE only in legacy situations. If you’re just getting started with i/OS Security Auditing, you may be better off using the DSPJRN or CPYAUDJRNE commands listed below.

    Using DSPAUDJRNE is easy. Simply type DSPAUDJRNE on a command line and press F4 to prompt for its parameters. The prompt screen lists the handful of parameters described below.

    DSPAUDJRNE’s parameters are few but adequate. You can choose to audit for 1-30 different journal code T audit entries, you can specify which journal receiver to extract the entries from, and you can specify the date and time to pull the journal entries for. For output, DSPAUDJRNE only prints the designated entries to a spooled file or displays them to the user’s screen, another drawback when compared against the other two commands. Overall, while DSPAUDJRNE does a fair job in extracting and processing auditing journal entries, it is definitely the lesser of the three commands.
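    As an added example (not from the article), here is the same request typed as a single CL command rather than through the F4 prompt: print one day’s authority failures (AF) and invalid password attempts (PW) to a spooled file. The dates are constructed and assume an *MDY job date format; the parameter names are the ones the command prompts for, and the *CURCHAIN receiver value is an assumption you should confirm on the prompt screen.

```cl
/* Added example, not from the article: print the AF and PW audit      */
/* entries for October 5, 2010 from the current receiver chain.         */
/* Dates are constructed and assume an *MDY job date format.            */
DSPAUDJRNE ENTTYP(AF PW) +
           JRNRCV(*CURCHAIN) +
           FROMTIME('10/05/2010' '000000') +
           TOTIME('10/05/2010' '235959') +
           OUTPUT(*PRINT)
```

    Because the command can only print or display, the spooled file it produces is the end of the road: there is no output file to feed into a query or a program, which is the limitation the article describes.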

    DSPJRN

    In contrast, DSPJRN, the Display Journal command, provides many more capabilities than DSPAUDJRNE. Perhaps because DSPJRN is geared toward retrieving records for any journal code, not just journal code T entries, it provides a number of different retrieval options. These options include:

    • Retrieve journal entries for specific files and objects, including an omit feature for telling DSPJRN which objects should be omitted from the output.
    • Name pattern matches for data to be returned.
    • Designate a specific number of journal entries to be returned with the output.
    • Specify which one-digit journal codes DSPJRN should return entries for (A, B, T, etc.). Unlike DSPAUDJRNE and CPYAUDJRNE, DSPJRN returns all the journal entries for a given journal code; there is no option to pull only one or two journal entry types.
    • Specify journal entries to be retrieved for a specific job name or program.
    • Output the results to the display, a printer, or to an output file for use in another program.

    Like DSPAUDJRNE, DSPJRN is easy to use. Simply type DSPJRN on the command line and press F4 to prompt for its selection parameters. On the following screen, enter the system audit journal name (QAUDJRN) in the Journal name parameter (JRN) and then fill in the selection parameters to use when extracting the data.
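    As an added example (not from the article), this DSPJRN command pulls a week of journal code T entries from QAUDJRN into an output file that a query or program can read, which is the output option the article highlights. The journal name is the real QAUDJRN in QSYS; the dates, the output file name AUDWEEK in QTEMP, and the choice of the *TYPE5 output format are constructed assumptions, so check the OUTFILFMT values your release offers on the prompt screen.

```cl
/* Added example, not from the article: copy all journal code T        */
/* (audit trail) entries for the week ending October 6, 2010 into      */
/* QTEMP/AUDWEEK. Dates are constructed and assume an *MDY job date    */
/* format; the output file name and *TYPE5 format are assumptions.      */
DSPJRN     JRN(QSYS/QAUDJRN) +
           RCVRNG(*CURCHAIN) +
           FROMTIME('09/29/2010' '000000') +
           TOTIME('10/06/2010' '235959') +
           JRNCDE((T)) +
           JOB(*ALL) +
           OUTPUT(*OUTFILE) +
           OUTFILFMT(*TYPE5) +
           OUTFILE(QTEMP/AUDWEEK)
/* To narrow the same run to one job, replace JOB(*ALL) with           */
/* JOB(job-name user job-number); to narrow it to one program, add     */
/* PGM(program-name). Both are selection options the article lists.    */
```

    Note that JRNCDE((T)) returns every code T entry in the range. As the article points out, you then sift the output file for the entry types you care about (AF, PW, CP and so on) in whatever query tool or program reads it.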

    CPYAUDJRNE

    The Copy Audit Journal command, CPYAUDJRNE, was first introduced in i/OS V5R4Mx. CPYAUDJRNE is a charged-up version of DSPAUDJRNE that provides some significant advantages over DSPAUDJRNE. Like DSPAUDJRNE, CPYAUDJRNE only processes journal code T journal entries and it allows you to extract entries from specific journal receivers and for specific date ranges. You can also select entries that were generated by a specific user profile.

    Unlike DSPAUDJRNE, CPYAUDJRNE only outputs extracted data to an output file. It has no options for displaying data on the screen or to a spooled file. CPYAUDJRNE can also extract any or all of the journal code T entries, whereas DSPAUDJRNE can only extract the list of 30 entries that were present in earlier versions of i/OS and OS/400.

    To run Copy Audit Journal, type in the CPYAUDJRNE command and press F4 to prompt for its parameters. The prompt screen lists the entry types, output file, receiver, date range, and user profile parameters.

    Fill in the parameters you want to use and press ENTER to create your extract file. Generally, CPYAUDJRNE does all the things that DSPAUDJRNE does, only better and to an output file. The biggest disappointment with CPYAUDJRNE is that it doesn’t contain any of the broad selection parameters that are available in DSPJRN. Combining the two commands would have made for a really nice green-screen extraction tool. I guess IBM figures that if CPYAUDJRNE gives you the extraction, your analysis program can handle selecting the records that you want to see.
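    As an added example (not from the article), the CL program below does the division of labor the article describes: CPYAUDJRNE performs the extraction, and the analysis step, here a RUNQRY selection, picks out the records of interest. It extracts the AF (authority failure) entries for a caller-supplied date range into QTEMP and then prints only the failures whose violation type is A (not authorized to object). The output file name (the QAUDIT prefix plus the entry type, giving QAUDITAF) and the AFVIOL field name follow the QASYAFJ5 model file as I recall it; treat both as assumptions and confirm them with DSPFFD on your own system. The program name AUDAF and the dates are constructed.

```cl
/* Added example, not from the article: extract AF entries with        */
/* CPYAUDJRNE, then select "not authorized to object" failures.        */
/* Assumptions: the extract lands in QTEMP/QAUDITAF (QAUDIT prefix +   */
/* entry type) and the violation-type field is AFVIOL, per QASYAFJ5.   */
/* Call as: CALL PGM(AUDAF) PARM('10/01/2010' '10/06/2010')            */
/* (constructed dates, *MDY job date format assumed).                  */
PGM        PARM(&FROMDATE &TODATE)
  DCL      VAR(&FROMDATE) TYPE(*CHAR) LEN(10)
  DCL      VAR(&TODATE)   TYPE(*CHAR) LEN(10)
  MONMSG   MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

  /* Step 1: extraction. Only AF entries, only the requested range,     */
  /* all user profiles. OUTMBR(*REPLACE) clears any earlier extract.    */
  CPYAUDJRNE ENTTYP(AF) +
             OUTFILE(QTEMP/QAUDIT) +
             OUTMBR(*FIRST *REPLACE) +
             JRNRCV(*CURCHAIN) +
             FROMTIME(&FROMDATE '000000') +
             TOTIME(&TODATE '235959') +
             USRPRF(*ALL)

  /* Step 2: analysis. Violation type A = not authorized to object;    */
  /* print those rows as a review list.                                */
  RUNQRY     QRY(*NONE) +
             QRYFILE((QTEMP/QAUDITAF)) +
             QRYSLT('AFVIOL *EQ "A"') +
             OUTTYPE(*PRINTER)
  RETURN

ERROR:
  SNDPGMMSG MSG('Audit extract or selection failed; see the job log.')
ENDPGM
```

    Changing the ENTTYP list is all it takes to extract other code T entries from the table above; each type gets its own QAUDITxx file, so a PW extract would be queried from QTEMP/QAUDITPW with that file’s own field names.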

    You Extract What You Ask For

    While not perfect, these tools can help you better understand some of the security issues on your partition. Give them a try and see if they can help you better understand what’s going on with your system.

    RELATED STORY

    Getting Started with i/OS Security Auditing, Part 1


Volume 10, Number 30 -- October 6, 2010