Admin Alert: Getting Started with i/OS Security Auditing, Part 2
October 6, 2010 Joe Hertvik
Last month, I discussed how to configure security auditing in an i/OS V5R4Mx environment. This issue, I’ll look at the other side of the equation and discuss what you can do with your security auditing data once you have it. I’ll look at some of the reporting facilities available on the system and how to take advantage of them.
Before Getting Started
If you’re just getting started, you may want to review part 1 of this series to make sure your iSeries, System i, or Power i box is configured correctly for security auditing. The techniques I’m presenting here will not work without having your basic security auditing configuration in place.
Three Ways To Retrieve Information
For i/OS V5R4Mx users, there are three commands for looking at your security auditing data: Display Audit Journal (DSPAUDJRNE), Display Journal (DSPJRN), and Copy Audit Journal (CPYAUDJRNE).
All three commands have pros and cons. But before we look at the commands, let’s first talk about what we’re looking for.
The Raw Data
One of the differences between the audit retrieval commands is which journal entry types each one supports. To examine audit data, you will need to thin out the auditing data that the operating system has gathered and look only at the specific journal entries that tell you what you need to know.
i/OS journal entries are identified by a one-character journal code and a two-character journal entry type. IBM defines hundreds of journal entry types under 16 different journal codes. You can find a list of all the different journal entry types in i/OS on the Journal entries by code and type page in the i5/OS V5R4 Information Center. Fortunately, if you’re auditing system security, you only need to examine the journal code T (Audit Trail Entries) journal entries. Here is a list of some of the more common journal code T entries you may want to audit for.
Again, for a complete list of all journal code and journal type entries, see IBM’s list. Here’s how the different Audit commands stack up when you want to extract information from code T entries in your audit journal.
Display Audit Journal (DSPAUDJRNE) is an older i/OS and OS/400 command. Unfortunately, DSPAUDJRNE’s age and IBM’s operating system plans are working against it. First, IBM stopped producing enhancements to DSPAUDJRNE after V5R4Mx. Second, DSPAUDJRNE does not support all of the available security entries, as the other two commands do. Finally, the command doesn’t list all the fields for the entries that it does support. All of these facts point toward using DSPAUDJRNE only in legacy situations. If you’re just getting started with i/OS security auditing, you may be better off using the DSPJRN or CPYAUDJRNE commands described below.
Using DSPAUDJRNE is easy. Simply type in DSPAUDJRNE on a command line and press F4 to prompt for its parameters. You’ll see a screen that looks like the following.
DSPAUDJRNE’s parameters are few but adequate. You can choose to audit for 1-30 different journal code T audit entry types, you can specify which journal receiver to extract the entries from, and you can specify the date and time range to pull the journal entries for. For output, DSPAUDJRNE only prints the selected entries to a spooled file or displays them on the user’s screen, another drawback when compared against the other two commands. Overall, while DSPAUDJRNE does a fair job of extracting and processing audit journal entries, it is definitely the lesser of the three commands.
In contrast, DSPJRN, the Display Journal command, provides many more capabilities than DSPAUDJRNE. Perhaps because DSPJRN is geared toward retrieving records for any journal code, not just journal code T entries, it provides a number of different retrieval options. These options include:
Like DSPAUDJRNE, DSPJRN is easy to use. Simply type DSPJRN on the command line and press F4 to prompt for its selection parameters. On the following screen, enter the system audit journal name (QAUDJRN) in the Journal name parameter (JRN) and then fill in the selection parameters to use when extracting the data.
The Copy Audit Journal command, CPYAUDJRNE, was first introduced in i/OS V5R4Mx. CPYAUDJRNE is a charged-up version of DSPAUDJRNE that provides some significant advantages over DSPAUDJRNE. Like DSPAUDJRNE, CPYAUDJRNE only processes journal code T journal entries and it allows you to extract entries from specific journal receivers and for specific date ranges. You can also select entries that were generated by a specific user profile.
Unlike DSPAUDJRNE, CPYAUDJRNE only outputs extracted data to an output file. It has no options for displaying data on the screen or to a spooled file. CPYAUDJRNE can also extract any or all of the journal code T entries, whereas DSPAUDJRNE can only extract the list of 30 entries that were present in earlier versions of i/OS and OS/400.
To run Copy Audit Journal, type in the CPYAUDJRNE command and press F4 to prompt for its parameters. You’ll see a screen that looks something like this:
Fill in the parameters you want to use and press ENTER to create your extract file. Generally, CPYAUDJRNE does all the things that DSPAUDJRNE does, only better and to an output file. The biggest disappointment with CPYAUDJRNE is that it doesn’t contain any of the broad selection parameters that are available in DSPJRN. Combining the two commands would have made for a really nice green-screen extraction tool. I guess IBM figures that if CPYAUDJRNE gives you the extraction, your analysis program can handle selecting the records that you want to see.
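As an added example covering both the DSPJRN and CPYAUDJRNE steps above (this is not code from the article), here is a CL program that builds the extract files for a date window so a separate analysis program or query can do the record selection. The program name AUDEXTRACT, the AUDIT outfile prefix, library QGPL as the target, and an MMDDYY job date format are assumptions.

```cl
/* AUDEXTRACT - pull audit journal entries for a date window into outfiles. */
/* Added example, not from the article. Assumes the job date format is *MDY */
/* (dates passed as MMDDYY) and that QGPL is the library for the outfiles.  */
             PGM        PARM(&FROMDATE &TODATE)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(6)
             DCL        VAR(&TODATE)   TYPE(*CHAR) LEN(6)

             /* Stop on any failure so a partial extract is not mistaken for a full one */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* CPYAUDJRNE: journal code T entries only, selected by entry type, */
             /* receiver chain, time window and user profile. One outfile per    */
             /* entry type is created, named prefix + type: QGPL/AUDITAF for     */
             /* authority failures and QGPL/AUDITPW for password failures.       */
             CPYAUDJRNE ENTTYP(AF PW) OUTFILPFX(AUDIT) OUTLIB(QGPL) +
                          OUTMBR(*FIRST *REPLACE) +
                          JRNRCV(*CURCHAIN) +
                          FROMTIME(&FROMDATE 000000) +
                          TOTIME(&TODATE 235959) +
                          USRPRF(*ALL)

             /* DSPJRN against QAUDJRN for the same window: restrict to journal */
             /* code T and entry type CP (user profile changes) and write the   */
             /* *TYPE5 layout so every field of the entry lands in the outfile. */
             DSPJRN     JRN(QAUDJRN) RCVRNG(*CURCHAIN) +
                          FROMTIME(&FROMDATE 000000) +
                          TOTIME(&TODATE 235959) +
                          JRNCDE((T)) ENTTYP(CP) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(QGPL/AUDITCP) OUTMBR(*FIRST *REPLACE) +
                          ENTDTALEN(*CALC)

             SNDPGMMSG  MSG('Audit extracts built in QGPL: AUDITAF, AUDITPW, AUDITCP')
             RETURN

 ERROR:      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('Audit extract failed; see the job log')
             ENDPGM
```

Call it as CALL AUDEXTRACT PARM('100510' '100610') for a two-day window; the resulting files can then be queried with Query/400 or SQL to select the records of interest.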
You Extract What You Ask For
While not perfect, these tools can help you better understand some of the security issues on your partition. Give them a try and see if they can help you better understand what’s going on with your system.