Admin Alert: Getting Started with i/OS Security Auditing, Part 2

October 6, 2010 Joe Hertvik

Last month, I discussed how to configure security auditing in an i/OS V5R4Mx environment. This issue, I’ll look at the other side of the equation and discuss what you can do with your security auditing data once you have it. I’ll look at some of the reporting facilities available on the system and how to take advantage of them.

Before Getting Started

If you’re just getting started, you may want to review part 1 of this series to make sure your iSeries, System i, or Power i box is configured correctly for security auditing. The techniques I’m presenting here will not work without having your basic security auditing configuration in place.

Three Ways To Retrieve Information

For i/OS V5R4Mx users, there are three ways to look at your security auditing data.

Use the Display Audit Journal Entry (DSPAUDJRNE) command.
Use the Display Journal (DSPJRN) command.
Use the Copy Audit Journal Entry command (CPYAUDJRNE) to extract the data into output files that can be queried.

All three commands have pros and cons. But before we look at the commands, let’s first talk about what we’re looking for.

The Raw Data

One of the differences in two of the audit retrieval commands are the journal entry types that are supported. To examine audit data, you will need to thin out all the auditing data that the operating system has gathered and only look at the specific journal entries that tell you what you need to know.

i/OS journal entries are defined by a one-digit journal code and a two-digit journal type. For journaling, IBM offers over hundreds of journal types under 16 different journal codes. You can find a list of all the different journal types in i/OS by looking at the Journal entries by code and type page in the i5/OS V5R4 Information Center. Fortunately, if you’re auditing system security, you only need to examine the journal code T (Audit Trail Entries) journal entries. Here is a list of some of the more common journal code T entries you may want to audit for.

All authority failures

Create, change, restore user profiles

Connection verification

DST security officer password reset

Intrusion monitor

Changes to the USER parameter of a job description

Changes to i/OS network
attributes

Directory search violations

Object restored

Changes to object ownership

Changes to programs that will now adopt the owner’s
authority

Passwords used that are not valid

Restore of objects when authority changes

Restore of job descriptions that contain user profile
names

Restore of objects where ownership information changes

Restore of programs that adopt their owner’s authority

Restore of authority for user profiles

A change was made to the System Directory

Changes to system values

Changes to access control lists

Connections started or ended

A logon or logoff operation on the network

A change was made to DLO change access

A change was made to object change access

Again, for a complete list of all journal code and journal type entries, see IBM’s list. Here’s how the different Audit commands stack up when you want to extract information from code T entries in your audit journal.

DSPAUDJRNE

Display Audit Journal (DSPAUDJRNE) is an older i/OS and OS/400 command. Unfortunately, DSPAUDJRNE’s age and IBM’s operating system plans are working against it. First, IBM stopped producing enhancements to DSPAUDJRNE after V5R4Mx. Second, DSPAUDJRNE does not support all of the available security entries, as the other two options do. Finally, the command doesn’t list all the fields for the entries that it does support. All of these facts point toward using the DSPAUDJRNE only in legacy situations. If you’re just getting started with i/OS Security Auditing, you may be better off using the DSPJRN or CPYAUDJRNE commands listed below.

Using DSPAUDJRNE is easy. Simply type in DSPAUDJRNE on a command line and press F4 to prompt for its parameters. You’ll see a screen that looks like the following.

DSPAUDJRNE’s parameters are few but adequate. You can choose to audit for 1-30 different journal code T audit entries, you can specify which journal receiver to extract the entries from, and you can specify the date and time to pull the journal entries for. For output, DSPAUDJRNE only prints the designated entries to a spooled file or displays them to the user’s screen, another drawback when compared against the other two commands. Overall, while DSPAUDJRNE does a fair job in extracting and processing auditing journal entries, it is definitely the lesser of the three commands.

DSPJRN

In contrast, DSPJRN, the Display Journal command, provides a lot more capabilities than DSPAUDJRNE. Perhaps because DSPJRN is geared toward retrieving records for any journal code, not just journal code T entries, and DSPJRN provides a number of different retrieval options. These options include:

Retrieve journal entries for specific files and objects, including an omit feature for telling DSPJRN which objects should be omitted from the output.
Name pattern matches for data to be returned.
Designate a specific number of journal entries to be returned with the output.
Specify which one-digit journal codes that DSPJRN should return entries for (A, B, T, etc.). As opposed to DSPAUDJRNE and CPYAUDJRNE, DSPJRN returns all the journal entries for a specific journal code. There is no option to only pull one or two journal entry types.
Specify journal entries to be retrieved for a specific job name or program.
Output the results to the display, a printer, or to an output file for use in another program.

Like DSPAUDJRNE, DSPJRN is easy to use. Simply type DSPJRN on the command line and press F4 to prompt for the selection program. On the following screen, enter the system audit journal name (QAUDJRN) in the Journal name parameter (JRN) and then fill in the selection parameters to use when extracting the data.

CPYAUDJRNE

The Copy Audit Journal command, CPYAUDJRNE, was first introduced in i/OS V5R4Mx. CPYAUDJRNE is a charged-up version of DSPAUDJRNE that provides some significant advantages over DSPAUDJRNE. Like DSPAUDJRNE, CPYAUDJRNE only processes journal code T journal entries and it allows you to extract entries from specific journal receivers and for specific date ranges. You can also select entries that were generated by a specific user profile.

Unlike DSPAUDJRNE, CPYAUDJRNE only outputs extracted data to an output file. It has no options for displaying data on the screen or to a spooled file. CPYAUDJRNE can also extract any or all of the journal code T entries, whereas DSPAUDJRNE can only extract the list of 30 entries that were present in earlier versions of i/OS and OS/400.

To run Copy Audit Journal, type in the CPYAUDJRNE command and press F4 to prompt for its parameters. You’ll see a screen that looks something like this:

Fill in the parameters you want to use and press ENTER to create your extract file. Generally, CPYAUDJRNE does all the things that DSPAUDJRNE does, only better and to an output file. The biggest disappointment with CPYAUDJRNE is that it doesn’t contain any of the broad selection parameters that are available in DSPJRN. Combining the two commands would have made for a really nice green-screen extraction tool. I guess IBM figures that if CPYAUDJRNE gives you the extraction, your analysis program can handle selection the records that you want to see.

You Extract What You Ask For

While not perfect, these tools can help you better understand some of the security issues on your partition. Give them a try and see if they can help you better understand what’s going on with your system.

Getting Started with i/OS Security Auditing, Part 1

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot

Tags:

Revolutionary Performance Management Software

At Greymine, we recognize there is a void in the IT world for a dedicated performance management company and also for a performance management tool that’s modern, easy to use, and doesn’t cost an arm and a leg. That’s why we created PERFSCAN.

PERFSCAN is designed to make your job easier. With revolutionary technology, an easy-to-read report and graphics engine, and real time monitoring, tasks that used to take days can now take minutes. This means you will know your system better and will be able to provide better service to your customers.

OUR FEATURES

PERFSCAN is full of robust features that don’t require you to take a three-day class in order to use the product effectively.

Customizable Performance Reporting

Whether you are troubleshooting a major system problem or simply creating a monthly report, PERFSCAN lets you select any combination of desired performance metrics (CPU, Disk, and Memory).

User Defined Performance Guidelines

No matter if you are a managed service provider managing complex systems in the cloud or a customer analyzing your on-premises solution, PERFSCAN gives you the flexibility to define all mission critical guidelines how they need to be.

Understanding The Impact Of Change

Tired of all the finger pointing when performance is suffering? PERFSCAN’s innovative What’s Changed and Period vs. Period analysis creates a culture of proof by correlating known environmental changes with system performance metrics.

Comprehensive Executive Summary

Creating performance graphs is easy. Understanding what they mean is another thing. With one mouse click, PERFSCAN includes an easy-to-understand executive summary for each core metric analyzed.

Combined Real-Time Monitor And Performance Analysis Tool

With PERFSCAN’s combined built in enterprise real-time monitor and historical performance analysis capability, you will always know how your mission-critical systems are performing.

Cloud Performance Reporting Is Easy

Managing performance for production systems in the cloud can be a black hole to many system administrators. The good news is PERFSCAN analyzes all core metrics regardless of the location. That’s why MSPs and customers love PERFSCAN.

Detailed Job Analysis

PERFSCAN shows detailed top job analysis for any desired period. All metrics are displayed in two ways: Traditional Report and Percentage Breakdown Pie Chart. This toggle capability instantly shows the jobs using the most system resources.

Save Report Capability

Your boss lost the report you gave to him on Friday. Now what do you do? With PERFSCAN’s save report capability, any report can be retrieved in a matter of seconds.

Professional PDF Reporting With Branding

Creating professional looking reports for your customers has never been easier with PERFSCAN. Branding for our partners and service provider customers is easy with PERFSCAN.

Check it out at perfscan.com

Tango/04 Touts International Sales IBM i Dominates the CPW Capacity Budget

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search