    Get Your IBM i Audit On: Tips For A Smooth Deployment

    July 14, 2014 Alex Woodie

    In today’s highly regulated environment, little is left to chance–including the possibility your IBM i security is misconfigured. One way to keep ahead of the auditors’ wrath is to become familiar with the auditing functions of the IBM i platform and to ensure it is set up correctly for your particular needs. Jeff Uehling, IBM’s security architect for IBM i, recently provided some auditing tips in a webinar hosted by PowerTech.

    The advent of regulations like PCI DSS, HIPAA, SOX, GLBA, and HITECH has raised the level of scrutiny on computer systems to uncomfortably high levels. While companies in the healthcare, retail, and financial services industries have borne the brunt of the regulatory oversight, just about every publicly traded company has been affected in some way or another.

    “We’ve certainly seen an explosion of audit and other security technology within our community,” Uehling said last week during the webinar. That’s good news for the HelpSystems subsidiary, as well as the various other vendors that sell tools that simplify security and auditing on the platform. While the IBM i platform has powerful security and auditing capabilities–namely the QAUDJRN audit journal–they are not always easy to use.

    The QAUDJRN and related auditing functions have a close relationship with the IBM i security controls that determine which users can access which data and objects, at what times, and by what methods. That’s by design. One of the reasons IBM first added auditing to the platform way back with OS/400 V1R3 was to validate that the security plan was working. Big production Power Systems servers today will commonly have more than 30 applications running simultaneously, and staying on top of the constantly changing mix of users, data, and objects is too big of a task to be left solely to human administrators.

    “It’s easy for things to get out of compliance,” Uehling said. “That’s why auditing is a big part of that, to make sure somebody hasn’t accidentally opened up your data to have some user who should not be seeing it, authorized [to see the data]. Audit is a great way to go through and make sure you’re gathering the right information and validate it on the back end.”

    The QAUDJRN is a read-only lockbox (to borrow a phrase from Al Gore) that collects information about what objects and data users have accessed. The fact that it cannot be tampered with makes it an ideal way to ensure that system administrators with ALLOBJ authority and other special powers are not circumventing security controls on the platform in pursuit of fraudulent activity. It allows organizations to treat their administrators like Ronald Reagan treated the Soviets: trust, but verify.

    There are three main areas that IBM i auditing looks at: users, objects, and jobs. A system-wide auditing net can be set up to capture information about every job run on the system, including interactive, batch, and communication jobs. The platform also gives users the capability to audit specific objects, namely database files or IFS files or programs. Finally, user-specific auditing functions can also be set up to scrutinize the actions of particular users, such as the systems administrators and security officers that organizations are forced to trust.

    IBM i shops that want a fine-grained picture of all activities that powerful users or jobs performed while perusing systems–especially data files with sensitive information–will want to ensure that file journaling is turned on. While object auditing will detect whether a user or job accessed or viewed a file, it won’t necessarily tell the auditor what they did.

    “If you opened a database file for modification, you will get an audit record saying they opened a file for modification,” Uehling said. “But if you changed a million records in that file, you’re only going to get one audit record with no indication of what changed. So the capability for the security audit journal and the actual file journaling … will actually log every single modification made to the object type that you started journaling on … The combination … gives you a very nice complete audit trail.”

    While it is possible to audit every single activity of every user, job, and object on the system, that’s not the best way to configure auditing. “If you turn on every single capability to audit every action on the system, you’ll get gigabytes of data in a hurry,” Uehling says. “So an auditing plan is important. [You want to ask yourself], what are you trying to detect? Which users? What objects? What events should we audit, and what should we not audit? It all boils down to knowing where your sensitive data is.”

    About eight out of nine IBM i shops have the QAUDJRN auditing function turned on and are actively collecting data that can be used in an audit, according to PowerTech’s latest State Of IBM i Security report. When an IBM i shop turns on auditing for the first time, it can be a rude awakening, said Robin Tatam, PowerTech’s director of security technologies.

    “The knee-jerk reaction that I see a lot of times is we go from auditing nothing to auditing everything, and we’re so inundated with audit traffic that people panic and they feel like they’re standing in front of a fire hose and they turn it back off,” said Tatam, who hosted last week’s webinar with Uehling.

    The best advice is to strive for a “happy medium” between the two extremes. A good place to start is by using the default settings that IBM provides with the OS. “There are a few other items that we tag,” Tatam said, in particular activity occurring over the network interfaces, like FTP and ODBC, which aren’t automatically monitored by the OS.

    Once you start collecting data in the QAUDJRN, the next question becomes: What do you do with it? It can be a daunting task to query the data in the QAUDJRN journal receivers in a meaningful way, in part due to the large volume of data inevitably stored there, and the cryptic formats. While IBM provides basic tools, as well as the capability to export the data to an external file, it mostly leaves this area open to third-party vendors.
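
    A minimal auditing plan of the kind described above, written as CL commands. This is an added example, not something shown in the webinar or taken from IBM or PowerTech; the library, file, journal, and profile names (PAYLIB, EMPMAST, APPJRN, APPRCV0001, AUDLIB, AUDZC, SECADMIN) are hypothetical placeholders for your own sensitive objects and privileged users.

```cl
/* Added example. PAYLIB, EMPMAST, APPJRN, APPRCV0001, AUDLIB,   */
/* AUDZC and SECADMIN are hypothetical names.                     */

/* 1. System-wide auditing: start from IBM's default event set    */
/*    instead of every possible event. CHGSECAUD creates QAUDJRN  */
/*    if it does not exist yet. *OBJAUD and *AUDLVL must both be   */
/*    active for steps 2 and 3 to produce entries.                */
CHGSECAUD QAUDCTL(*AUDLVL *OBJAUD) QAUDLVL(*DFTSET)

/* 2. User auditing: log the commands and security-related        */
/*    actions of one powerful profile.                            */
CHGUSRAUD USRPRF(SECADMIN) AUDLVL(*CMD *SECURITY)

/* 3. Object auditing: log read and change access to one          */
/*    sensitive database file, whoever the user is.               */
CHGOBJAUD OBJ(PAYLIB/EMPMAST) OBJTYPE(*FILE) OBJAUD(*ALL)

/* 4. File journaling: QAUDJRN records only that the file was     */
/*    opened for change. Before and after images of each record   */
/*    come from journaling the file itself to a separate journal. */
CRTJRNRCV JRNRCV(PAYLIB/APPRCV0001)
CRTJRN JRN(PAYLIB/APPJRN) JRNRCV(PAYLIB/APPRCV0001)
STRJRNPF FILE(PAYLIB/EMPMAST) JRN(PAYLIB/APPJRN) IMAGES(*BOTH)

/* 5. Export: copy the object-change (ZC) entries from the        */
/*    attached receiver chain of QAUDJRN into an output file      */
/*    that can be queried with ordinary tools. AUDLIB must exist. */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(ZC) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
       OUTFILE(AUDLIB/AUDZC)
```

    Running these requires *AUDIT special authority, and the detached QAUDJRN receivers should be saved rather than deleted so the export in step 5 can be repeated against older data.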

    Uehling provided a link, www-03.ibm.com/systems/power/software/i/security/partner_showcase.html, where interested parties can peruse third-party security software solutions for IBM i. Among the products listed there that will assist with a QAUDJRN query are:

    • CILASOFT QJRN/400, which tracks the QAUDJRN;
    • CXL’s AZScan, which can audit the security of IBM i, Unix, VMS, and Oracle systems;
    • Enforcive Information Systems’ (formerly Bsafe) Cross Platform Audit, which provides field-level before and after images for IBM i, Windows, AIX and Linux platforms;
    • Kisco Information Systems’ iFileAudit, which tracks the file audit journal;
    • PowerTech’s Compliance Monitor, which tracks and compresses the QAUDJRN;
    • Raz-Lee Security’s iSecurity iBi and AP-Journal, which track the QAUDJRN;
    • SkyView Partners’ Audit Journal Reporter, which tracks the QAUDJRN;
    • Trinity Guard’s TGAuditor, which was designed specifically for auditors.

    The most important thing is to get QAUDJRN auditing turned on, and start collecting those journal receivers (resist the temptation to delete them to clear up DASD!). Even if you have no immediate plans to do anything with the data, just having the audit log in your possession can be a great form of insurance.

    “If you don’t have it turned on, you definitely want to take a look at it,” Uehling said. “I can’t stress it enough. Get auditing turned on, archive the data as long as you can, save the journal receivers, and if you do have a situation where you find out that your network was penetrated a day ago, a week ago, an hour ago–that’s really the only data you have that might help you figure out what happened on your server.”


Volume 24, Number 24 -- July 14, 2014

Copyright © 2025 IT Jungle