Auditing doesn't need to be scary if you have the right tools.

We seem to be getting a lot of questions about i5/OS auditing functions lately. I'm guessing it's because several laws and regulations either require or strongly suggest that certain activity and file accesses be "logged." Logging in the i5/OS and "i" world is known as "auditing." So I thought I'd answer some of the questions we're receiving.

Many operating systems have a simple file where log information is kept. While the access to this file may be controlled, entries can generally be modified or deleted; therefore, some regulations--such as the Payment Card Industry's Data Security Standards--require that logs be protected from modification. This is not necessary with i5/OS.

Where Is the Log (or Audit) Information Kept?

i5/OS auditing is implemented via journals. The journal is not where the data is kept. Rather, the actual audit journal entries are kept in an object called a journal receiver. The IBM developers chose to implement i5/OS auditing using a journal and a journal receiver because you cannot modify or remove entries from a journal receiver. Thus, you can be assured of the integrity of the data journal data.

To manage the information in the log (that is, the QAUDJRN journal), you manage the journal receivers. You cannot clear a journal receiver. Rather, you save them and then delete them from the system. Even if you could clear a journal receiver (which you can't), you wouldn't want to. Why? Because you want to be able to retrieve the data should you require it for forensic or investigative purposes. You may need to modify your backup strategy to ensure you are saving all journal receivers associated with QAUDJRN and are doing so in a way that allows you to easily retrieve them from your long-term storage if the requirement arises.

How Do I Enable Auditing?

You turn on auditing by specifying either *OBJAUD or *AUDLVL in the QAUDCTL system value. This system value is the "On/Off" switch for auditing. If this value is *NONE, auditing is not active.

To turn on action auditing, such as the logging of authority failures, invalid sign-on attempts, deletion of objects, etc., modify the QAUDLVL system value. Some actions produce more audit journal entries than others. To determine the types of actions that cause an audit journal entry to occur, check out Chapter 9 of the Security Reference manual (available from the IBM Information Center.)

How Can I Get Information from the i5/OS Audit Journal?

A couple of methods exist for retrieving information from the audit journal.

You can run the DSPAUDJRNE command. The default is to look for the AF (authority failure) entries. The result is just a subset of the information from the AF audit journal entries. However, there is often enough information to determine what caused a particular entry to be generated.

If you want more of the information that's in the audit journal entry or if you see *N as the object name (indicating that the object is in the IFS), then you must dump the audit journal entries to an outfile and query the results.

To do that, create a duplicate of the model outfile for the audit journal entry type:

CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)

Here, xx is the audit journal entry type you're looking for. In the case of an authority failure, it would be AF.

Then, display the audit journal to an outfile:

DSPJRN JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(xx) +

OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)     

Now you can display the file or run a query or SQL statement to see all fields in the audit journal. V5R4 provides a command, CPYAUDJRNE, that combines CRTDUPBOJ and DSPJRN into one command. The audit journal model outfiles are described in Appendix F of the Security Reference manual, available from the IBM Information Center.

How Can Policy Minder Help?

If you have initialized the system value category, SkyView Policy Minder brings in the current auditing system values settings and establishes those as your policy. If any of those values change, a Policy Minder compliance check of the system value category identifies the changes.

How Can Risk Assessor Help?

In the system value section of the main SkyView Risk Assessor report, the auditing system values are explained, and our recommended setting for each system value is provided.

Can Auditing Be Done Easily?

With the tools from SkyView, auditing is simple!