Planning security auditing

Use this information to plan security auditing for your systems.

When monitoring your security, the operating system can log security events which occur on your system. These events are recorded in special system objects called journal receivers. You can set up journal receivers to record different types of security events, such as changing a system value or user profile, or an unsuccessful attempt to access an object.

The following values control which events are logged:
  • The audit control (QAUDCTL) system value
  • The audit level (QAUDLVL) system value
  • The audit level (AUDLVL) value in user profiles
  • The object auditing (OBJAUD) value in user profiles and objects
The information in the audit journals is used:
  • To detect attempted security violations.
  • To plan migration to a higher security level.
  • To monitor the use of sensitive objects, such as confidential files.

Commands are available to view the information in the audit journals in different ways.

The purpose of an audit is to detect and log activities that might compromise the security of your system. When you choose to log actions that occur on your systems, you might experience a trade-off in performance and, in some cases, loss of disk space.

To plan the use of security auditing on your system:
  • Determine which security-relevant events you want to record for all system users. The auditing of security-relevant events is called action auditing.
  • Check whether you need additional auditing for specific users.
  • Decide whether you want to audit the use of specific objects on the system.
  • Determine whether object auditing should be used for all users or specific users.

The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system. You use system values, user profile parameters, and object parameters to define auditing.

The security auditing function is optional. You must take specific steps to set up security auditing.

You can define auditing on your system at three different levels:
  • System-wide auditing that occurs for all users.
  • Auditing that occurs for specific objects.
  • Auditing that occurs for specific users.

When a security-related event that may be audited occurs, the system checks whether you have selected that event for audit. If you have, the system writes a journal entry in the current receiver for the security auditing journal (QAUDJRN in library QSYS).

Setting up security auditing
With security auditing, you can collect information about security events in the QAUDJRN journal.
Using the security audit journal
The security audit journal is the primary source of auditing information about the system. This section describes how to plan, set up, and manage security auditing, what information is recorded, and how to view that information.
Analyzing object and library authorities
You can audit the object and library authorities on your system.
Analyzing programs that adopt authority
Programs that adopt the authority of a user with *ALLOBJ special authority represent a security exposure. You can analyze these programs to audit the security of the system.
Analyzing user profiles
You can display or print a complete list of all the users on your system by using the Display Authorized Users (DSPAUTUSR) command.
Auditing the security officer's actions
You can keep a record of all actions performed by users with *ALLOBJ and *SECADM special authority for tracking purpose.