Planning security auditing
Use this information to plan security auditing for your systems.
To help you monitor security, the operating system can log security events that occur on your system. These events are recorded in special system objects called journal receivers. You can set up journal receivers to record different types of security events, such as changing a system value or user profile, or an unsuccessful attempt to access an object.
You define auditing with the following system values and parameters:
- The audit control (QAUDCTL) system value
- The audit level (QAUDLVL) system value
- The audit level (AUDLVL) value in user profiles
- The object auditing (OBJAUD) value in user profiles and objects
Reasons to use security auditing include:
- To detect attempted security violations.
- To plan migration to a higher security level.
- To monitor the use of sensitive objects, such as confidential files.
Commands are available to view the information in the audit journals in different ways.
The purpose of an audit is to detect and log activities that might compromise the security of your system. When you choose to log actions that occur on your systems, you might experience a trade-off in performance and, in some cases, loss of disk space.
To plan the use of security auditing:
- Determine which security-relevant events you want to record for all system users. The auditing of security-relevant events is called action auditing.
- Check whether you need additional auditing for specific users.
- Decide whether you want to audit the use of specific objects on the system.
- Determine whether object auditing should be used for all users or specific users.
The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system. You use system values, user profile parameters, and object parameters to define auditing.
The security auditing function is optional. You must take specific steps to set up security auditing.
You can define auditing at these levels:
- System-wide auditing that occurs for all users.
- Auditing that occurs for specific objects.
- Auditing that occurs for specific users.
When a security-related event that may be audited occurs, the system checks whether you have selected that event for audit. If you have, the system writes a journal entry in the current receiver for the security auditing journal (QAUDJRN in library QSYS).
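The check described above can be sketched as a simplified Python model; this is an added example, not IBM code, and it covers only the QAUDCTL, QAUDLVL, AUDLVL and OBJAUD settings named on this page. The special values are IBM i names, while the profiles, objects and settings are constructed, and an object with no OBJAUD value is assumed to be *NONE.

```python
# Simplified model (added example) of the "is this event selected for audit?"
# check. Profiles, objects and settings below are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class AuditConfig:
    qaudctl: set   # audit control, e.g. {"*AUDLVL", "*OBJAUD"} or {"*NONE"}
    qaudlvl: set   # system-wide action types, e.g. {"*AUTFAIL"}
    user_audlvl: dict = field(default_factory=dict)  # profile -> action types
    user_objaud: dict = field(default_factory=dict)  # profile -> *NONE/*CHANGE/*ALL
    obj_objaud: dict = field(default_factory=dict)   # object -> *NONE/*USRPRF/*CHANGE/*ALL

def action_audited(cfg, user, action):
    """Action auditing: system-wide (QAUDLVL) or per user (AUDLVL)."""
    if "*AUDLVL" not in cfg.qaudctl:
        return False  # action auditing is switched off in QAUDCTL
    return action in cfg.qaudlvl or action in cfg.user_audlvl.get(user, set())

def object_access_audited(cfg, user, obj, access):
    """Object auditing: access is 'change' or 'use'."""
    if "*OBJAUD" not in cfg.qaudctl:
        return False  # object auditing is switched off in QAUDCTL
    level = cfg.obj_objaud.get(obj, "*NONE")  # assumption: unset means *NONE
    if level == "*USRPRF":  # the object defers to the user's OBJAUD value
        level = cfg.user_objaud.get(user, "*NONE")
    if level == "*ALL":
        return True  # both change and use accesses are recorded
    return level == "*CHANGE" and access == "change"

# Constructed sample: failures and security changes audited for everyone,
# commands audited for one profile, one file audited for all access.
SAMPLE = AuditConfig(
    qaudctl={"*AUDLVL", "*OBJAUD"},
    qaudlvl={"*AUTFAIL", "*SECURITY"},
    user_audlvl={"CONTRACTOR": {"*CMD"}},
    user_objaud={"CONTRACTOR": "*CHANGE"},
    obj_objaud={"PAYLIB/SALARY": "*ALL", "APPLIB/ORDERS": "*USRPRF"},
)

if __name__ == "__main__":
    for who in ("CLERK", "CONTRACTOR"):
        print(who, "*CMD audited:", action_audited(SAMPLE, who, "*CMD"))
        print(who, "ORDERS change audited:",
              object_access_audited(SAMPLE, who, "APPLIB/ORDERS", "change"))
```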
- Setting up security auditing
  With security auditing, you can collect information about security events in the QAUDJRN journal.
- Using the security audit journal
  The security audit journal is the primary source of auditing information about the system. This section describes how to plan, set up, and manage security auditing, what information is recorded, and how to view that information.
- Analyzing object and library authorities
  You can audit the object and library authorities on your system.
- Analyzing programs that adopt authority
  Programs that adopt the authority of a user with *ALLOBJ special authority represent a security exposure. You can analyze these programs to audit the security of the system.
- Analyzing user profiles
  You can display or print a complete list of all the users on your system by using the Display Authorized Users (DSPAUTUSR) command.
- Auditing the security officer's actions
  You can keep a record of all actions performed by users with *ALLOBJ and *SECADM special authority for tracking purposes.