Auditing Level Extension (QAUDLVL2)
The Auditing Level Extension (QAUDLVL2) system value is required when more than sixteen auditing values are needed.
Specifying *AUDLVL2 as one of the values in the QAUDLVL system value will cause the system to also look for auditing values in the QAUDLVL2 system value. You can specify more than one value for the QAUDLVL2 system value, unless you specify *NONE. For the QAUDLVL2 system value to take effect, the QAUDCTL system value must include *AUDLVL and the QAUDLVL system value must include *AUDLVL2.
Note: This
system value is a restricted value. See Security system values for
details on how to restrict changes to security system values and a
complete list of the restricted system values.
| Value | Description |
|---|---|
| *NONE | No auditing values are contained in this system value. |
| *NOTAVL | This value is displayed to indicate that the system value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The system value cannot be set to this value. |
| *ATNEVT | Attention events are logged. |
| *AUTFAIL | Authority failure events are logged. |
| *CREATE | Object create operations are logged. |
| *DELETE | Object delete operations are logged. |
| *JOBBAS | Job base functions are audited. |
| *JOBCHGUSR | Changes to a thread's active user profile or its group profiles are audited. |
| *JOBDTA | Actions that affect a job are logged. *JOBDTA is composed of two values, which are *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified. |
| *NETBAS | Network base functions are audited. |
| *NETCLU | Cluster and cluster resource group operations are audited. |
| *NETCMN | Network and communication functions are audited. *NETCMN is composed of several values to allow you to better customize your auditing. The following values make up *NETCMN: *NETBAS
*NETCLU *NETFAIL The Mail and DHCP functions from *NETSCK |
| *NETFAIL | Network failures are audited. |
| *NETSCK | Socket tasks are audited. Note: Telnet server connections are
not audited as part of *NETSCK. Use *NETTELSVR along with *NETSCK if Telnet server connections
should be audited.
Note: To audit all TCP and UDP connections in and out of
the system specify *NETSCK, *NETUDP, and *NETTELSVR.
|
| *NETSECURE | Secure network connections are audited. Note: This implies
traffic flowing over the connection is now protected by a security protocol known to the system. The
system explicitly audits System SSL/TLS and IPsec from operating system code responsible for
creating the secure connection. IPsec entries for UDP are created using the same frequency as
defined for *NETUDP. The system implicitly audits some non-operating system implemented security
protocols by inspecting application layer data as it flows through the Sockets APIs.
Note:
When *NETTELSVR is also specified, telnet secure network connections are audited.
|
| *NETTELSVR | Telnet Server connections are audited. Note: Telnet clients
can be configured to retry the connection attempt after an attempt to establish a session is
unsuccessful. These Telnet clients will retry indefinitely until the conditions causing the session
to fail are eliminated. This can generate a large number of Telnet server audit journal entries.
Note: To audit all TCP and UDP connections in and out of the system specify *NETSCK,
*NETUDP, and *NETTELSVR.
|
| *NETUDP | User Datagram Protocol (UDP) traffic is audited. Note: UDP
traffic for the same local and remote address and port is audited only once every 12 hours by
default. Refer to The
IPCONFIG macro for details on how to change the default interval.
Note: To audit all
TCP and UDP connections in and out of the system specify *NETSCK, *NETUDP, and *NETTELSVR.
|
| *OBJMGT | Object move and rename operations are logged. |
| *OFCSRV | Changes to the system distribution directory and office mail actions are logged. |
| *OPTICAL | Use of Optical Volumes is logged. |
| *PGMADP | Obtaining authority from a program that adopts authority is logged. |
| *PGMFAIL | System integrity violations are logged. |
| *PRTDTA | Printing a spooled file, sending output directly to a printer, and sending output to a remote printer are logged. |
| *PTFOBJ | Changes to PTF objects are logged. |
| *PTFOPR | PTF operations are logged. |
| *SAVRST | Restore operations are logged. |
| *SECCFG | Security configuration is audited. |
| *SECDIRSRV | Changes or updates when doing directory service functions are audited. |
| *SECIPC | Changes to interprocess communications are audited. |
| *SECNAS | Network authentication service actions are audited. |
| *SECRUN | Security run time functions are audited. |
| *SECSCKD | Socket descriptors are audited. |
| *SECURITY | Security-related functions are logged. *SECURITY is composed of several values to allow you to better customize your auditing. The following values make up *SECURITY: *SECCFG
*SECDIRSRV *SECIPC *SECNAS *SECRUN *SECSCKD *SECVFY *SECVLDL |
| *SECVFY | Use of verification functions are audited. |
| *SECVLDL | Changes to validation list objects are audited. |
| *SERVICE | Using service tools is logged. |
| *SPLFDTA | Actions performed on spooled files are logged. |
| *SYSMGT | Use of systems management functions is logged. |