Socket connection auditing

Socket connection auditing gives users the ability to log socket connections that flow into and out of IBM i partitions. Security auditing can audit a wide variety of network connections and traffic with socket connection (SK) journal entries.

Security auditing can audit TCP sockets and UDP traffic at the same time by enabling the corresponding audit levels together.

Telnet server connections are audited by using a separate Telnet audit level, so that the user can audit Telnet server connections independently of other TCP connections. This separation exists because the high number of clients that can connect to the Telnet server, and the quick reconnect rates of some Telnet clients, would otherwise result in a high rate of audit record generation on a system.

Users can audit secure traffic with a secure socket connection audit level. System TLS connections can be audited to determine what protocols and cipher suites are being used on the system. One use of auditing secure connections is to identify vulnerable algorithms and ensure that the correct levels of security are being used on the system to protect socket connections. Secure and non-secure TCP connections can be audited at the same time to determine which connections are secure by referencing the IP addresses and ports in the audit records generated.

The secure socket connection audit function also includes auditing VPN Internet Key Exchange (IKE) negotiations and IP Security (IPsec) connections. Secure UDP traffic is also audited by using the secure socket connection audit level.

The many options for socket connection auditing give users the ability to gain a thorough understanding of network traffic and security on their systems. As security requirements continue to increase, auditing is a useful tool to analyze potential exposures and determine what security is being used to protect network traffic.

Socket connection auditing allows a user to audit specific traffic on the system based on the auditing levels enabled. The following table describes the different socket connection audit level values and how they are used.

Table 1. Socket connection auditing system values

| Action auditing value | Description | Available on QAUDLVL/QAUDLVL2 system values | Available on CHGUSRAUD command | Detailed SK journal entry type | Detailed description |
|---|---|---|---|---|---|
| *NETSCK | TCP connections are audited. Note: Telnet server connections are not audited. | Yes | Yes | A | Accept - A TCP socket connection was accepted. |
| | | | | C | Connect - A TCP socket connection was established. |
| *NETUDP | UDP traffic is audited. | Yes | Yes | I | Inbound - An inbound UDP packet was received. |
| | | | | O | Outbound - An outbound UDP packet was sent. |
| *NETTELSVR | Telnet server connections are audited. | Yes | No | A | Accept - An inbound Telnet connection was accepted. |
| *NETSECURE | Secure socket connections are audited. | Yes | Yes | S | Success - A secure connection was negotiated successfully. |
| | | | | X | Fail - A secure connection failed to negotiate. |
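The correlation described above, matching *NETSCK accept/connect entries against *NETSECURE success/fail entries by IP address and port, as an added example that is not part of the original page. The record fields and sample entries are constructed for illustration and are not the actual SK journal entry layout; the list of weak protocol versions is an assumed local policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SkEntry:
    """Constructed, simplified SK journal record (not the real outfile layout)."""
    entry_type: str      # A, C, I, O, S or X, as in Table 1
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    protocol: str = ""   # populated on S entries only in this example
    cipher: str = ""     # populated on S entries only in this example

# Constructed sample: two accepted TCP connections, one outbound connect,
# one successful TLS negotiation, one failed negotiation and one weak one.
SAMPLE = [
    SkEntry("A", "10.0.0.5", 443, "192.0.2.10", 51000),
    SkEntry("S", "10.0.0.5", 443, "192.0.2.10", 51000, "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    SkEntry("A", "10.0.0.5", 8080, "192.0.2.11", 51001),
    SkEntry("C", "10.0.0.5", 40000, "198.51.100.7", 443),
    SkEntry("X", "10.0.0.5", 40000, "198.51.100.7", 443),
    SkEntry("A", "10.0.0.5", 443, "192.0.2.12", 51002),
    SkEntry("S", "10.0.0.5", 443, "192.0.2.12", 51002, "TLSv1.0", "AES128-SHA"),
]

WEAK_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}   # assumed local policy

def conn_key(e: SkEntry):
    """The 4-tuple that ties a *NETSCK entry to its *NETSECURE entry."""
    return (e.local_ip, e.local_port, e.remote_ip, e.remote_port)

def classify_connections(entries):
    """Map each TCP connection to 'cleartext', 'secure' or 'handshake-failed'."""
    status = {}
    for e in entries:                      # every accepted/established TCP connection
        if e.entry_type in ("A", "C"):
            status.setdefault(conn_key(e), "cleartext")
    for e in entries:                      # overlay the secure-negotiation outcome
        if e.entry_type == "S":
            status[conn_key(e)] = "secure"
        elif e.entry_type == "X":
            status[conn_key(e)] = "handshake-failed"
    return status

def weak_negotiations(entries):
    """Successful negotiations that used a protocol version the policy rejects."""
    return [e for e in entries if e.entry_type == "S" and e.protocol in WEAK_PROTOCOLS]
```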