TCP and UDP auditing
TCP connections, including the Telnet server, and UDP traffic in and out of the system are audited by enabling audit levels *NETSCK, *NETUDP, and *NETTELSVR.
TCP connections
TCP sockets connections are audited when audit level *NETSCK is enabled for system or user level auditing. A successful TCP connection that uses sockets produces two types of socket connection audit records, SK-A and SK-C. The SK-A record is created on the server when the accept() call completes successfully. The SK-C record is created on the client when the connect() call completes successfully. Both records contain the following connection information:
- Address family (IPv4 or IPv6)
- Local IP address
- Local port
- Remote IP address
- Remote port
Telnet server
Telnet server socket connections are not audited when audit level *NETSCK is enabled. Instead, incoming connections to the Telnet server are audited when audit level *NETTELSVR is enabled for the QAUDLVL or QAUDLVL2 system value. The audit value *NETTELSVR replaces the System Service Tools (SST) Advanced Analysis command IPCONFIG option skTelnetServerAudit that was used to configure Telnet server auditing in releases before IBM i 7.3. Consider system configuration and resources before you enable SK auditing for the Telnet server, because high client connect rates result in a high rate of audit record generation.
A successful Telnet connection produces an SK-A record when the Telnet server successfully accepts an incoming connection request. The SK-A records audit the same connection information as a TCP sockets connection.
UDP traffic
UDP sockets traffic is audited when audit level *NETUDP is enabled for system or user level auditing. UDP traffic that uses sockets produces two types of audit records, SK-O and SK-I. The SK-O record is created when an outbound UDP packet is sent, and the SK-I record is created when an inbound UDP packet is received. Both records contain the following connection information:
- Address family (IPv4 or IPv6)
- Local IP address
- Local port
- Remote IP address
- Remote port
For a UDP endpoint, a new audit record is generated once per UDP audit interval for each unique four-tuple of packets that are sent or received; further packets with the same four-tuple within the interval do not produce another record. The four-tuple consists of the source and destination IP addresses and port numbers. The audit interval for UDP packets defaults to 12 hours and is configurable through IPCONFIG with a range of 1 minute to 30 days. IPCONFIG option udpAuditInterval sets the time interval for repeating UDP audit records in minutes, hours, or days. IPCONFIG option -h displays the help panel that describes how to set the UDP audit interval option. For example, the following command sets the UDP audit interval to 2 hours:
IPCONFIG -udpAuditInterval:2H
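The following Python model, added here as an illustration and not part of IBM i or this documentation, parses an interval in the udpAuditInterval syntax and replays a constructed UDP packet trace to show which packets would produce SK-I or SK-O records under the once-per-interval-per-four-tuple rule. The unit letters M/H/D, the case handling, and the decision to audit again once a full interval has elapsed are assumptions; the sample addresses and ports are constructed.

```python
import re
from dataclasses import dataclass, field

# Assumed unit letters for the udpAuditInterval syntax: M = minutes, H = hours, D = days.
_UNITS = {"M": 60, "H": 3600, "D": 86400}
MIN_INTERVAL, MAX_INTERVAL = 60, 30 * 86400   # documented range: 1 minute to 30 days
DEFAULT_INTERVAL = 12 * 3600                   # documented default: 12 hours

def parse_udp_audit_interval(spec):
    """Convert a spec such as '2H', '30M' or '1D' to seconds, enforcing the documented range."""
    m = re.fullmatch(r"(\d+)([MHD])", spec.strip().upper())
    if not m:
        raise ValueError(f"bad udpAuditInterval spec: {spec!r}")
    seconds = int(m.group(1)) * _UNITS[m.group(2)]
    if not MIN_INTERVAL <= seconds <= MAX_INTERVAL:
        raise ValueError(f"interval {spec!r} is outside 1 minute .. 30 days")
    return seconds

@dataclass
class UdpAuditModel:
    """Models UDP auditing: one SK-I/SK-O record per four-tuple per audit interval."""
    interval: int = DEFAULT_INTERVAL
    last_audited: dict = field(default_factory=dict)   # four-tuple -> timestamp of last record

    def observe(self, ts, direction, src_ip, src_port, dst_ip, dst_port):
        """Return 'SK-I' or 'SK-O' if this packet produces a record, or None if it is suppressed."""
        key = (src_ip, src_port, dst_ip, dst_port)
        last = self.last_audited.get(key)
        if last is not None and ts - last < self.interval:
            return None                  # same four-tuple seen within the interval: no new record
        self.last_audited[key] = ts      # assumption: a full elapsed interval re-arms the record
        return "SK-I" if direction == "in" else "SK-O"

def audited_records(interval_spec, packets):
    """Replay (ts, direction, src_ip, src_port, dst_ip, dst_port) packets; return emitted records."""
    model = UdpAuditModel(parse_udp_audit_interval(interval_spec))
    return [(p[0], rec, p[2:]) for p in packets if (rec := model.observe(*p))]

# Constructed sample trace: a DNS-style exchange on port 53 as seen by local host 198.51.100.1.
SAMPLE_PACKETS = [
    (0,    "in",  "192.0.2.10",   5000, "198.51.100.1", 53),
    (10,   "in",  "192.0.2.10",   5000, "198.51.100.1", 53),    # repeat inside interval
    (15,   "out", "198.51.100.1", 53,   "192.0.2.10",   5000),  # reply: a different four-tuple
    (3600, "in",  "192.0.2.11",   5000, "198.51.100.1", 53),    # new client: new four-tuple
    (7199, "in",  "192.0.2.10",   5000, "198.51.100.1", 53),    # still inside the 2H interval
    (7200, "in",  "192.0.2.10",   5000, "198.51.100.1", 53),    # interval elapsed: audited again
]

if __name__ == "__main__":
    for ts, rec, tup in audited_records("2H", SAMPLE_PACKETS):
        print(f"t={ts:>5}s {rec} {tup}")
```

Running it with "2H" emits four records from six packets; lengthening the interval to "1D" drops the last one, which is the trade-off between audit coverage and record volume that the interval setting controls.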