TCP and UDP auditing

TCP connections, including connections to the Telnet server, and UDP traffic in and out of the system are audited by enabling audit levels *NETSCK, *NETUDP, and *NETTELSVR.

TCP connections

TCP socket connections are audited when audit level *NETSCK is enabled for system-level or user-level auditing. A successful TCP connection that uses sockets produces two types of socket connection audit records, SK-A and SK-C. The SK-A record is created on the server when the accept() call completes successfully. The SK-C record is created on the client when the connect() call completes successfully.

The SK-A and SK-C audit records contain the following information:
  • Address family (IPv4 or IPv6)
  • Local IP address
  • Local port
  • Remote IP address
  • Remote port

Telnet server

Telnet server socket connections are not audited when audit level *NETSCK is enabled. Instead, incoming connections to the Telnet server are audited when audit level *NETTELSVR is enabled in system value QAUDLVL or QAUDLVL2. The audit value *NETTELSVR replaces the System Service Tools (SST) Advanced Analysis command IPCONFIG option skTelnetServerAudit, which was used to configure Telnet server auditing in releases before IBM i 7.3. Consider system configuration and resources before you enable SK auditing for the Telnet server, because a high client connect rate produces a correspondingly high rate of audit record generation.

A successful Telnet connection produces an SK-A record when the Telnet server accepts an incoming connection request. This SK-A record contains the same connection information as the SK-A record for a TCP socket connection.

UDP traffic

UDP socket traffic is audited when audit level *NETUDP is enabled for system-level or user-level auditing. UDP traffic that uses sockets produces two types of audit records, SK-O and SK-I. The SK-O record is created when an outbound UDP packet is sent, and the SK-I record is created when an inbound UDP packet is received.

The SK-I and SK-O audit records contain the following information:
  • Address family (IPv4 or IPv6)
  • Local IP address
  • Local port
  • Remote IP address
  • Remote port

For a UDP endpoint, a new audit record is generated once per UDP audit interval for each unique four-tuple of the packets sent or received; further packets for the same four-tuple within the interval do not produce additional records. The four-tuple consists of the source and destination IP addresses and port numbers. The audit interval for UDP packets defaults to 12 hours and can be configured through IPCONFIG to any value from 1 minute to 30 days. The IPCONFIG option udpAuditInterval sets the interval, expressed in minutes, hours, or days, after which a repeated four-tuple produces a new audit record. The IPCONFIG option -h displays the help panel that describes how to set the UDP audit interval option.

For example, to set the UDP audit interval to 2 hours, use this command:
IPCONFIG -udpAuditInterval:2H
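As an added example, not taken from the IBM documentation or from IPCONFIG itself, the following Python models the suppression rule described above: one SK-I or SK-O record per unique source/destination four-tuple per audit interval, with the interval parsed from a value such as 2H. The <n>M/<n>H/<n>D syntax, the UdpPacket fields, the record layout, and the rule that the interval is measured from the last record written for a tuple are assumptions; the packets are constructed sample data.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

def parse_udp_audit_interval(spec: str) -> timedelta:
    # Syntax <n>M / <n>H / <n>D is assumed; the units and the 1 minute to 30 day range are from the page.
    m = re.fullmatch(r"(\d+)([MHD])", spec.strip().upper())
    if not m:
        raise ValueError(f"bad interval: {spec!r}")
    n, unit = int(m.group(1)), m.group(2)
    delta = {"M": timedelta(minutes=n), "H": timedelta(hours=n), "D": timedelta(days=n)}[unit]
    if not timedelta(minutes=1) <= delta <= timedelta(days=30):
        raise ValueError("interval must be between 1 minute and 30 days")
    return delta

# direction is "in" (received) or "out" (sent); family is "IPv4" or "IPv6" (assumed field set)
UdpPacket = namedtuple("UdpPacket", "ts direction family local_ip local_port remote_ip remote_port")

class UdpAuditor:
    # One SK-I or SK-O record per unique source/destination four-tuple per interval.
    # Assumption: the interval is measured from the last record written for that tuple.
    def __init__(self, interval: timedelta):
        self.interval = interval
        self._last_written = {}  # four-tuple -> timestamp of the last record written

    def observe(self, pkt: UdpPacket):
        if pkt.direction == "in":  # inbound: the remote peer is the source
            entry, key = "SK-I", (pkt.remote_ip, pkt.remote_port, pkt.local_ip, pkt.local_port)
        else:                      # outbound: the local endpoint is the source
            entry, key = "SK-O", (pkt.local_ip, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        last = self._last_written.get(key)
        if last is not None and pkt.ts - last < self.interval:
            return None            # same four-tuple inside the interval: no new record
        self._last_written[key] = pkt.ts
        return {"type": entry, "family": pkt.family, "local": (pkt.local_ip, pkt.local_port),
                "remote": (pkt.remote_ip, pkt.remote_port), "time": pkt.ts}

def audit_udp_stream(packets, interval_spec: str) -> list:
    auditor = UdpAuditor(parse_udp_audit_interval(interval_spec))
    return [rec for rec in map(auditor.observe, packets) if rec is not None]

def demo() -> list:
    # Constructed sample: one DNS-style exchange repeated over a morning, audited with a 2H interval.
    t0 = datetime(2024, 1, 1, 8, 0)
    flow = ("IPv4", "198.51.100.10", 40000, "192.0.2.53", 53)
    packets = [UdpPacket(t0, "out", *flow), UdpPacket(t0 + timedelta(seconds=1), "in", *flow),
               UdpPacket(t0 + timedelta(minutes=30), "out", *flow),
               UdpPacket(t0 + timedelta(minutes=90), "out", *flow),
               UdpPacket(t0 + timedelta(hours=3), "out", *flow)]
    return audit_udp_stream(packets, "2H")
```

Five packets on the same flow yield three records: the first outbound packet, the inbound reply (a different source/destination tuple), and the outbound packet three hours later, once the 2H interval has elapsed.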