IBM Support

Setting Up Security Auditing

Troubleshooting


Problem

This document explains how to set up security auditing.

Resolving The Problem

To set up security auditing, do the following:

Note: To set up auditing, *AUDIT special authority is required.
1. To create a journal receiver in a library of your choice, on the operating system command line, type the following:

Note: This example uses the JRNLIB library for journal receivers.

CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) THRESHOLD(5000) +
AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')


Press the Enter key. Put the journal receiver in a library that is saved regularly. Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is also useful if you have the system manage changing your journal receivers. Specify a receiver threshold appropriate to your system size and activity. The size you specify should be based on the number of transactions on your system and the number of actions you audit. If you use system change-journal management support, the journal receiver threshold must be at least 5,000KB. For more information on journal receiver threshold, refer to the Backup and Recovery manual. Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal.
2. To create the QSYS/QAUDJRN journal, on the operating system command line, type the following:

CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(JRNLIB/AUDRCV0001) +
MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Auditing Journal')


The name QSYS/QAUDJRN must be used. Specify the name of the journal receiver you created in the previous step. Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal. You must have authority to add objects to QSYS to create the journal. Use the Manage receiver (MNGRCV) parameter on the CRTJRN command to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified when the journal receiver was created. If you choose this option, you do not have to use the CHGJRN command to detach receivers and create and attach new receivers manually. Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail. Ensure that they are adequately saved before deleting them from the system.

The Backup and Recovery manual provides more information about working with journals and journal receivers.
3. Set the audit level (QAUDLVL) system value using the WRKSYSVAL command. The QAUDLVL system value determines which actions are logged to the audit journal for all users on the system. See Planning the Auditing of Actions in Chapter 9 of the Security Reference manual.
4. Set action auditing for individual users, if necessary, using the CHGUSRAUD command. See Planning the Auditing of Actions in Chapter 9 of the Security Reference manual.
5. Set object auditing for specific objects if necessary using the CHGOBJAUD and CHGDLOAUD commands. If you have IFS objects, you can use the CHGAUD command. See Planning the Auditing of Object Access in Chapter 9 of the Security Reference manual.
6. Set object auditing for specific users if necessary using the CHGUSRAUD command.
7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal. See Audit End Action in Chapter 9 of the Security Reference manual.
8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage. See Preventing Loss of Auditing Information in Chapter 9 of the Security Reference manual.
9. Start auditing by setting the QAUDCTL system value to a value other than *NONE.

The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL system value to a value other than *NONE. When you start auditing, the system attempts to write a record to the audit journal. If the attempt is not successful, you receive a message and auditing does not start.
Note: The Change Security Auditing (CHGSECAUD) command can be used to perform Steps 1, 2, 3 and 9 shown above. The same function is available from the SECTOOLS menu using Option 10.

Security Reference

[{"Type":"MASTER","Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"6.1.0"}]

Historical Number

4300805

Document Information

Modified date:
15 September 2020

UID

nas8N1014712