IBM Support

Security Level 40 Testing - QSECURITY

Question & Answer


Question

How to use the Security Audit Journal to test for Security Level 40. 

Answer

According to the Security Reference manual, before moving from security level 30 to security level 40, you should turn on security auditing to find any trouble spots. This document describes how to turn on auditing and how to analyze the results.

Chapter 2 of the Security Reference manual suggests paying particular attention to the following Authority Failure (AF) violation types:
  • B Restricted (blocked) instruction violation
  • C Object validation failure
  • D Unsupported interface (domain) violation
  • J Job-description and user-profile authorization failure
  • R Attempt to access protected area of disk (enhanced hardware storage protection)
  • S Default sign-on attempt
These codes indicate the presence of integrity exposures in your applications. At security level 40, the programs that produce them fail.

Steps

First, verify that the QAUDJRN journal exists and that you are auditing Authority Failure and Program Failure operations. Use the DSPSECAUD command and make sure the following settings are shown for your system:

  Security journal QAUDJRN exists . . . . . . :  YES
  Current QAUDCTL system value  . . . . . . . :  *AUDLVL
  Current QAUDLVL system value  . . . . . . . :  *AUTFAIL *PGMFAIL

If they are not listed, use the CHGSECAUD command to add them to your system. The QAUDLVL values *AUTFAIL and *PGMFAIL track the authority failures that can cause your applications to fail at security level 40.
NOTE: This SQL sample uses the AUDIT_JOURNAL_AF table function, which is available only on releases 7.3, 7.4 and 7.5. For older releases, refer to the link at the bottom of this document.
NOTE 2: The SQL table function requires the following PTFs:
  • R750: Base, Enhanced: SF99950 Level 3
  • R740: SF99704 Level 13, Enhanced: SF99704 Level 23
  • R730: SF99703 Level 24, Enhanced: SF99703 Level 26
Using the Run SQL Scripts tool, run the following SQL statement:
-- Authority Failure (AF) audit entries from the last 7 days
SELECT ENTRY_TIMESTAMP,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       VIOLATION_TYPE,
       VIOLATION_TYPE_DETAIL,
       OBJECT_LIBRARY,
       OBJECT_NAME,
       OBJECT_TYPE,
       PROGRAM_NAME,
       PROGRAM_LIBRARY,
       VALIDATION_ERROR_ACTION
    FROM TABLE (
            SYSTOOLS.AUDIT_JOURNAL_AF(STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS)
        )
    -- Only the violation types that indicate security level 40 integrity exposures
    WHERE VIOLATION_TYPE IN ('B', 'D', 'C', 'J', 'R', 'S');
Note 1: Adjust the STARTING_TIMESTAMP in the query (here, the last 7 days) to cover the period you want to examine.
Based on the entries in the audit journal, take steps to correct your applications and prevent program failures.
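The query above lists every matching entry. When the journal holds many entries, a summary by violation type and failing program shows which applications to fix first. The following statement is an added example and is not part of the IBM document; it assumes the same SYSTOOLS.AUDIT_JOURNAL_AF table function and column names used above, the 30-day window is an arbitrary choice, and the descriptions in the CASE expression are taken from the list of AF violation types earlier in this document.

```sql
-- Added example (not from the IBM document): summarize AF entries by
-- violation type and program so the most frequent exposures are fixed first.
-- Assumes SYSTOOLS.AUDIT_JOURNAL_AF with the columns used in the query above.
SELECT VIOLATION_TYPE,
       CASE VIOLATION_TYPE
           WHEN 'B' THEN 'Restricted (blocked) instruction violation'
           WHEN 'C' THEN 'Object validation failure'
           WHEN 'D' THEN 'Unsupported interface (domain) violation'
           WHEN 'J' THEN 'Job-description and user-profile authorization failure'
           WHEN 'R' THEN 'Attempt to access protected area of disk'
           WHEN 'S' THEN 'Default sign-on attempt'
       END                      AS VIOLATION_DESCRIPTION,
       PROGRAM_LIBRARY,
       PROGRAM_NAME,
       COUNT(*)                 AS OCCURRENCES,      -- how often this program fails
       COUNT(DISTINCT JOB_USER) AS DISTINCT_USERS,   -- how many users are affected
       MIN(ENTRY_TIMESTAMP)     AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP)     AS LAST_SEEN
    FROM TABLE (
            -- 30-day window is an assumption; widen it to cover a full business cycle
            SYSTOOLS.AUDIT_JOURNAL_AF(STARTING_TIMESTAMP => CURRENT TIMESTAMP - 30 DAYS)
        )
    WHERE VIOLATION_TYPE IN ('B', 'C', 'D', 'J', 'R', 'S')
    GROUP BY VIOLATION_TYPE, PROGRAM_LIBRARY, PROGRAM_NAME
    ORDER BY OCCURRENCES DESC, LAST_SEEN DESC;
```

Run it in the Run SQL Scripts tool in the same way as the detail query. A program that appears with many occurrences and many distinct users is one that will stop working for most of its users as soon as QSECURITY is raised to 40, so it belongs at the top of the remediation list; once a program is corrected, re-run the query and confirm its LAST_SEEN timestamp no longer advances.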
Additional Information:
For older releases refer to:  
Authorization: To run the AUDIT_JOURNAL_AF table function, the caller must have:
  • *USE authority to the audit journal and to all requested journal receivers, and
  • *OBJEXIST authority to the audit journal


Document Information

Modified date:
21 September 2023

UID

ibm16965236