    Admin Alert: Getting Started with i/OS Security Auditing, Part 2

    October 6, 2010 Joe Hertvik

    Last month, I discussed how to configure security auditing in an i/OS V5R4Mx environment. This issue, I’ll look at the other side of the equation and discuss what you can do with your security auditing data once you have it. I’ll look at some of the reporting facilities available on the system and how to take advantage of them.

    Before Getting Started

    If you’re just getting started, you may want to review part 1 of this series to make sure your iSeries, System i, or Power i box is configured correctly for security auditing. The techniques I’m presenting here will not work without having your basic security auditing configuration in place.

    Three Ways To Retrieve Information

    For i/OS V5R4Mx users, there are three ways to look at your security auditing data.

    1. Use the Display Audit Journal Entry (DSPAUDJRNE) command.
    2. Use the Display Journal (DSPJRN) command.
    3. Use the Copy Audit Journal Entry command (CPYAUDJRNE) to extract the data into output files that can be queried.

    All three commands have pros and cons. But before we look at the commands, let’s first talk about what we’re looking for.

    The Raw Data

    One difference between two of the audit retrieval commands is the set of journal entry types they support. To examine audit data, you need to thin out all the auditing data the operating system has gathered and look only at the specific journal entries that tell you what you need to know.

    i/OS journal entries are defined by a one-digit journal code and a two-digit journal type. For journaling, IBM defines hundreds of journal types under 16 different journal codes. You can find a list of all the different journal types in i/OS by looking at the Journal entries by code and type page in the i5/OS V5R4 Information Center. Fortunately, if you’re auditing system security, you only need to examine the journal code T (Audit Trail Entries) journal entries. Here is a list of some of the more common journal code T entries you may want to audit for.

    AF   All authority failures
    CP   Create, change, restore user profiles
    CV   Connection verification
    DS   DST security officer password reset
    IM   Intrusion monitor
    JD   Changes to the USER parameter of a job description
    NA   Changes to i/OS network attributes
    ND   Directory search violations
    OR   Object restored
    OW   Changes to object ownership
    PA   Changes to programs that will now adopt the owner’s authority
    PW   Passwords used that are not valid
    RA   Restore of objects when authority changes
    RJ   Restore of job descriptions that contain user profile names
    RO   Restore of objects where ownership information changes
    RP   Restore of programs that adopt their owner’s authority
    RU   Restore of authority for user profiles
    SD   A change was made to the System Directory
    SV   Changes to system values
    VA   Changes to access control lists
    VC   Connections started or ended
    VN   A logon or logoff operation on the network
    YC   A change was made to DLO change access
    ZC   A change was made to object change access

    Again, for a complete list of all journal code and journal type entries, see IBM’s list. Here’s how the different Audit commands stack up when you want to extract information from code T entries in your audit journal.

    DSPAUDJRNE

    Display Audit Journal Entry (DSPAUDJRNE) is an older i/OS and OS/400 command. Unfortunately, DSPAUDJRNE’s age and IBM’s operating system plans are working against it. First, IBM stopped producing enhancements to DSPAUDJRNE after V5R4Mx. Second, DSPAUDJRNE does not support all of the available security entries, as the other two options do. Finally, the command doesn’t list all the fields for the entries that it does support. All of these facts point toward using DSPAUDJRNE only in legacy situations. If you’re just getting started with i/OS Security Auditing, you may be better off using the DSPJRN or CPYAUDJRNE commands described below.

    Using DSPAUDJRNE is easy. Simply type in DSPAUDJRNE on a command line and press F4 to prompt for its parameters. You’ll see a screen that looks like the following.

    DSPAUDJRNE’s parameters are few but adequate. You can choose to audit for 1-30 different journal code T audit entries, you can specify which journal receiver to extract the entries from, and you can specify the date and time to pull the journal entries for. For output, DSPAUDJRNE only prints the designated entries to a spooled file or displays them to the user’s screen, another drawback when compared against the other two commands. Overall, while DSPAUDJRNE does a fair job in extracting and processing auditing journal entries, it is definitely the lesser of the three commands.

    DSPJRN

    In contrast, DSPJRN, the Display Journal command, provides many more capabilities than DSPAUDJRNE. Perhaps because DSPJRN is geared toward retrieving records for any journal code, not just journal code T entries, it provides a number of different retrieval options. These options include:

    • Retrieve journal entries for specific files and objects, including an omit feature for telling DSPJRN which objects should be omitted from the output.
    • Name pattern matches for data to be returned.
    • Designate a specific number of journal entries to be returned with the output.
    • Specify which one-digit journal codes DSPJRN should return entries for (A, B, T, etc.). Unlike DSPAUDJRNE and CPYAUDJRNE, DSPJRN returns all the journal entries for a specific journal code; there is no option to pull only one or two journal entry types.
    • Specify journal entries to be retrieved for a specific job name or program.
    • Output the results to the display, a printer, or to an output file for use in another program.

    Like DSPAUDJRNE, DSPJRN is easy to use. Simply type DSPJRN on the command line and press F4 to prompt for its selection parameters. On the following screen, enter the system audit journal name (QAUDJRN) in the Journal name parameter (JRN) and then fill in the selection parameters to use when extracting the data.

    CPYAUDJRNE

    The Copy Audit Journal command, CPYAUDJRNE, was first introduced in i/OS V5R4Mx. CPYAUDJRNE is a charged-up version of DSPAUDJRNE that provides some significant advantages over DSPAUDJRNE. Like DSPAUDJRNE, CPYAUDJRNE only processes journal code T journal entries and it allows you to extract entries from specific journal receivers and for specific date ranges. You can also select entries that were generated by a specific user profile.

    Unlike DSPAUDJRNE, CPYAUDJRNE only outputs extracted data to an output file. It has no options for displaying data on the screen or to a spooled file. CPYAUDJRNE can also extract any or all of the journal code T entries, whereas DSPAUDJRNE can only extract the list of 30 entries that were present in earlier versions of i/OS and OS/400.

    To run Copy Audit Journal, type in the CPYAUDJRNE command and press F4 to prompt for its parameters. You’ll see a screen that looks something like this:

    Fill in the parameters you want to use and press ENTER to create your extract file. Generally, CPYAUDJRNE does all the things that DSPAUDJRNE does, only better and to an output file. The biggest disappointment with CPYAUDJRNE is that it doesn’t contain any of the broad selection parameters that are available in DSPJRN. Combining the two commands would have made for a really nice green-screen extraction tool. I guess IBM figures that if CPYAUDJRNE gives you the extraction, your analysis program can handle selecting the records that you want to see.
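    As an added illustration of that "analysis program" step (this is not code from the article), here is a small Python routine that thins a DSPJRN-style extract down to the journal code T entry types you chose and tallies them per user. The field names JOCODE, JOENTT, JOUSER, JOJOB and JOTIME follow the DSPJRN output-file layout but are assumptions here, and the records are constructed sample data.

```python
from collections import Counter

# Journal code T entry types singled out for review. The descriptions
# are the article's; which types to keep is an assumption for this example.
AUDIT_TYPES = {
    "AF": "authority failure",
    "CP": "user profile created/changed/restored",
    "PW": "password not valid",
    "SV": "system value changed",
    "PA": "program now adopts owner authority",
}

# Constructed sample of DSPJRN OUTFILE records. Field names are assumed to
# follow the DSPJRN output-file layout; all values are made up.
SAMPLE_RECORDS = [
    {"JOCODE": "T", "JOENTT": "PW", "JOUSER": "QUSER",    "JOJOB": "QPADEV0001", "JOTIME": "081501"},
    {"JOCODE": "T", "JOENTT": "PW", "JOUSER": "QUSER",    "JOJOB": "QPADEV0001", "JOTIME": "081507"},
    {"JOCODE": "T", "JOENTT": "PW", "JOUSER": "QUSER",    "JOJOB": "QPADEV0001", "JOTIME": "081512"},
    {"JOCODE": "T", "JOENTT": "AF", "JOUSER": "JSMITH",   "JOJOB": "QPADEV0002", "JOTIME": "090033"},
    {"JOCODE": "T", "JOENTT": "SV", "JOUSER": "QSECOFR",  "JOJOB": "QPADEV0003", "JOTIME": "101500"},
    {"JOCODE": "T", "JOENTT": "ZC", "JOUSER": "JSMITH",   "JOJOB": "QPADEV0002", "JOTIME": "101522"},
    {"JOCODE": "R", "JOENTT": "PT", "JOUSER": "BATCHUSR", "JOJOB": "NIGHTLY",    "JOTIME": "020000"},
]

def select_audit_entries(records, wanted=AUDIT_TYPES):
    """Keep only journal code T entries whose type is in the chosen set."""
    return [r for r in records if r["JOCODE"] == "T" and r["JOENTT"] in wanted]

def count_by_type_and_user(records):
    """Tally selected entries per (entry type, job user)."""
    return Counter((r["JOENTT"], r["JOUSER"]) for r in records)

def repeated_password_failures(records, threshold=3):
    """Job users with at least `threshold` PW entries in the extract.

    JOUSER is the user of the job that wrote the entry; the profile named in
    the failed sign-on sits in the entry-specific data, which is not parsed here.
    """
    counts = Counter(r["JOUSER"] for r in records if r["JOENTT"] == "PW")
    return sorted(u for u, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    selected = select_audit_entries(SAMPLE_RECORDS)
    for (enttyp, user), n in sorted(count_by_type_and_user(selected).items()):
        print(f"{enttyp} {AUDIT_TYPES[enttyp]:40} {user:10} {n}")
    print("repeated PW failures:", repeated_password_failures(selected))
```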

    You Extract What You Ask For

    While not perfect, these tools can help you better understand some of the security issues on your partition. Give them a try and see if they can help you better understand what’s going on with your system.

    RELATED STORY

    Getting Started with i/OS Security Auditing, Part 1

Volume 10, Number 30 -- October 6, 2010