
Auditing the Security Officer's Actions

You may want to keep a record of all actions performed by users with *ALLOBJ and *SECADM special authority. You can use the action auditing value in the user profile to do this:

1. For each user with *ALLOBJ and *SECADM special authority, use the CHGUSRAUD command to set the AUDLVL to have all values that are not included in the QAUDLVL or QAUDLVL2 system values on your system. For example, if the QAUDLVL system value is set to *AUTFAIL, *PGMFAIL, *PRTDTA, and *SECURITY, use this command to set the AUDLVL for a security officer user profile:

       CHGUSRAUD USER(SECUSER) AUDLVL(*CMD *CREATE *DELETE +
                 *OBJMGT *OFCSRV *PGMADP +
                 *SAVRST *SERVICE +
                 *SPLFDTA *SYSMGT)

   Note: Table 125 on page 229 shows all the possible values for action auditing.

2. Remove the *AUDIT special authority from user profiles with *ALLOBJ and *SECADM special authority. This prevents these users from changing the auditing characteristics of their own profiles.

   Note: You cannot remove special authorities from the QSECOFR profile. Therefore, you cannot prevent a user signed on as QSECOFR from changing the auditing characteristics of that profile. However, if a user signed on as QSECOFR uses the CHGUSRAUD command to change auditing characteristics, an AD entry type is written to the audit journal. It is recommended that security officers (users with *ALLOBJ or *SECADM special authority) use their own profiles for better auditing. The password for the QSECOFR profile should not be distributed.

3. Make sure the QAUDCTL system value includes *AUDLVL.

4. Use the DSPJRN command to review the entries in the audit journal, as described in "Analyzing Audit Journal Entries with Query or a Program" on page 255.

Analyzing Audit Journal Entries with Query or a Program

Overview:
Purpose:   Display or print selected information from journal entries.
How To:    DSPJRN OUTPUT(*OUTFILE), Create query or program, or Run query or program
Authority: *USE authority to QSYS/QAUDJRN, *USE authority to journal receiver, or *ADD authority to library for output file

You can use the Display Journal (DSPJRN) command to write selected entries from the audit journal receivers to an output file. You can use a program or a query to view the information in the output file.

For the output parameter of the DSPJRN command, specify *OUTFILE. You see additional parameters prompting you for information about the output file.

All security-related entries in the audit journal contain the same heading information, such as the entry type, the date of the entry, and the job that caused the entry. The QADSPJR5 file (with record format QJORDJE5) is provided to define these fields when you specify *TYPE5 as the outfile format parameter. See Table 152 on page 489 for more information. For more information on other records and their outfile formats, see Appendix F.

If you want to perform a detailed analysis of a particular entry type, use one of the model database outfiles provided. For example, to create an output file called AUDJRNAF in QGPL that includes only authority failure entries:

1. Create an empty output file with the format defined for AF journal entries:

       CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) +
                 OBJTYPE(*FILE) TOLIB(QGPL) NEWOBJ(AUDJRNAF5)

2. Use the DSPJRN command to write selected journal entries to the output file:

       DSPJRN JRN(QAUDJRN) ... +
              JRNCDE(T) ENTTYP(AF) OUTPUT(*OUTFILE) +
              OUTFILFMT(*TYPE5) OUTFILE(QGPL/AUDJRNAF5)

3. Use Query or a program to analyze the information in the AUDJRNAF file.

Table 126 on page 233 shows the name of the model database outfile for each entry type. Appendix F shows the file layouts for each model database outfile.

Following are a few examples of how you might use QAUDJRN information:

• If you suspect someone is trying to break into your system:
  1. Make sure the QAUDLVL system value includes *AUTFAIL.
  2. Use the CRTDUPOBJ command to create an empty output file with the QASYPWJ5 format.
  3. A PW type journal entry is logged when someone enters an incorrect user ID or password on the Sign On display. Use the DSPJRN command to write PW type journal entries to the output file.
  4. Create a query program that displays or prints the date, time, and workstation for each journal entry. This information should help you determine where and when the attempts are occurring.

• If you want to test the resource security you have defined for a new application:
  1. Make sure the QAUDLVL system value includes *AUTFAIL.
  2. Run application tests with different user IDs.
  3. Use the CRTDUPOBJ command to create an empty output file with the QASYAFJ5 format.
  4. Use the DSPJRN command to write AF type journal entries to the output file.
  5. Create a query program that displays or prints information about the object, job, and user. This information should help you determine which users and application functions are causing authority failures.

• If you are planning a migration to security level 40:
  1. Make sure the QAUDLVL system value includes *PGMFAIL and *AUTFAIL.
  2. Use the CRTDUPOBJ command to create an empty output file with the QASYAFJ5 format.
  3. Use the DSPJRN command to write AF type journal entries to the output file.
  4. Create a query program that selects the type of violations you are experiencing during your test and prints information about the job and program that causes each entry.
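
The program in step 4 of the first scenario (where and when incorrect sign-on attempts occur) can be sketched as follows. This is an added example, not part of the original manual: it assumes the PW entries in the output file have been exported to CSV, and the column names, the 10-minute window, the threshold, and the sample rows are all constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of PW entries. The column names are hypothetical
# labels for the export, not field names from the QASYPWJ5 model outfile.
SAMPLE_CSV = """timestamp,workstation,user_entered
2024-03-04 02:10:05,DSP07,QSECOFR
2024-03-04 02:11:40,DSP07,QSECOFR
2024-03-04 02:13:02,DSP07,QSYSOPR
2024-03-04 02:15:59,DSP07,QSECOFR
2024-03-04 09:00:12,DSP07,JSMITH
2024-03-04 09:01:30,DSP02,MJONES
2024-03-04 14:30:00,DSP02,MJONES
2024-03-04 11:00:00,QPADEV0003,ADMIN
2024-03-04 11:12:00,QPADEV0003,ADMIN
2024-03-04 11:25:00,QPADEV0003,ADMIN
"""

def load_entries(text):
    """Parse the export into (timestamp, workstation, user) tuples."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(datetime.strptime(r["timestamp"], fmt),
             r["workstation"].strip(), r["user_entered"].strip())
            for r in csv.DictReader(io.StringIO(text))]

def find_bursts(entries, threshold=3, window=timedelta(minutes=10)):
    """Report, per workstation, the densest run of failed sign-ons that fits
    inside `window`, if it reaches `threshold` entries."""
    by_ws = defaultdict(list)
    for ts, ws, user in entries:
        by_ws[ws].append((ts, user))
    report = {}
    for ws, hits in by_ws.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):
            # Slide the left edge until the run fits in the window again.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            report[ws] = {"count": count, "first": hits[s][0],
                          "last": hits[e][0],
                          "users": sorted({u for _, u in hits[s:e + 1]})}
    return report

if __name__ == "__main__":
    for ws, info in find_bursts(load_entries(SAMPLE_CSV)).items():
        print(ws, info["count"], info["first"], info["last"], info["users"])
```

Isolated mistyped passwords (DSP02) and slow, spread-out failures (QPADEV0003) stay below the threshold; only the workstation with a dense run of attempts is reported, together with the user IDs that were tried.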
