Security Auditing Level
Importance: High
Purpose: This system value determines which important system events are audited. The recommended settings will provide a fairly complete view of important system events that are worthy of tracking.
This view is invaluable during the course of an investigation of events gone awry. Setting these audit values on will raise the level of confidence that you can track a problem to it's original source. A complete discussion of the merits of auditing to the security audit journal is provided in the common sense auditing section.
PowerTech recommends setting this value to include all of the settings marked HIGH in the table below:
|
*AUTFAIL |
HIGH |
Log Authority failures |
|
*DELETE |
HIGH |
Log deletion of objects |
|
*OBJMGT |
HIGH |
Log object management changes |
|
*SYSMGT |
HIGH |
Log changes to certain system management areas |
|
*SAVRST |
HIGH |
Log restore actions to security sensitive objects |
|
*SECURITY |
HIGH |
Log security related changes |
|
*SERVICE |
HIGH |
Log usage of the system and hardware service tools |
|
*PGMFAIL |
HIGH |
Log Program failures caused by security violations |
|
*CREATE |
MEDIUM |
Log creation of new objects |
|
*JOBDTA |
MEDIUM |
Log job events such as start and stop |
|
*PGMADP |
MEDIUM |
Log usage of programs that adopt authority |
|
*NETCMN |
LOW |
Log APPN firewall events |
|
*OFCSRV |
LOW |
Log Office Vision/400 security changes |
|
*OPTICAL |
LOW |
Log usage of optical storage devices |
|
*PRTDTA |
LOW |
Log printing functions |
|
*SPLFDTA |
LOW |
Log usage of spooled files (reports) |
If QAUDCTL is set to *NONE, the values of QAUDLVL are not significant since the system will not audit any activity.
Note: QAUDLVL2 was introduced in V5R3. It allows for more granular control of the security and network communications settings.
QAUDLVL and its V5R3 tagalong, QAUDLVL2, describe what kinds of events are to be audited on your system if *AUDLVL is set in the QAUDCTL system value just described. These values are shipped as *NONE, but it is strongly recommended that you turn on some of these parameters in order to create a permanent security audit log.
Prior to V5R3, only QAUDLVL existed, and the minimum recommended set of parameters were *AUTFAIL, *DELETE, *OBJMGT, *PGMFAIL, *SAVRST, *SECURITY, *SERVICE, and *SYSMGT. This group of values provided important information about the behavior of users and applications, without inundating you with non-valuable data. But in V5R3 and after, IBM went a step above and beyond. IBM not only added some new auditing parameters, such as V5R4's Attention Events (*ATNEVT), but also separated some transaction types out of overburdened values, such as *NETCMN and *SECURITY. The *SECURITY parameter, for example, allows you to get more granular when describing what kinds of security data you want to log, including security configurations (*SECCFG), security runtime actions (*SECRUN), and inter-process communications (*SECIPC). These welcome additions trim the amount of audit data to that which is most important.
Keep in mind that if you want to use the QAUDLVL2 system value to store the names of parameter options, you have to make QAUDLVL2 one of the QAUDLVL parameter options.
Risks and Concerns: System Auditing will cause many entries to be logged to the journal QAUDJRN. It is important that the journal receivers that are attached to this journal be saved to tape and deleted or freed on a regular basis.
|
*PGMADP via the QAUDLVL system value While we believe that the adoption of authority
can be a security issue, we also feel program adoption is |