Once you have your security auditing properly configured, the system starts writing entries to the QAUDJRN journal. So how do you view the data you've collected to see who's doing what? There are two ways to view this data.
The first method is cumbersome and therefore not recommended:
From the AS/400 command line enter the command DSPAUDJRNE (Display Audit Journal) to view the journal entries:
DSPAUDJRNE ENTTYP(AF) OUTPUT(*)
Note: The ENTTYP parameter indicates the type of information you want to view. In the example above, we indicated the entry type as "AF," which displays authority failures. Using the DSPAUDJRNE command is a challenge because you need to know what journal entry types you want to view.
A much simpler approach (and the recommended method) is to use the predefined 'Log File' reports available in PowerTech's Compliance Monitor to review the entries in the journal. Compliance Monitor 'Log File' reports provide easy audit journal reporting - you don't need to know what journal entry type you want to view. Simply select a predefined 'Log File' report from the 'Report Groups' view (shown below).

Each 'Log File' report contains the following data fields (report columns):
1) A common set of data fields that is included in every journal entry type:
The following table lists the data fields that are common to all journal entry types. The program and job parameters refer to the programs and jobs that generated the audit entry. The abbreviation JE refers to Journal Entry.
| Data Field | Description |
|---|---|
| ESD Formatted | Entry specific data (Formatted by separating the parsed fields by a \|) |
| ESD Unformatted | Entry specific data (unformatted) |
| Jrn Code | Journal Code. This is T for audit trail events and U for user defined events (typically PowerTech products) |
| JE PGM Lib | Program Library Name |
| JE Program | Program name |
| JE Type | A two letter code that defines the entry type |
| System | System name on which the entry was recorded |
| Timestamp | Unformatted time stamp of the journal entry |
| JE Current User | Current user profile |
| JE Job Name | Job name |
| JE Job User | Job user name |
| JE Job Nbr | Job number |
| Entry Description | A plain English summary of the journal entry. This is most useful for including on summary reports. |
2) Each 'Log File' report also contains different data fields that are obtained by parsing the entry specific data, which is the diverse information contained in each audit journal entry type.
The data fields (report columns) found in the 'Log File' reports are consistent with IBM Audit Journal Entries. For a detailed description of the journal entries and their descriptions, refer to the IBM Security Reference Publication (Appendix F).
Some of the more commonly used predefined Log File reports available in Compliance Monitor are detailed in the 'Audited Command Strings', 'Combined PowerTech Authority Broker Reports', 'Combined PowerTech Network Security Reports', 'System Value Changes', 'User Password Failures', and 'User Profile Changes' sections in this Guide.
Security events and a listing of all Compliance Monitor 'Log File' reports are compiled in the following two tables for your convenience and reference. The 'Security Events' table (which includes Authority Broker and Network Security events) lists common security events by entry type, Compliance Monitor report, code and description. The Compliance Monitor Log File Reports table provides a complete listing of all available Compliance Monitor Log File reports.
Security Events

| Entry Type | Compliance Monitor Report(s) | QAUDLVL | Entry Type Description |
|---|---|---|---|
| AD | Combined System Actions; Object Auditing Changes | *SECURITY | Auditing changes |
| AF | Authority Failures; Combined Authority Actions | *AUTFAIL | Authority failure |
| AP | Combined Authority Actions; Obtaining Adoptive Authorities | *PGMADP | Obtaining adopted authority |
| AU | Attribute Changes; Combined System Actions | *SECURITY | Attribute changes |
| CA | Combined Authority Actions | *SECURITY | Authority changes |
| CD | Audited Command Strings | *CREATE | Command string audit |
| CO | Combined Object Actions; Objects Created | *CREATE | Create object |
| CP | Combined Profile Actions; User Profile Changes | *SECURITY | User profile changed, created, or restored |
| DO | Combined Object Actions | *DELETE | Delete object |
| DS | Combined Profile Actions; Combined System Actions; Service Tools User Profile Resets | *SECURITY | DST security password reset |
| JD | Combined Authority Actions | *JOBDTA | Change to user parameter of a job description |
| JS | Job Description Changes | *JOBDTA | Actions that affect jobs |
| NA | Combined Network Actions; Combined System Actions; Network Attribute Changes | *NETCMN | Network attribute changed |
| OM | Combined Object Actions; Object Management Changes | *OBJMGT | Object move or rename |
| OR | Combined Object Actions; Restored Object Ownership Changes; Restored Objects | *OBJMGT | Object restore |
| OW | Combined Authority Actions; Combined Object Actions; Object Ownership Changes | *SECURITY | Object ownership changed |
| PA | Combined Authority Actions; Programs Changed to Adopt Authority | *PGMADP | Program changed to adopt authority |
| PO | Printer Outputs | *PRTDTA | Printed output |
| PS | Combined Profile Actions; Profile Swap Actions | *SECURITY | Profile swap |
| PW | Combined Authority Actions; Combined Profile Actions; User/Password Failures | *AUTFAIL | Invalid password |
| SE | Combined Authority Actions; Subsystem Routing Entry Changes | *SECURITY | Subsystem routing entry changed |
| SF | Actions to Spooled Files | *SPLFDTA | Actions to spooled files |
| SM | Combined System Actions; System Management Changes | *SECURITY | System management changes |
| ST | Combined System Actions; Service Tools Used | *SERVICE | Use of service tools |
| SV | Combined Authority Actions; Combined System Actions; System Value Changes | *SYSMGT | System value changed |
| VL | Combined System Actions; Network Server Validation Errors | *AUTFAIL | Account limit exceeded |
| VP | Combined Network Actions; Network Password Errors | *AUTFAIL | Network password error |
| YC | Combined Object Actions; Document Library Object (DLO) Changes | *SECURITY | DLO object accessed (change) |
| YR | Combined Object Actions; Document Library Object (DLO) Changes | *SECURITY | DLO object accessed (read) |
| ZC | Combined Object Actions | *OBJMGT | Object accessed (change) |
| ZR | Combined Object Actions; Object Reads | *OBJMGT | Object accessed (read) |
Authority Broker Security Events

| Entry Type | Compliance Monitor Report | QAUDLVL | Entry Type Description |
|---|---|---|---|
| BG | AB Profile Swap started; Combined Profile Actions | Authority Broker | Authority Broker Events |
| BH | AB Begin Profile Switch Additional Information | Authority Broker | Authority Broker Events |
| EN | AB Profile Swap Ended; Combined Profile Actions | Authority Broker | Authority Broker Events |
| ER | AB Profile Swap erred; Combined Profile Actions | Authority Broker | Authority Broker Events |
| FC | AB Switch Attempt Failed FireCall Assigned | Authority Broker | Authority Broker Events |
| FL | AB Profile Failed; Combined Profile Actions | Authority Broker | Authority Broker Events |
Network Security Events

| Entry Type | Compliance Monitor Report | QAUDLVL | Entry Type Description |
|---|---|---|---|
| NA | NS Transaction Accepted | Network Security | Network Security Events |
| NR | NS Transaction Rejected | Network Security | Network Security Events |
| NF | NS Transaction Failure | Network Security | Network Security Events |
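
The common data fields are enough to triage entries outside the report viewer. The following Python example is added here and is not PowerTech or IBM code; it assumes a Log File report exported as CSV with the column names from the data field table, and the sample rows, user names and ESD contents are constructed. It keys every entry on Jrn Code plus JE Type, because NA is "Network attribute changed" under T and "NS transaction accepted" under U.

```python
import csv
import io
from collections import Counter

# Event names copied from the page's tables, keyed by (Jrn Code, JE Type).
# JE Type alone is ambiguous: NA is a different event under T and under U.
EVENTS = {
    ("T", "AF"): "Authority failure",
    ("T", "PW"): "Invalid password",
    ("T", "NA"): "Network attribute changed",
    ("U", "NA"): "NS transaction accepted",
    ("U", "NR"): "NS transaction rejected",
    ("U", "FL"): "AB Profile Swap failed",
}
# Keys this example counts as failed or denied attempts.
FAILURES = {("T", "AF"), ("T", "PW"), ("U", "NR"), ("U", "FL")}

# Constructed sample rows. Assumption: CSV export whose headers are the page's
# column names; ESD contents are placeholders, and T:ZZ is a made-up type.
SAMPLE = """\
Jrn Code,JE Type,Timestamp,JE Current User,JE Job Name,ESD Formatted
T,PW,2024-01-01-09.00.01,JSMITH,QPADEV0001,f1|f2|f3
T,PW,2024-01-01-09.00.05,JSMITH,QPADEV0001,f1|f2|f3
T,AF,2024-01-01-09.01.10,JSMITH,QPADEV0001,f1|f2|f3|f4
T,NA,2024-01-01-09.02.00,SYSADMIN,QPADEV0002,f1|f2
U,NA,2024-01-01-09.02.30,APPUSER,SRVJOB01,f1|f2|f3
U,NR,2024-01-01-09.03.00,APPUSER,SRVJOB01,f1|f2|f3
T,ZZ,2024-01-01-09.04.00,APPUSER,SRVJOB01,f1
"""


def parse_rows(text):
    """Return one dict per row with the event name and the ESD split on '|'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        key = (rec["Jrn Code"].strip().upper(), rec["JE Type"].strip().upper())
        rows.append({
            "key": key,
            "event": EVENTS.get(key, "unmapped entry type"),
            "user": rec["JE Current User"].strip(),
            "esd": rec["ESD Formatted"].split("|"),
        })
    return rows


def failures_by_user(rows, threshold=2):
    """Users whose failure-type entries reach the threshold, with counts."""
    counts = Counter(r["user"] for r in rows if r["key"] in FAILURES)
    return {user: n for user, n in counts.items() if n >= threshold}


def unmapped(rows):
    """Keys seen in the data that the lookup table does not cover."""
    return sorted({r["key"] for r in rows if r["key"] not in EVENTS})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print(failures_by_user(rows), unmapped(rows))
```
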
The following is a full listing of Compliance Monitor Log File Reports:
Access control list changed (T:VA from QAUDJRN)
Audit Entry Type/Description:
VA = Changing an access control list
Action to spooled file (T:SF from QAUDJRN)
Audit Entry Type/Description:
SF = Actions to spooled files
APPN directory search filter (T:ND from QAUDJRN)
Audit Entry Type/Description:
ND = APPN directory search filter violation
Asynchronous signal action (T:SG from QAUDJRN)
Audit Entry Type/Description:
SG = Asynchronous Signals
Attributes changed (T:AU from QAUDJRN)
Audit Entry Type/Description:
AU = Attribute Changes
Audited command strings (T:CD from QAUDJRN)
Audit Entry Type/Description:
CD = Command String Audit
Authority failure occurred (T:AF from QAUDJRN)
Audit Entry Type/Description:
AF = Authority Failure
Changes to Change Request Description objects (T:CQ from QAUDJRN)
Audit Entry Type/Description:
CQ = Change of the *CRQD object
Authority Actions (T:AF, AP, CA, JD, OW, PA, PG, PW, RA, RJ, RO, RP, RU, RZ, SD, SE, SV, VA, VU from QAUDJRN)
Audit Entry Type/Description:
AF = Authority Failure
AP = Obtaining Adopted Authority
CA = Authority Changes
JD = Change to user parameter of a job description
OW = Object Ownership changed
PA = Program changed to adopt authority
PG = Change of an object's primary group
PW = Invalid Password
RA = Authority change during restore
RJ = Restoring job description with user profile specified
RO = Change of object owner during restore
RP = Restoring adopted authority program
RU = Restoring User profile authority
RZ = Changing a primary group during restore
SD = Changes to system distribution directory
SE = Subsystem routing entry changed
SV = System value changed
VA = Changing an access control list
VU = Changing a Network profile
Network Actions (T:CV, DI, GS, IR, LD, NA, ND, NE, SD, SK, VC, VF, VP, VR, VS, VU, VV, X0, X1, U:NA, NR, NF from QAUDJRN)
Audit Entry Type/Description:
CV = Connection Verification
DI = Directory Server
GS = Socket description was given to another job
IR = IP Rules Actions
LD = Link, unlink or look up directory entry
NA = Network attribute changed
ND = APPN directory search filter violation
NE = APPN end point filter violation
SD = Changes to system distribution directory
SK = Secure Sockets connections
VC = Starting or ending a connection
VF = Closing server files
VP = Network password error
VR = Network resource access
VS = Starting or ending a server session
VU = Changing a Network profile
VV = Changing service status
X0 = Network Authentication
X1 = Identity Token
NR = NS transaction rejected
NF = NS transaction failure
Object Actions (T:CO, CQ, DO, OM, OR, OW, PG, RO, RQ, YC, YR, ZC, ZR from QAUDJRN)
Audit Entry Type/Description:
CO = Create Object
CQ = Change of the *CRQD object
DO = Delete Object
OM = Object management change
OR = Object restore
OW = Object Ownership changed
PG = Change of an object's primary group
RO = Change of object owner during restore
RQ = Restoring a *CRQD object
YC = DLO object accessed (change)
YR = DLO object accessed (read)
ZC = Object accessed (change)
ZR = Object accessed (read)
Authority Broker events (U:BG, BH, EN, ER, FC, FL from QAUDJRN)
Audit Entry Type/Description:
BG = AB Profile Swap started
BH = AB Begin Profile Switch additional information
EN = AB Profile Swap ended
ER = AB Profile Swap erred
FC = AB Switch Attempt Failed
FL = AB Profile Swap failed
Network Security events (U:NA, NR, NF from QAUDJRN)
Audit Entry Type/Description:
NA = NS transaction accepted
NR = NS transaction rejected
NF = NS transaction failure
Profile Actions (T:CP, DS, PS, PW, RU, RZ, VU, U:BG, FL, EN, ER from QAUDJRN)
Audit Entry Type/Description:
CP = User profile changes…
DS = DST security password reset
PS = Profile Swap
PW = Invalid Password
RU = Restoring User profile authority
RZ = Changing a primary group during restore
VU = Changing a Network profile
BG = AB Profile Swap started
FL = AB Profile Swap failed
EN = AB Profile Swap ended
ER = AB Profile Swap erred
Combined report - This report shows all journal entries
Audit Entry Type/Description:
This report shows all journal entries
System Actions (T:AD, AU, CQ, DS, EV, IR, NA, SD, SM, ST, SV, VA, VL, VS, VV from QAUDJRN)
Audit Entry Type/Description:
AD = Change what is being audited
AU = Attribute Changes
CQ = Change of the *CRQD object
DS = DST security password reset
EV = System Environment variables
IR = IP Rules Actions
NA = Network attribute changed
SD = Changes to system distribution directory
SM = Systems management changes
ST = Use of service Tools
SV = System value changed
VA = Changing an access control list
VL = Account limit exceeded
VS = Starting or ending a server session
VV = Changing service status
Connection started or ended (T:VC from QAUDJRN)
Audit Entry Type/Description:
VC = Starting or ending a connection
Connection verification occurred (T:CV from QAUDJRN)
Audit Entry Type/Description:
CV = Connection Verification
Cryptographic configuration changes (T:CY from QAUDJRN)
Audit Entry Type/Description:
CY = Cryptographic Configuration
Directory link, unlink or search (T:LD from QAUDJRN)
Audit Entry Type/Description:
LD = Link, unlink or look up directory entry
Directory Server changes (T:DI from QAUDJRN)
Audit Entry Type/Description:
DI = Directory Server
Document library object (DLO) changed (T:YC from QAUDJRN)
Audit Entry Type/Description:
YC = DLO object accessed (change)
Document library object (DLO) read (T:YR from QAUDJRN)
Audit Entry Type/Description:
YR = DLO object accessed (read)
Dual file or directory optical access (T:O2 from QAUDJRN)
Audit Entry Type/Description:
O2 = Optical Access dual file or directory
Changes to Environment Variables (T:EV from QAUDJRN)
Audit Entry Type/Description:
EV = System Environment variables
Generic operations changes (T:GR from QAUDJRN)
Audit Entry Type/Description:
GR = Generic record
Identity token action (T:X1 from QAUDJRN)
Audit Entry Type/Description:
X1 = Identity Token
Internet security management negotiate (T:IS from QAUDJRN)
Audit Entry Type/Description:
IS = Internet Security Management
Interprocess communications occurred (T:IP from QAUDJRN)
Audit Entry Type/Description:
IP = Interprocess Communication
Intrusion monitoring (T:IM from QAUDJRN)
NOTE: Intrusion monitoring is a new intrusion detection capability that was introduced at V5R4 of i5/OS.
Audit Entry Type/Description:
IM = Intrusion Monitor
IP rules action taken (T:IR from QAUDJRN)
Audit Entry Type/Description:
IR = IP Rules Actions
Changes to jobs on the system (T:JS from QAUDJRN)
Audit Entry Type/Description:
JS = Actions that affect jobs
Job descriptions that have been restored (T:RJ from QAUDJRN)
Audit Entry Type/Description:
RJ = Restoring job description with user profile specified
Key ring file changed (T:KF from QAUDJRN)
Audit Entry Type/Description:
KF = Key ring file
Changes to network attributes (T:NA from QAUDJRN)
Audit Entry Type/Description:
NA = Network attribute changed
Network authentication occurred (T:X0 from QAUDJRN)
Audit Entry Type/Description:
X0 = Network Authentication
Network log on or off (T:VN from QAUDJRN)
Audit Entry Type/Description:
VN = Logging on and off the network
Network password error (T:VP from QAUDJRN)
Audit Entry Type/Description:
VP = Network password error
Network profile changed (T:VU from QAUDJRN)
Audit Entry Type/Description:
VU = Changing a Network profile
Network resource accessed (T:VR from QAUDJRN)
Audit Entry Type/Description:
VR = Network resource access
Validation errors for a network server (T:VL from QAUDJRN)
Audit Entry Type/Description:
VL = Account limit exceeded
Changes to object level auditing (T:AD from QAUDJRN)
Audit Entry Type/Description:
AD = Audit changes
Object moved or renamed (T:OM from QAUDJRN)
Audit Entry Type/Description:
OM = Object management change
Objects that have changed owner (T:OW from QAUDJRN)
Audit Entry Type/Description:
OW = Object Ownership changed
Object's primary group changed (T:PG from QAUDJRN)
Audit Entry Type/Description:
PG = Change of an object's primary group
Object reads (T:ZR from QAUDJRN)
Audit Entry Type/Description:
ZR = Object accessed (read)
Object created or replaced (T:CO from QAUDJRN)
Audit Entry Type/Description:
CO = Create Object
Obtaining adopted authorities (T:AP from QAUDJRN)
Audit Entry Type/Description:
AP = Obtaining Adopted Authority
Office services mail action (T:ML from QAUDJRN)
Audit Entry Type/Description:
ML = Office services mail actions
PowerTech Authority Broker Begin Swap (U:BG from QAUDJRN)
Audit Entry Type/Description:
BG = AB Profile Swap started
PowerTech Authority Broker Begin Swap Additional Information (U:BH from QAUDJRN)
Audit Entry Type/Description:
BH = AB Begin Profile Switch Additional Information
PowerTech Authority Broker End Swap (U:EN from QAUDJRN)
Audit Entry Type/Description:
EN = AB Profile Swap ended
PowerTech Authority Broker Fail (U:FL from QAUDJRN)
Audit Entry Type/Description:
FL = AB Profile Swap failed
PowerTech Authority Broker FireCall (U:FC from QAUDJRN)
Audit Entry Type/Description:
FC = FireCall Assigned
PowerTech Authority Broker Swap Error (U:ER from QAUDJRN)
Audit Entry Type/Description:
ER = AB Profile Swap erred
PowerTech Network Security Network Accepts (U:NA from QAUDJRN)
Audit Entry Type/Description:
NA = NS transaction accepted
PowerTech Network Security Network Failures (U:NF from QAUDJRN)
Audit Entry Type/Description:
NF = NS transaction failure
PowerTech Network Security Network Rejects (U:NR from QAUDJRN)
Audit Entry Type/Description:
NR = NS transaction rejected
Primary group change for restored object (T:RZ from QAUDJRN)
Audit Entry Type/Description:
RZ = Changing a primary group during restore
Printer output (T:PO from QAUDJRN)
Audit Entry Type/Description:
PO = Printed output
Profile swap action (T:PS from QAUDJRN)
Audit Entry Type/Description:
PS = Profile Swap
Program changed to adopt authority (T:PA from QAUDJRN)
Audit Entry Type/Description:
PA = Program changed to adopt authority
Restored object authority changed (T:RA from QAUDJRN)
Audit Entry Type/Description:
RA = Authority change during restore
Object ownership when restored (T:OR from QAUDJRN)
Audit Entry Type/Description:
OR = Object restore
Object restored (T:OR from QAUDJRN)
Audit Entry Type/Description:
OR = Object restore
Restored program adopts authority (T:RP from QAUDJRN)
Audit Entry Type/Description:
RP = Restoring adopted authority program
Secure socket connection action (T:SK from QAUDJRN)
Audit Entry Type/Description:
SK = Secure Sockets connections
Self-organizing feature map (SOM) access (T:ZM from QAUDJRN)
Audit Entry Type/Description:
ZM = SOM method access
Server files closed (T:VF from QAUDJRN)
Audit Entry Type/Description:
VF = Closing server files
Server security user information action (T:SO from QAUDJRN)
Audit Entry Type/Description:
SO = Server security user information actions
Server session started or stopped (T:VS from QAUDJRN)
Audit Entry Type/Description:
VS = Starting or ending a server session
Service status changed (T:VV from QAUDJRN)
Audit Entry Type/Description:
VV = Changing service status
Service tools used (T:ST from QAUDJRN)
Audit Entry Type/Description:
ST = Use of service Tools
Changes to service tools users (T:DS from QAUDJRN)
Audit Entry Type/Description:
DS = DST security password reset
Single file or directory optical access (T:O1 from QAUDJRN)
Audit Entry Type/Description:
O1 = Optical Access, single file or directory
Socket descriptor given or received (T:GS from QAUDJRN)
Audit Entry Type/Description:
GS = Socket description was given to another job
Subsystem routing entry changed (T:SE from QAUDJRN)
Audit Entry Type/Description:
SE = Subsystem routing entry changed
System distribution directory changed (T:SD from QAUDJRN)
Audit Entry Type/Description:
SD = Changes to system distribution directory
System management change (T:SM from QAUDJRN)
Audit Entry Type/Description:
SM = Systems management changes
System value changes (T:SV from QAUDJRN)
Audit Entry Type/Description:
SV = System value changed
User/Password Failures on the system (T:PW from QAUDJRN)
Audit Entry Type/Description:
PW = Invalid Password
User profile authority restored (T:RU from QAUDJRN)
Audit Entry Type/Description:
RU = Restoring User profile authority
User profile changed, created or restored (T:CP from QAUDJRN)
Audit Entry Type/Description:
CP = User profile changes…
Validation list action (T:VO from QAUDJRN)
Audit Entry Type/Description:
VO = Validation list actions
Volume optical access (T:O3 from QAUDJRN)
Audit Entry Type/Description:
O3 = Optical Access Volume