Auditing Powerful or Inquisitive Users

Note: Some of this section is adapted from an iSeries NEWS Magazine, July 2004 article, “Common Sense Security Auditing” by Dan Riehl.

Often, we want to know what powerful users are doing on the system. For example, is QSECOFR, or an alternate security officer-type profile, accessing sensitive data files?

To implement user auditing and specify what actions are to be recorded for a particular user, we employ the CHGUSRAUD (Change User Audit) command, which requires *AUDIT special authority. The command's OBJAUD parameter deals specifically with auditing that user's access to files and other objects; the AUDLVL parameter, covered below, deals with the user's actions.

CHGUSRAUD  USRPRF(user-id)                         +
           OBJAUD(*NONE | *CHANGE | *ALL)          +
           AUDLVL(*NONE | *CMD *CREATE *DELETE     +
                  *JOBDTA *OBJMGT *OFCSRV          +
                  *PGMADP *SAVRST *SECURITY        +
                  *SERVICE *SPLFDTA *SYSMGT)

(Both parameters default to *SAME, which leaves the current value untouched; later releases accept further AUDLVL values, e.g., *NETCMN and *OPTICAL, that the 2004 article did not list.)


If we specify *NONE for the user profile's OBJAUD, recording of that user's access to an object is controlled entirely by the object's own OBJAUD value: *ALL records every access, *CHANGE records only change operations, and *NONE or *USRPRF records nothing for this user.

If we specify *CHANGE or *ALL for the user profile's OBJAUD value, the profile setting takes effect only for objects whose own OBJAUD value is *USRPRF; for those objects the system records all accesses (user *ALL) or only change accesses (user *CHANGE). Objects set to *ALL or *CHANGE are audited at that level for every user regardless of the profile setting, and objects set to *NONE are never audited. The combinations are:

  Object OBJAUD   User OBJAUD   Recorded
  *NONE           any           nothing
  *USRPRF         *NONE         nothing
  *USRPRF         *CHANGE       change operations only
  *USRPRF         *ALL          all operations (reads and changes)
  *CHANGE         any           change operations only
  *ALL            any           all operations

In every case the entries are written to the QAUDJRN journal only if the QAUDCTL system value includes *OBJAUD (set with CHGSECAUD); if it does not, both settings are silently ignored, so check QAUDCTL before concluding that auditing is working.

In the scenario where we want to record sensitive object access only for certain users, we set the OBJAUD value in the object to *USRPRF and set the OBJAUD value in the user profile to *ALL or *CHANGE:

CHGOBJAUD  OBJ(mylibrary/myfile) OBJTYPE(*FILE) OBJAUD(*USRPRF)

CHGUSRAUD  USRPRF(user-id) OBJAUD(*ALL)

Use OBJAUD(*CHANGE) on the user profile instead of *ALL if only updates, not reads, are of interest. The CHGUSRAUD change takes effect for jobs the user starts after the command runs, not for jobs already active.

Note: When first implementing object auditing, watch for system performance degradation. With the narrowly scoped technique described here (one object, one or a few users) the impact is usually negligible, but not always; auditing a whole library with CHGOBJAUD OBJ(mylibrary/*ALL), or setting OBJAUD(*ALL) on a busy file for every user, can generate a very large volume of journal entries. If performance suffers, it may only be possible to turn on object auditing for a short sampling period (e.g., 20 minutes) to see which users are accessing certain objects, and then set it back to *NONE.

Auditing User Actions

The AUDLVL (auditing level) parameter of the CHGUSRAUD command lets us specify, for this user, which activities to audit. Its values are the same as those discussed earlier for the QAUDLVL parameter of the CHGSECAUD command, and their meaning is the same here. The auditing specified by QAUDLVL is system-wide and occurs for every user regardless of how user auditing is configured; the CHGUSRAUD AUDLVL parameter adds events to audit for a particular user on top of that (Figure 2). As with object auditing, none of these entries are written unless QAUDCTL includes *AUDLVL.

[Figure 2: CHGUSRAUD AUDLVL values; image not reproduced]

To help track the actions of a particular user, the CHGUSRAUD command allows us to specify several AUDLVL values at once, as shown in Figure 2. (Notice that we can audit all CL commands executed by the user.)

If we specify *CMD as one of the user's AUDLVL values, the system writes a CD (command string) entry to QAUDJRN for every CL command the user executes. For commands contained in CL programs that were created with LOG(*NO) and ALWRTVCLSRC(*NO), the entire command string isn't logged, but at least the command name is logged.

Here is a common sense way to set up user auditing for a powerful or inquisitive user:

CHGUSRAUD  USRPRF(user-id)                         +
           OBJAUD(*ALL)                            +
           AUDLVL(*CMD *CREATE *DELETE             +
                  *JOBDTA *OBJMGT *OFCSRV          +
                  *PGMADP *SAVRST *SECURITY        +
                  *SERVICE *SPLFDTA *SYSMGT)

Substitute OBJAUD(*CHANGE) if reads of the *USRPRF-audited objects are not of interest. Verify the result with DSPUSRPRF USRPRF(user-id), and remember that the new settings apply to jobs started after the change.
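As an added worked example (not code from the article, from IBM, or from PowerTech), the following CL program ties together the two procedures above: the object-access setup (CHGOBJAUD to *USRPRF plus CHGUSRAUD OBJAUD) and the user-action setup (CHGUSRAUD AUDLVL with *CMD). In *SETUP mode it first checks the QAUDCTL prerequisite, applies both commands to one profile and one file, and reads the profile back to confirm the values took; in *REPORT mode it extracts that user's CD (command string), ZR (object read) and ZC (object change) entries from QAUDJRN into an outfile. The program name PWRAUD, the parameter layout, and the use of library QGPL for the outfile are assumptions; %SCAN needs IBM i 7.1 or later, and the caller needs *AUDIT special authority.

```cl
/* PWRAUD - enable (*SETUP) or report on (*REPORT) auditing of one     */
/* powerful user.  Added example, not code from the article.  Assumes  */
/* the caller has *AUDIT special authority, library QGPL exists for    */
/* the outfile, and IBM i 7.1 or later (for %SCAN).                    */
             PGM        PARM(&MODE &USER &LIB &FILE)
             DCL        VAR(&MODE)   TYPE(*CHAR) LEN(7)   /* *SETUP|*REPORT */
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)  /* profile audited */
             DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10)  /* sensitive file  */
             DCL        VAR(&FILE)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&AUDCTL) TYPE(*CHAR) LEN(100) /* QAUDCTL, padded */
             DCL        VAR(&OBJAUD) TYPE(*CHAR) LEN(10)
             DCL        VAR(&AUDLVL) TYPE(*CHAR) LEN(640)

 /* Prerequisite: OBJAUD and AUDLVL settings write nothing to QAUDJRN  */
 /* unless QAUDCTL carries *OBJAUD and *AUDLVL respectively.           */
             RTVSYSVAL  SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
             IF         COND((%SCAN('*OBJAUD' &AUDCTL) *EQ 0) *OR +
                             (%SCAN('*AUDLVL' &AUDCTL) *EQ 0)) THEN(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('QAUDCTL lacks *OBJAUD or *AUDLVL; +
                          run CHGSECAUD first')
             ENDDO

             IF         COND(&MODE *EQ '*SETUP') THEN(DO)
 /* Object side: defer the decision to the user profile.               */
             CHGOBJAUD  OBJ(&LIB/&FILE) OBJTYPE(*FILE) OBJAUD(*USRPRF)
 /* User side: every read/change of *USRPRF objects plus the actions.  */
 /* Takes effect for jobs started after this point, not running ones.  */
             CHGUSRAUD  USRPRF(&USER) OBJAUD(*ALL) +
                          AUDLVL(*CMD *CREATE *DELETE *JOBDTA *OBJMGT +
                                 *OFCSRV *PGMADP *SAVRST *SECURITY +
                                 *SERVICE *SPLFDTA *SYSMGT)
 /* Verify by reading the profile back instead of trusting the command. */
             RTVUSRPRF  USRPRF(&USER) OBJAUD(&OBJAUD) AUDLVL(&AUDLVL)
             IF         COND((&OBJAUD *NE '*ALL') *OR +
                             (%SCAN('*CMD' &AUDLVL) *EQ 0)) THEN( +
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
                          MSGDTA('Auditing not active for' *BCAT &USER))
             SNDPGMMSG  MSGID(CPF9897) MSGF(QCPFMSG) MSGTYPE(*COMP) +
                          MSGDTA('Auditing enabled for' *BCAT &USER)
             ENDDO

             IF         COND(&MODE *EQ '*REPORT') THEN(DO)
 /* CD = command string (*CMD), ZR = object read, ZC = object change.  */
 /* RCVRNG(*CURCHAIN) reads the whole receiver chain, not only the     */
 /* currently attached receiver that DSPJRN uses by default.           */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          ENTTYP(CD ZR ZC) USRPRF(&USER) +
                          OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                          OUTFILE(QGPL/PWRAUD) OUTMBR(*FIRST *REPLACE)
             RUNQRY     QRYFILE((QGPL/PWRAUD))
             ENDDO
             ENDPGM
```

Usage, with constructed names for the library and file: CALL PWRAUD PARM('*SETUP' 'QSECOFR' 'PAYLIB' 'PAYMAST') to enable auditing, then after the sampling period CALL PWRAUD PARM('*REPORT' 'QSECOFR' ' ' ' ') to pull the entries. The *TYPE5 outfile carries the job, user, program, object and library in fixed columns and the command string or object-access details in the entry-specific data field (JOESD), so the same file can be queried with RUNQRY or SQL. The explicit RTVUSRPRF check after CHGUSRAUD is the step most often skipped; a CHGUSRAUD that fails silently in a batch job, or a QAUDCTL that was never set, leaves an auditor believing coverage exists when it does not.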

A simpler approach to auditing powerful users on the system may be to use PowerTech Authority Broker, a solution for protecting and auditing access to sensitive corporate assets. With Authority Broker, the number of profiles with special authorities on a system can be reduced without disrupting normal business activity. The profile-swapping feature of Authority Broker allows users to switch to a higher-authority profile as needed, and the product automatically turns on auditing for all of their actions while swapped.

Authority Broker monitors and limits the number of powerful users on a system. Managers can get regular reports of activity or custom alerts when one of their staff switches to the powerful profile. More details are available at the product web page.