SecureMyi.com Security and Systems Management Newsletter for the IBM i                 May 8, 2013 - Vol 3, Issue 28
Feature Article

Auditing Control Language Command Usage

By Dan Riehl

When I discuss the topic of auditing, I'm referring to the IBM i auditing capability in which certain predefined activities or events cause an audit log record to be written as a formatted journal entry to the system's audit journal QAUDJRN. Auditing using QAUDJRN isn't automatically configured, so when you first start your system, you must configure the IBM i QAUDJRN auditing to meet your specific auditing requirements as defined by the system administrator, the security officer, the security policy, and your IT auditors.

Once you've configured your auditing environment, regular reporting of the QAUDJRN activities and events should be instituted to ensure adherence to policy. When audit journal entries are written to QAUDJRN, you have the sound basis needed to accurately analyze and report on current and historical events.

Even assuming a regular QAUDJRN reporting regimen, there will be occasions when you need to go back and dig out past events. These past events may have negatively affected your system, or you may want simply to check on who did what, when. For example, you may want to determine who changed Fred's user profile to assign him *ALLOBJ and *SECADM special authority. When did it occur, and how was it accomplished?

In cases like this, you can use forensic evaluation methods to extract the relevant audit entries from QAUDJRN to determine the culprit. In recent cases, I have been asked to use the QAUDJRN forensic reporting methods to solve some interesting mysteries, such as:

  • A particular user profile keeps becoming disabled. Why?
  • An RPG program ran correctly on Saturday but ended abnormally on Sunday. Did someone change the program between Saturday and Sunday?
  • Who changed the System Value QCRTAUT from *CHANGE to *ALL, and when did the change occur?
  • How did a new file end up in a library with incorrect private authorities, when the library's CRTAUT was specified correctly?
  • Who has used the UPDDTA(DFU) command, and what files were they viewing and potentially editing?
  • What CL commands were run from the command line by all *ALLOBJ users?
  • Who has run compiler commands (e.g., CRTRPGPGM, CRTBNDRPG, CRTCLPGM, etc.) to create new programs on the production system?

All these mysteries were successfully solved by using the forensic analysis of the QAUDJRN journal. It is important to note that I was able to analyze the audit entries because the customers were auditing the particular events that comprised these incidents. For example, if the auditing setup did not include the QAUDLVL system value inclusion of *SECURITY, I wouldn't have been able to discover who changed the system value QCRTAUT. Changes to system values are audited only when QAUDLVL contains the value *SECURITY or the sub-value *SECCFG.

Read about the details of Auditing and Reporting from QAUDJRN

IBM i Security News

Townsend Security Releases Short Educational Data Privacy Videos for Business Leaders
Townsend Security is launching a unique data privacy education campaign with three short videos: Why is Unprotected Data a Business Problem?, What is Encryption Key Management?, and Encryption Key Management for the Cloud.
Information and view the Videos

10th Anniversary: PowerTech's "State of IBM i Security Study 2013"
Recorded Webcast - Sponsored by PowerTech
Robin Tatam, Director of Security Technologies for PowerTech, reveals the latest results from a decade of ongoing research into the security configuration of IBM i.
Pre-Recorded Webcast from Wednesday, May 1, 2013.
More Information and View the Recorded Webcast



IBM i Security Calendar of Events


Live Security Related Webcasts and Training for IBM i

Top Security and Privacy Concerns with BYOD (Bring Your Own Device)
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, May 22 10:00am CDT
More Information and Register to Attend


Live Hands-On IBM i Security Assessment Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - May 21 - 24
Dan Riehl presents this 3.5-Day Live Online Hands-on Security Assessment Workshop.
More Information and Register to Attend


Live Hands-On IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - June 17-21
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Featured YouTube Educational Video

IBM i Security

Yes, I Can Steal Your User Profile!

Featured Video - Misconceptions on Ownership and Authority to User Profiles

Security Shorts -

Alternate QAUDJRN Extraction Method

By Dan Riehl

In the above Feature Article "Auditing CL Command Usage", I explain how you can extract information from the system QAUDJRN audit journal to provide a formatted output file containing events, such as when a System Value is changed. In that article, I show a method that uses a combination of two commands, Create Duplicate Object (CRTDUPOBJ) and Display Journal (DSPJRN). The information extracted is all the events in which a System Value was changed.

The CRTDUPOBJ command is used to create a usable copy of the IBM-supplied model file for the SV Type of Journal Entries. Once the usable copy of the IBM model file is created with CRTDUPOBJ, the command DSPJRN is used to extract the SV journal entries from QAUDJRN and place them into our copy of the IBM model output file, thereby letting us use simple query tools or download to Excel to evaluate the System Value Change events.

There IS Another, and Possibly Easier, Method

While this is one way to extract the data and place it into a usable format, IBM has also provided an alternative method, which you might choose over the two-step method I use in the Feature Article.

In release V5R4, IBM introduced the CL command Copy Audit Journal Entries (CPYAUDJRNE). The command, in effect, replaces the older Display Audit Journal Entries (DSPAUDJRNE) command, which only let you print a list of the QAUDJRN journal entries; and the printed list is often missing key data elements from the journal entry.

CPYAUDJRNE helps you extract data from the system audit journal (QAUDJRN) and place that data into an entry-specific output file. It would be nice if the new command had the same filtering capability as the more capable DSPJRN command. It lets you filter only by journal entry type, user, journal receivers or from-date/time to-date/time.

The DSPJRN command allows additional selection criteria over CPYAUDJRNE, such as Program name and Job that caused the System Value change. However, if you do not need that extra filtering, I recommend using CPYAUDJRNE over the two-step method of CRTDUPOBJ and DSPJRN.

The output file(s) created by the CPYAUDJRNE command is journal-entry-type specific, so you end up with the same result as explained in my Feature Article that uses the two-step approach.

Here's an example of using CPYAUDJRNE to extract the SV (System Value Change) entries for the date and time period specified in the command.


CPYAUDJRNE   ENTTYP(SV) OUTFILE(MYAUDIT/A0512)
             JRNRCV(*CURCHAIN)
             FROMTIME('04/19/2013' '04:00:00')
             TOTIME('04/20/2013' '04:00:00')

This command creates an output file named A0512SV, which contains the SV entries for the time period. You can then use IBM's Query or another query tool to present the data the way you want it. For example, to list all the System Value Changes for that time period, you could use the command:

RUNQRY QRYFILE((MYAUDIT/A0512SV))

You can review the 6.1 CPYAUDJRNE command documentation here.
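For comparison, here is the two-step CRTDUPOBJ + DSPJRN extraction that the Security Short measures CPYAUDJRNE against, written as an added example (not code from the article) for the same SV entry type and time window. The library MYAUDIT and the output file name SVENT are assumed; the model file is assumed to be QASYSVJ5 in QSYS, IBM's *TYPE5 model output file for SV entries.

```cl
/* Added example, not from the article: two-step extraction of SV        */
/* (System Value Change) entries from QAUDJRN into a queryable file.     */
/* Assumed names: library MYAUDIT, output file SVENT, model QASYSVJ5.   */

/* Step 1: make a usable copy of the IBM-supplied model file for SV      */
/* entries. The copy has the right record layout for OUTFILFMT(*TYPE5). */
CRTDUPOBJ  OBJ(QASYSVJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
           TOLIB(MYAUDIT) NEWOBJ(SVENT)

/* Step 2: extract only SV entries for the audit window from the         */
/* current receiver chain into that copy. Unlike CPYAUDJRNE, DSPJRN     */
/* also accepts JOB() and PGM() filters if you need to narrow further.  */
DSPJRN     JRN(QAUDJRN) RCVRNG(*CURCHAIN) +
           FROMTIME('04/19/2013' '04:00:00') +
           TOTIME('04/20/2013' '04:00:00') +
           ENTTYP(SV) +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
           OUTFILE(MYAUDIT/SVENT)

/* Step 3: report, exactly as with the CPYAUDJRNE output file.           */
RUNQRY     QRYFILE((MYAUDIT/SVENT))
```

Because the output file is a copy of the entry-specific model, the same Query or download-to-Excel review applies to MYAUDIT/SVENT as to the A0512SV file produced by CPYAUDJRNE.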

Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017