SecureMyi.com Security and Systems Management Newsletter for the IBM i             September 10, 2014 - Vol 4, Issue 15
Security Training from SecureMyi.com


Security software from Powertech



Skyview Partners



Security Training from The 400 School

Feature Article

Auditing and Reporting the Use of CL Commands

By Dan Riehl - SecureMyi.com

When I discuss the topic of auditing, I'm referring to the IBM i auditing capability in which certain predefined activities or events cause an audit log record to be written as a formatted journal entry to the system's audit journal QAUDJRN. Auditing using QAUDJRN isn't automatically configured, so when you first start your system, you must configure the IBM i QAUDJRN auditing to meet your specific auditing requirements as defined by the system administrator, the security officer, the security policy, and your IT auditors.

Once you've configured your auditing environment, regular reporting of the QAUDJRN activities and events should be instituted to ensure adherence to policy. When audit journal entries are written to QAUDJRN, you have the sound basis needed to accurately analyze and report on current and historical events.

Even assuming a regular QAUDJRN reporting regimen, there will be occasions when you need to go back and dig out past events. These past events may have negatively affected your system, or you may want simply to check on who did what, when. For example, you may want to determine who changed Fred's user profile to assign him *ALLOBJ and *SECADM special authority. When did it occur, and how was it accomplished?

In cases like this, you can use forensic evaluation methods to extract the relevant audit entries from QAUDJRN to determine the culprit. In recent cases, I have been asked to use the QAUDJRN forensic reporting methods to solve some interesting mysteries, such as:

  • A particular user profile keeps becoming disabled. Why?
  • An RPG program ran correctly on Saturday but ended abnormally on Sunday. Did someone change the program between Saturday and Sunday?
  • Who changed the System Value QCRTAUT from *CHANGE to *ALL, and when did the change occur?
  • How did a new file end up in a library with incorrect private authorities, when the library's CRTAUT was specified correctly?
  • Who has used the UPDDTA(DFU) command, and what files were they viewing and potentially editing?
  • What CL commands were run from the command line by all *ALLOBJ users?
  • Who has run compiler commands (e.g., CRTRPGPGM, CRTBNDRPG, CRTCLPGM, etc.) to create new programs on the production system?

All these mysteries were successfully solved by using the forensic analysis of the QAUDJRN journal. It is important to note that I was able to analyze the audit entries because the customers were auditing the particular events that comprised these incidents. For example, if the auditing setup did not include the QAUDLVL system value inclusion of *SECURITY, I wouldn't have been able to discover who changed the system value QCRTAUT. Changes to system values are audited only when QAUDLVL contains the value *SECURITY or the sub-value *SECCFG.

Is Your System Ready to Start Command Auditing?

If you're unsure about the auditing settings on your IBM i, you can use the Display Security Auditing Values (DSPSECAUD) command. Run the command to discover the current auditing settings on your system. If you see from the DSPSECAUD display that the journal QAUDJRN doesn't exist, you need to configure the system to start auditing. The easiest way to configure auditing is to use the Change Security Auditing Values (CHGSECAUD) command.

To audit command usage on the i, you must configure the QAUDCTL system value to allow auditing. In the case of auditing command usage, the system value QAUDCTL should be set to include the value *OBJAUD. However, in a standard auditing environment, you typically set the QAUDCTL system value to include the three values *AUDLVL, *OBJAUD, and *NOQTEMP.

Read More . .

In This Issue


Featured Article - CL Command Auditing

Security Shorts - Insight into Your Groups

Featured Video - Limited Capabilities

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives


Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter

Follow SecureMyi on YouTube


Software from Cilasoft


Security software from Powertech
Security news and Events


Live Security Related Webcasts and Training for IBM i

September Events

Live Hands-On - IBM i Query Workshop for Technical Staff and End Users
with Dan Riehl

Training Workshop - Sep 23 - Presented by The 400 School, Inc.
Dan Riehl presents this Full-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Coffee with Carol: What's New in V7R2 Security!
Live Webcast - Presented by Skyview Partners
Wednesday, Sep 24 10:00am CDT
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - Sep 25-26 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Expanded Control Language Programming Workshop
with Dan Riehl

Training Workshop - Sep 29-Oct 3 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

October Events

COMMON 2014 Fall Conference & Expo
October 27 - 29
Hyatt Regency Indianapolis • Indianapolis, Indiana
More Information and Register to Attend

November Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - Nov 3-7 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Security Audit and Vulnerability Assessment Workshop
      for IBM i, iSeries AS/400 with Dan Riehl

Training Workshop - Nov 11-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend





Skyview Partners




Security Training from The 400 School

Featured Educational Video

IBM i Security - Popular Misconceptions on User Limited Capabilities


Skyview Partners

Security Shorts

Quick Insight into Your Group Profiles

By Dan Riehl - SecureMyi.com

A member of a group profile inherits all authorities and special authorities from their group(s). In order to manage your groups, it's important to know what users are in those groups.

When you need a list of all the users who belong to a particular group profile, it's easy to get. Just use the DSPUSRPRF (Display User Profile) command as follows:

DSPUSRPRF USRPRF(GroupProfileName) TYPE(*GRPMBR)

For GroupProfileName, substitute the name of the group profile for which you want to list the group members.

If you want a full system listing of members of all group profiles you can use the command DSPAUTUSR(Display Authorized Users) as follows:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

For a nice GUI look into your users and groups, IBM i Navigator for Windows( aka Operations Navigator) provides the nicest presentation.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming



Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

Security Training from The 400 School

Security Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017