May 9, 2012 - Vol 2, Issue 8 Security Workshop

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Forensic Analysis using QAUDJRN Part 2

Tracing User Activity

By Dan Riehl

In this second installment of the series dealing with forensic analysis by using the QAUDJRN journal, the focus is on the forensic analysis of user activity. I discuss how to audit and report on various activities performed by a particular user, and I also show how to audit and report on security-related events caused by all users. As examples, I examine how to audit and report on every time QSECOFR changes a system value, and I also discuss how to audit and report on every occurrence in which any user deletes any object.

Auditing Revisited

I encourage you to review the previous article in this series (" Forensic Analysis Using QAUDJRN, Part 1: CL Command Usage" from the February 1, 2012 Issue of the SecureMyi Security Newsletter), which discusses the basics of auditing and reporting from the system security audit journal QAUDJRN.

In order to begin reporting on security related activities, you must first configure your system to perform the auditing functions you need. The system values QAUDCTL and QAUDLVL must be set for your desired level of auditing, and the QAUDJRN journal must have been created on your system.

Every security-related event that occurs on your system is tied to a particular user. In this article, the focus is on reporting on the activities performed by a user.

Usually, we want to report on the activities of our powerful users such as QSECOFR and system administrator users. Powerful IT users and other users with command-line access have the freedom to navigate the system outside of the constraints of a menu system that would otherwise confine their activities to those allowed by their menu options. Having said that, let me also say that you can audit and report on the activities of any user, regardless of the user's power or ability to navigate the system.

When you want to be able to audit and report on the activities of a particular user, you must first decide which events you're interested in collecting. If you don't care whether someone moves a spooled file report from one output queue to another, or if you don't care when a program adopts authority, it affects your choices when configuring auditing. If you want to be able to track each time a new library is created on the system or every time a file is deleted, it likewise affects your auditing configuration. The events that can be audited are described by a combination of the allowable values for the system values QAUDLVL and QAUDLVL2, and the allowable values for the AUDLVL attribute of each user profile.

Read More

In This Issue

Feature Article - Forensic Analysis with QAUDJRN - Tracing User Activity

Featured Video- Misconceptions on User Ownership & Authority

Security Shorts- Alternate QAUDJRN Extraction Method

Industry News and Calendar

Security Resources

Security Quick Links

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i?   Visit RZKH

Please Visit Our Sponsors

Platinum Sponsor
      The 400 School, Inc

Gold Sponsor
      Skyview Partners, Inc

      FastPass Corp

      Cilasoft Security Solutions

      Software Engineering of America

IBM i Security and Audit Resources

IBM i Security Videos from

SecureMyi Newsletter Home and Archives

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Featured YouTube Educational Video

IBM i Security

Misconceptions on Ownership and Authority to User Profiles

Featured Video - Misconceptions on Ownership and Authority to User Profiles

IBM i Security News Bytes

Cilasoft Introduces "Elevated Authority Manager" For IBM i
Elevated Authority Manager(EAM) is a software solution that allows IT managers to temporarily give specific authorities to selected users. To further manage the process, the included reporting and alerting features of EAM lets IT managers know the precise actions performed by users during the period they have been granted any special authority.
Download the EAM Brochure in pdf format

Raz-Lee Launches into the Database Universe with Revolutionary "DB-Gate"
Raz-Lee Security has releases a unique database access product, DB-Gate, which enables IBM i (AS/400) users to connect to virtually any type of remote database or data source without any middleware (software or hardware). This patent-pending technology utilizes standard SQL statements and works from all native SQL commands and programming languages.
View the Press Release for More Information on DB-Gate

Arpeggio Software releases new Version of SIFT-IT Free Edition
SIFT-IT is a QAUDJRN monitoring and alerting tool for the IBM i (AS/400).
More Information, and Download SIFT-IT Free

New Book - Now Shipping - IBM i Security Administration and Compliance
By Carol Woodbury
The Book is Now Shipping - You can Order your copy at the MCPress Online Bookstore
More Information and order from MCPress Online.

Free - New White Paper "How Much Security is Enough?"
Skyview Partners released the newest of its IBM i Security-Based White Papers by Carol Woodbury
Download the Free White Paper

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

Webinar - Implementing Security Best Practices for the IBM i
Featuring Carol Woodbury - Sponsored by Skyview Partners
Thursday May 17 1:00 PM EDT
More Information and Register to Attend

Webinar - The 2012 State of IBM i Security Study
Sponsored by PowerTech
Wednesday May 30 1:00 PM CDT
PowerTech releases the findings of its yearly IBM i Security Study in this live presentation. It is Always "Eye Opening" and thought provoking for us Security folks.
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend

Security Related Seminars and Conferences for IBM i

May 6-9 - - COMMON User Group - Annual Conference and Expo - Anaheim, CA

June 9-12 - - COMMON Europe Congress of 2012
Common Europe is Celebrating their 50Th Anniversary Conference, held in Vienna, Austria

SEA On Demand Learning

Skyview Partners - Security Checkup from Skyview Partners

Security Shorts

Alternative to Extracting and Formatting QAUDJRN

By Dan Riehl

In the above Feature Article "Forensic Analysis using QAUDJRN Part 2". I explain how you can extract information from the system QAUDJRN audit journal to provide a formatted output file containing events, such as when a System Value is changed. In that article, I show a method that uses a combination of two commands, Create Duplicate Object (CRTDUPOBJ) and Display Journal (DSPJRN). The information extracted is all the events in which a System Value was changed.

The CRTDUPOBJ command is used to create a usable copy of the IBM-supplied model file for the SV Type of Journal Entries. Once the usable copy of the IBM model file is created with CRTDUPOBJ, the command DSPJRN is used to extract the SV journal entries from QAUDJRN and place them into our copy of the IBM model output file, thereby letting us use simple query tools or download to Excel to evaluate the System Value Change events.

There IS Another, and Possibly Better, Way

While this is one way to extract the data and place it into a usable format, IBM has also provided an alternative method, which you might choose over the two-step method I use in the Feature Article.

In release V5R4, IBM introduced the CL command Copy Audit Journal Entries (CPYAUDJRNE). The command, in effect, replaces the older Display Audit Journal Entries (DSPAUDJRNE) command, which only let you print a list of the QAUDJRN journal entries; and the printed list is often missing key data elements from the journal entry.

CPYAUDJRNE helps you extract data from the system audit journal (QAUDJRN) and place that data into an entry-specific output file. It would be nice if the new command had the same filtering capability as the more capable DSPJRN command. It lets you filter only by journal entry type, user, journal receivers or from-date/time to-date/time.

The DSPJRN command allows additional selection criteria over CPYAUDJRNE, such as Program name and Job that caused the System Value change. However, if you do not need that extra filtering, I recommend using CPYAUDJRNE over DSPJRN.

The output file(s) created by the CPYAUDJRNE command is journal-entry–type specific, so you end up with the same result as explained in my Feature article that uses the two-step approach.

Here's an example of using CPYAUDJRNE to extract the SV (System Value Change) entries for the date and time period specified in the command.

             FROMTIME('05/19/2012' '04:00:00')
             TOTIME('05/20/2012' '04:00:00')

This command creates an output file named A0512SV, which contains the SV entries for the time period. You can then use IBM's Query or another query tool to present the data the way you want it. For example, to list all the System Value Changes for that time period, you could use the command:


You can review The 6.1 CPYAUDJRNE command documentation here.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Tool Selection & Configuration
Customized Security Programming

SEA On Demand Learning

Live Training from The 400 School

IBM i System Administration Jun 25-29

IBM i System Operations Jul 16-19

IBM i Security Workshop Aug 21-24

Send your IBM i Security Related News and Events!           Sponsor the Security Newsletter

© Copyright 2012 -, all rights reserved | St Louis MO 63017