Auditing security on System i

This section describes techniques for auditing the effectiveness of security on your system.

People audit their system security for several reasons:
  • To evaluate whether the security plan is complete.
  • To make sure that the planned security controls are in place and working. This type of auditing is performed by the security officer as part of daily security administration. It is also performed, sometimes in greater detail, as part of a periodic security review by internal or external auditors.
  • To make sure that system security is keeping pace with changes to the system environment. Some examples of changes that affect security are:
    • New objects created by system users
    • New users admitted to the system
    • Change of object ownership (without the object's authorizations being adjusted)
    • Change of responsibilities (user moved to a different group, with the old group's authority not removed)
    • Temporary authority (not revoked when it is no longer needed)
    • New products installed
  • To prepare for a future event, such as installing a new application, moving to a higher security level, or setting up a communications network.

The techniques described in this section are appropriate for all of these situations. Which things you audit and how often depends on the size and security needs of your organization. The purpose of this section is to discuss what information is available, how to obtain it, and why it is needed, rather than to give guidelines for the frequency of audits.

This section has three parts:
  • A checklist of security items that can be planned and audited.
  • Information about setting up and using the audit journal provided by the system.
  • Other techniques that are available to gather security information about the system.

Security auditing involves using commands in the System i® environment and accessing log and journal information about the system. You might want to create a special profile to be used by someone doing a security audit of your system. The auditor profile will need *AUDIT special authority to be able to change the audit characteristics of your system. Some of the auditing tasks suggested in this section require a user profile with *ALLOBJ and *SECADM special authority. Because a profile with these special authorities can read and change anything on the system, make sure that you set its password to *NONE when the audit period has ended, so that the profile cannot be used to sign on between audits.
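The following CL commands are an added example of the auditor-profile setup described above; they are not part of the original page. The profile name AUDITOR, the initial password and the description text are assumptions chosen for illustration; the commands and parameters (CRTUSRPRF, DSPUSRPRF, CHGUSRPRF) are standard IBM i commands.

```cl
/* Added example (not from the original page): create a dedicated       */
/* auditor profile for a security review, verify it, and lock it when   */
/* the review ends. Profile name AUDITOR, the initial password and the  */
/* TEXT value are assumptions; adjust them to your naming convention.   */

/* Create the profile with the special authorities the review needs.    */
/* *AUDIT lets the auditor change the system's audit characteristics;   */
/* *ALLOBJ and *SECADM are required by some of the auditing tasks in    */
/* this section. PWDEXP(*YES) forces a password change at first         */
/* sign-on, so the administrator who creates the profile does not know  */
/* the password the auditor actually uses.                              */
CRTUSRPRF USRPRF(AUDITOR) PASSWORD(TEMP4AUD) PWDEXP(*YES) +
          USRCLS(*USER) SPCAUT(*AUDIT *ALLOBJ *SECADM) +
          TEXT('Security auditor - temporary profile')

/* Check that the profile received exactly the special authorities      */
/* intended and nothing more (for example, no *SERVICE or *IOSYSCFG).   */
DSPUSRPRF USRPRF(AUDITOR) TYPE(*BASIC)

/* When the audit period ends, set the password to *NONE so the profile */
/* can no longer be used to sign on. The profile itself is kept, so any */
/* objects it owns and its audit settings survive for the next review.  */
CHGUSRPRF USRPRF(AUDITOR) PASSWORD(*NONE)
```

Keeping the profile and only removing its password, rather than deleting it, avoids orphaning objects the auditor created; when the next review starts, a new password can be assigned with CHGUSRPRF USRPRF(AUDITOR) PASSWORD(...) PWDEXP(*YES).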