Planning the auditing of object access

The i5/OS operating system provides the ability to log accesses to an object in the security audit journal by using system values and the object auditing values for users and objects. This is called object auditing.

The QAUDCTL system value, the OBJAUD value for an object, and the OBJAUD value for a user profile work together to control object auditing. The OBJAUD value for the object and the OBJAUD value for the user who is using the object determine whether a specific access should be logged. The QAUDCTL system value starts and stops the object auditing function: when QAUDCTL does not include *OBJAUD, no object audit entries are written, whatever OBJAUD values the objects and user profiles carry. A logged change-type access is written to the audit journal as a ZC (object change) entry and a logged read-type access as a ZR (object read) entry; these correspond to "Change" and "Use" in Table 1.

Table 1 shows how the OBJAUD values for the object and the user profile work together.

Table 1. How object and user auditing work together
  OBJAUD value     OBJAUD value for user
  for object       *NONE            *CHANGE          *ALL
  ---------------  ---------------  ---------------  ---------------
  *NONE            None             None             None
  *USRPRF          None             Change           Change and Use
  *CHANGE          Change           Change           Change
  *ALL             Change and Use   Change and Use   Change and Use

You can use object auditing to keep track of all users who access a critical object on the system. You can also use object auditing to keep track of all the objects that are accessed by a particular user. Object auditing is a flexible tool that enables you to monitor those object accesses that are important to your organization.

Taking advantage of the capabilities of object auditing requires careful planning. Poorly designed auditing might generate many more audit records than you can analyze, and can have a severe effect on system performance. For example, setting the OBJAUD value to *ALL for a library object (the *LIB object itself, which resides in QSYS) results in a ZR audit entry being written every time the system searches that library for an object, for example while resolving an unqualified object name through the library list. For a heavily used library on a busy system, this would generate a very large number of audit journal entries.

Here are some examples of how to use object auditing.

  • If certain critical files are used throughout your organization, you can periodically review who is accessing them using a sampling technique:
    1. Set the OBJAUD value for each critical file to *USRPRF using the Change Object Auditing command:
                            
                            Change Object Auditing (CHGOBJAUD)
       
      Type choices, press Enter.
       
      Object . . . . . . . . . . . . .   file-name
        Library  . . . . . . . . . . .     library-name
      Object type  . . . . . . . . . .   *FILE
      ASP device . . . . . . . . . . .   *
      Object auditing value  . . . . .   *USRPRF
       
    2. Set the OBJAUD value for each user in your sample to *CHANGE or *ALL using the CHGUSRAUD command.
    3. Make sure the QAUDCTL system value includes *OBJAUD.
    4. When sufficient time has elapsed to collect a representative sample, set the OBJAUD value in the user profiles to *NONE or remove *OBJAUD from the QAUDCTL system value.
    5. Analyze the audit journal entries by using the techniques described in Analyzing audit journal entries with query or a program.
  • If you are concerned about who is using a particular file, you can collect information about all accesses to the file for a period of time:
    1. Set object auditing for the file independent of user profile values:
      CHGOBJAUD OBJECT(library-name/file-name)
                OBJTYPE(*FILE)  OBJAUD(*CHANGE or *ALL)
    2. Make sure that the QAUDCTL system value includes *OBJAUD.
    3. When sufficient time has elapsed to collect a representative sample, set the OBJAUD value in the object to *NONE.
    4. Analyze the audit journal entries using the techniques described in Analyzing audit journal entries with query or a program.
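The file-specific procedure above, written as one CL program. This is an added example, not code from the original page: it verifies that QAUDCTL contains *OBJAUD before touching anything (otherwise the OBJAUD values are set but nothing is ever journaled), starts or stops auditing of a single file, and on stop copies the ZC (object change) and ZR (object read) entries out of the audit journal with CPYAUDJRNE. The program name AUDFILE, the library and file names in the CALL, and the output-file names QTEMP/QAUDITZC and QTEMP/QAUDITZR (CPYAUDJRNE appends the entry type to the OUTFILE name, as I recall it) are assumptions; confirm the output-file names on your release before building a query over them. CHGOBJAUD requires *AUDIT special authority.

```cl
/* AUDFILE (added example): start or stop object auditing of one  */
/* database file and copy the resulting QAUDJRN entries out.       */
/* CALL AUDFILE ('START' 'PAYLIB' 'PAYMAST')                       */
/* CALL AUDFILE ('STOP'  'PAYLIB' 'PAYMAST')                       */
/* PAYLIB/PAYMAST are placeholder names.                           */
             PGM        PARM(&ACTION &LIB &FILE)
             DCL        VAR(&ACTION) TYPE(*CHAR) LEN(5)
             DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&FILE)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&AUDCTL) TYPE(*CHAR) LEN(50)
             DCL        VAR(&POS)    TYPE(*DEC)  LEN(3 0) VALUE(1)
             DCL        VAR(&OBJAUD) TYPE(*LGL)  VALUE('0')
             DCL        VAR(&TEXT)   TYPE(*CHAR) LEN(80)

/* Precondition: QAUDCTL must contain *OBJAUD. The value is a list */
/* of 10-character entries, so walk it in steps of 10 rather than  */
/* relying on %SCAN, which older CL releases do not have.          */
             RTVSYSVAL  SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
             DOWHILE    COND(&POS *LE 41)
             IF         COND(%SST(&AUDCTL &POS 10) *EQ '*OBJAUD') +
                          THEN(CHGVAR VAR(&OBJAUD) VALUE('1'))
             CHGVAR     VAR(&POS) VALUE(&POS + 10)
             ENDDO
             IF         COND(*NOT &OBJAUD) THEN(DO)
/* Escape messages must be predefined; CPF9898 carries free text. */
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('QAUDCTL lacks *OBJAUD, fix it first') +
                          MSGTYPE(*ESCAPE)
             ENDDO

             IF         COND(&ACTION *EQ 'START') THEN(DO)
/* *ALL on the object logs both changes (ZC) and reads (ZR) for    */
/* every user, independent of the users' own OBJAUD values.        */
             CHGOBJAUD  OBJ(&LIB/&FILE) OBJTYPE(*FILE) OBJAUD(*ALL)
             CHGVAR     VAR(&TEXT) VALUE('Object auditing started +
                          for ' *CAT &LIB *TCAT '/' *TCAT &FILE)
             SNDPGMMSG  MSG(&TEXT)
             ENDDO

             IF         COND(&ACTION *EQ 'STOP') THEN(DO)
/* Stop first so the copied sample is complete and bounded.        */
             CHGOBJAUD  OBJ(&LIB/&FILE) OBJTYPE(*FILE) OBJAUD(*NONE)
/* Copy ZC and ZR entries from the current receiver chain into     */
/* QTEMP/QAUDITZC and QTEMP/QAUDITZR (assumed naming) for query.   */
             CPYAUDJRNE ENTTYP(ZC ZR) OUTFILE(QTEMP/QAUDIT) +
                          JRNRCV(*CURCHAIN)
             CHGVAR     VAR(&TEXT) VALUE('Object auditing stopped +
                          for ' *CAT &LIB *TCAT '/' *TCAT &FILE)
             SNDPGMMSG  MSG(&TEXT)
             ENDDO
             ENDPGM
```

The STOP branch resets the object before copying entries so that the sample has a clear end; the copied files can then be queried by object name and user (the field names in the output files come from the QASYZCJ5 and QASYZRJ5 model files and should be checked with DSPFFD on your system). If the receiver chain is long, add FROMTIME and TOTIME to CPYAUDJRNE to limit the copy to the sampling window.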
  • To audit all object accesses for a specific user, do the following actions:
    1. Set the OBJAUD value for all objects to *USRPRF using the CHGOBJAUD command (and the CHGAUD command for objects in the integrated file system):
                            
                            Change Object Auditing (CHGOBJAUD)
       
      Type choices, press Enter.
       
      Object . . . . . . . . . . . . .   *ALL
        Library . . . . . . . . . . . .  *ALLAVL
      Object type  . . . . . . . . . .   *ALL
      ASP device . . . . . . . . . . .   *
      Object auditing value  . . . . .   *USRPRF
       
      Attention: Depending on how many objects are on your system, this command might take many hours to run. Setting up object auditing for all objects on the system is often unnecessary and will severely degrade performance. Selecting a subset of object types and libraries for auditing is recommended.
    2. Set the OBJAUD value for the specific user profile to *CHANGE or *ALL using the CHGUSRAUD command.
    3. Make sure the QAUDCTL system value includes *OBJAUD.
    4. When you have collected a sufficient sample, set the OBJAUD value for the user profile to *NONE.
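The user-specific procedure above, following the attention note by scoping the *USRPRF setting to a chosen set of libraries and one integrated file system directory instead of every object on the system. This is an added example, not code from the original page: the program name AUDUSER, the libraries PAYLIB and HRLIB, the directory /home/payroll and the user name in the CALL are placeholders. Both CHGOBJAUD and CHGUSRAUD require *AUDIT special authority, and QAUDCTL must already include *OBJAUD (check with DSPSYSVAL SYSVAL(QAUDCTL)).

```cl
/* AUDUSER (added example): audit every object access by one user  */
/* inside selected libraries and one IFS directory tree.           */
/* CALL AUDUSER ('START' 'CONTRACT1')                               */
/* CALL AUDUSER ('STOP'  'CONTRACT1')                               */
/* PAYLIB, HRLIB, /home/payroll and CONTRACT1 are placeholders.     */
             PGM        PARM(&ACTION &USER)
             DCL        VAR(&ACTION) TYPE(*CHAR) LEN(5)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)

             IF         COND(&ACTION *EQ 'START') THEN(DO)
/* *USRPRF on the objects defers the decision to each user's       */
/* profile, so users outside the sample generate no entries.       */
/* OBJ(PAYLIB/*ALL) covers the objects in PAYLIB, not the *LIB     */
/* object QSYS/PAYLIB itself, so library searches are not logged.  */
             CHGOBJAUD  OBJ(PAYLIB/*ALL) OBJTYPE(*ALL) OBJAUD(*USRPRF)
             CHGOBJAUD  OBJ(HRLIB/*ALL)  OBJTYPE(*ALL) OBJAUD(*USRPRF)
/* Integrated file system objects are set with CHGAUD; SUBTREE     */
/* (*ALL) walks the whole directory tree.                          */
             CHGAUD     OBJ('/home/payroll') OBJAUD(*USRPRF) +
                          SUBTREE(*ALL)
/* The user's own OBJAUD value now decides what is written:        */
/* *ALL = changes (ZC) and reads (ZR); *CHANGE = changes only.     */
             CHGUSRAUD  USRPRF(&USER) OBJAUD(*ALL)
             ENDDO

             IF         COND(&ACTION *EQ 'STOP') THEN(DO)
/* Resetting the user profile is what stops new entries; the      */
/* object values are reset too so nothing is left behind.         */
             CHGUSRAUD  USRPRF(&USER) OBJAUD(*NONE)
             CHGOBJAUD  OBJ(PAYLIB/*ALL) OBJTYPE(*ALL) OBJAUD(*NONE)
             CHGOBJAUD  OBJ(HRLIB/*ALL)  OBJTYPE(*ALL) OBJAUD(*NONE)
             CHGAUD     OBJ('/home/payroll') OBJAUD(*NONE) +
                          SUBTREE(*ALL)
             ENDDO
             ENDPGM
```

Because the objects are left at *USRPRF while the sample runs, adding a second user to the sample is a single CHGUSRAUD for that profile. After STOP, copy the ZC and ZR entries out of QAUDJRN (for example with CPYAUDJRNE ENTTYP(ZC ZR)) and select on the user field to isolate the sampled profile.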