With security auditing, you can collect information about security events in the QAUDJRN journal.
Overview:
- Purpose: Set up the system to collect security events in the QAUDJRN journal.
- How To: CRTJRNRCV, CRTJRN QSYS/QAUDJRN, WRKSYSVAL *SEC, CHGOBJAUD, CHGDLOAUD, CHGUSRAUD
- Authority: *ADD authority to QSYS and to the journal receiver library; *AUDIT special authority
- Journal Entry: CO (create object), SV (system value change), AD (object and user audit changes)
- Note: QSYS/QAUDJRN must exist before QAUDCTL can be changed; otherwise the system auditing function does not know the journal name and will not find it.
To set up security auditing, complete the following steps. You need *AUDIT special authority to complete these steps.

1. Create a journal receiver in a library of your choice by using the Create Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB for journal receivers.

       CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
                 THRESHOLD(100000) AUT(*EXCLUDE) +
                 TEXT('Auditing Journal Receiver')

   - Place the journal receiver in a library that is saved regularly. Do not place the journal receiver in library QSYS, even though that is where the journal will be.
   - Choose a journal receiver name that can be used to create a naming convention for future journal receivers, such as AUDRCV0001. You can use the *GEN option when you change journal receivers to continue the naming convention. Using this type of naming convention is very helpful if you choose to have the system manage changing your journal receivers.
   - Specify a receiver threshold appropriate to your system size and activity. The size you choose should be based on the number of transactions on your system and the number of actions that you choose to audit. If you use system change-journal management support, the journal receiver threshold must be at least 100 000 KB. For more information about the journal receiver threshold, refer to Journal management.
   - Specify *EXCLUDE on the AUT parameter to limit access to the information that is stored in the journal.

2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:

       CRTJRN JRN(QSYS/QAUDJRN) +
              JRNRCV(JRNLIB/AUDRCV0001) +
              MNGRCV(*SYSTEM) DLTRCV(*NO) +
              AUT(*EXCLUDE) TEXT('Auditing Journal')

   - The name QSYS/QAUDJRN must be used.
   - Specify the name of the journal receiver that you created in the previous step.
   - Specify *EXCLUDE on the AUT parameter to limit access to the information stored in the journal. You must have authority to add objects to QSYS to create the journal.
   - Use the Manage receiver (MNGRCV) parameter to have the system change the journal receiver and attach a new one when the attached receiver exceeds the threshold specified when the journal receiver was created. If you choose this option, you do not need to use the CHGJRN command to detach receivers and create and attach new receivers manually.
   - Do not have the system delete detached receivers. Specify DLTRCV(*NO), which is the default. The QAUDJRN receivers are your security audit trail. Make sure that they are adequately saved before deleting them from the system. The Journal management topic provides more information about working with journals and journal receivers.

3. Set the audit level (QAUDLVL) system value or the audit level extension (QAUDLVL2) system value by using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2 system values determine which actions are logged to the audit journal for all users on the system. See Planning the auditing of actions.

4. If necessary, set action auditing for individual users by using the CHGUSRAUD command. See Planning the auditing of actions.

5. If necessary, set object auditing for specific objects by using the CHGOBJAUD, CHGAUD, and CHGDLOAUD commands. See Planning the auditing of object access.

6. If necessary, set object auditing for specific users by using the CHGUSRAUD command.

7. Set the QAUDENDACN system value to control what happens if the system cannot access the audit journal. See Audit end action.

8. Set the QAUDFRCLVL system value to control how often audit records are written to auxiliary storage. See Preventing loss of auditing information.

9. Start auditing by setting the QAUDCTL system value to a value other than *NONE.

   The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL system value to a value other than *NONE. When you start auditing, the system attempts to write a record to the audit journal. If the attempt is not successful, you receive a message and auditing does not start.
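The procedure above carried through as a single CL program, as an added example that is not part of the original documentation. It reuses the JRNLIB/AUDRCV0001 names from the steps; the QAUDLVL values, the user profile AUDUSR and the object PAYLIB/PAYFILE are constructed placeholders to be replaced with your own choices. It also performs the check the final note calls for: CHKOBJ confirms that QSYS/QAUDJRN exists before QAUDCTL is changed, and the program stops with a message if it does not.

```cl
/* SETAUDJRN: set up security auditing into QSYS/QAUDJRN.              */
/* Added example, not from the original page. Requires *AUDIT special  */
/* authority and *ADD authority to QSYS and to the receiver library.    */
/* AUDUSR and PAYLIB/PAYFILE are constructed placeholders.              */
             PGM

             /* Step 1: receiver in a library that is saved regularly, */
             /* never in QSYS; *EXCLUDE keeps the audit data private    */
             CRTJRNRCV  JRNRCV(JRNLIB/AUDRCV0001) THRESHOLD(100000) +
                          AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')

             /* Step 2: the journal name QSYS/QAUDJRN is mandatory.     */
             /* MNGRCV(*SYSTEM) lets the system swap receivers at the   */
             /* threshold; DLTRCV(*NO) keeps detached receivers (the    */
             /* audit trail) until they have been saved.                */
             CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(JRNLIB/AUDRCV0001) +
                          MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
                          TEXT('Auditing Journal')

             /* Step 3: system-wide action auditing (example values)    */
             CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY +
                          *SAVRST *SERVICE')

             /* Steps 4 and 6: action and object auditing for one user */
             /* profile (AUDUSR is a placeholder)                       */
             CHGUSRAUD  USRPRF(AUDUSR) OBJAUD(*CHANGE) AUDLVL(*CMD)

             /* Step 5: object auditing for one object (placeholder)   */
             CHGOBJAUD  OBJ(PAYLIB/PAYFILE) OBJTYPE(*FILE) OBJAUD(*CHANGE)

             /* Steps 7 and 8: what happens if the journal cannot be   */
             /* reached, and how often records are forced to disk      */
             CHGSYSVAL  SYSVAL(QAUDENDACN) VALUE('*NOTIFY')
             CHGSYSVAL  SYSVAL(QAUDFRCLVL) VALUE('*SYS')

             /* Step 9: QAUDCTL may only be changed once QSYS/QAUDJRN  */
             /* exists; CPF9801 (object not found) aborts the setup    */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)
                SNDPGMMSG  MSG('QSYS/QAUDJRN not found, auditing not started')
                RETURN
             ENDDO
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

             /* Review the journal: once auditing is active, SV and AD */
             /* entries record further system value and audit changes  */
             DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(SV AD)
             ENDPGM
```

Running the program twice fails at CRTJRNRCV because the receiver already exists; on an established system you would keep only the CHGSYSVAL, CHGUSRAUD and CHGOBJAUD parts, since the receiver and journal are created once and then managed by MNGRCV(*SYSTEM).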