Auditing system values: Activate action auditing

The Activate action auditing system value is also known as QAUDCTL (*AUDLVL) and QAUDLVL (*AUDLVL2). You can use this system value to set action auditing and specify the auditing level for specific functions.

You can use a combination of these system values to activate object-level or user-level auditing.

Quick reference
Location: From IBM® Navigator for i, select Configuration and Service > System Values. Right-click Auditing, click Properties, then switch to the System tab.
Special authority: Audit (*AUDIT).
Notes:
  1. To view this system value, you must have Audit (*AUDIT) or All object (*ALLOBJ) special authority. If you do not have the required authority, the Auditing category is not displayed in IBM Navigator for i. If you access this system value in the character-based interface, the Not available (*NOTAVL) value is displayed.
  2. To change this system value, you must have Audit (*AUDIT) special authority.
Default value: Deselected. Action auditing is not activated.
Changes take effect: Immediately.
Lockable: Yes. (See Lock function of security-related system values for details.)

What can I do with this system value?

In the character-based interface, you can specify *AUDLVL for the QAUDCTL system value. By specifying *AUDLVL, you activate the auditing actions listed in the QAUDLVL system value. In addition, you can specify *AUDLVL2 in the QAUDLVL system value; this special value tells the system to also use the auditing actions listed in the QAUDLVL2 system value. If the QAUDLVL system value does not contain the value *AUDLVL2, the system ignores the values in the QAUDLVL2 system value.

In IBM Navigator for i, you can select what actions to audit without differentiating between QAUDLVL2 and QAUDLVL. There is no limit on how many actions you can audit.
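The following script is an added example (not IBM code, and not part of this page) that models the rules above so they can be checked against a system's current values: action auditing is on only when QAUDCTL contains *AUDLVL, QAUDLVL2 is read only when QAUDLVL contains *AUDLVL2, and the composite values *JOBDTA and *SECURITY stand for the individual values described under Job tasks and Security tasks below. The three sample system values and the site policy are constructed for the demo; on a real system the values would be read with DSPSYSVAL (or, if the SQL services are available, the QSYS2.SYSTEM_VALUE_INFO view; both are assumptions about the environment and not shown here). The remediation output uses the standard CHGSYSVAL command syntax.

```python
"""Effective action auditing for the IBM i QAUDCTL / QAUDLVL / QAUDLVL2 values.

Added example, not IBM's code. It models the rules stated on this page:
  * action auditing is on only when QAUDCTL contains *AUDLVL;
  * QAUDLVL2 is read only when QAUDLVL contains *AUDLVL2;
  * *JOBDTA is equivalent to *JOBBAS plus *JOBCHGUSR;
  * *SECURITY also selects the eight *SEC... values listed under Security tasks.
The sample values and policy below are constructed for the demo.
"""

# Composite action values and the individual values each one implies.
COMPOSITES = {
    "*JOBDTA": frozenset({"*JOBBAS", "*JOBCHGUSR"}),
    "*SECURITY": frozenset({"*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
                            "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL"}),
}
AUDLVL_SWITCH = "*AUDLVL"    # in QAUDCTL: action auditing is active
AUDLVL2_SWITCH = "*AUDLVL2"  # in QAUDLVL: QAUDLVL2 is also read
NONE = "*NONE"

# Constructed sample: QAUDLVL2 is populated but QAUDLVL never says *AUDLVL2.
SAMPLE = {"QAUDCTL": "*AUDLVL *OBJAUD",
          "QAUDLVL": "*AUTFAIL *JOBDTA",
          "QAUDLVL2": "*SECURITY *SERVICE"}
# Constructed baseline: the actions a hypothetical site requires to be audited.
POLICY = ["*AUTFAIL", "*SECURITY", "*SERVICE", "*JOBBAS", "*PGMADP"]


def parse_sysval(text):
    """Split a blank-separated list system value into a set (dropping *NONE)."""
    return {tok.upper() for tok in text.split()} - {NONE}


def expand(values):
    """Add the members of every composite value that is present."""
    out = set(values)
    for composite, members in COMPOSITES.items():
        if composite in out:
            out |= members
    return out


def atoms(values):
    """Expanded set with the composite names themselves removed."""
    return expand(values) - set(COMPOSITES)


def effective_actions(qaudctl, qaudlvl, qaudlvl2):
    """Return (set of actions actually audited, list of warnings)."""
    ctl, lvl, lvl2 = map(parse_sysval, (qaudctl, qaudlvl, qaudlvl2))
    warnings = []
    if AUDLVL_SWITCH not in ctl:
        if lvl or lvl2:
            warnings.append("QAUDCTL lacks *AUDLVL: QAUDLVL/QAUDLVL2 are set "
                            "but action auditing is off")
        return set(), warnings
    actions = set(lvl)
    if AUDLVL2_SWITCH in lvl:
        actions |= lvl2
    elif lvl2:
        warnings.append("QAUDLVL lacks *AUDLVL2: the values in QAUDLVL2 are ignored")
    return expand(actions) - {AUDLVL2_SWITCH}, warnings


def missing_actions(qaudctl, qaudlvl, qaudlvl2, required):
    """Required actions that are not effectively audited, as a sorted list.

    Comparison is on individual values, so *SECURITY in the policy is satisfied
    by the eight *SEC... values and vice versa; a composite is reported by name
    when all of its members are missing.
    """
    actual, _ = effective_actions(qaudctl, qaudlvl, qaudlvl2)
    gap = atoms(required) - atoms(actual)
    for composite, members in COMPOSITES.items():
        if members <= gap:
            gap = (gap - members) | {composite}
    return sorted(gap)


def chgsysval(name, values):
    """Build a CHGSYSVAL command; VALUE() replaces the whole list, not appends."""
    return f"CHGSYSVAL SYSVAL({name}) VALUE('{' '.join(sorted(values))}')"


def remediation_commands(qaudctl, qaudlvl, qaudlvl2, required):
    """CL commands that make every action in `required` effective.

    Missing actions are added to QAUDLVL2 and *AUDLVL2 is placed in QAUDLVL so
    that QAUDLVL2 is honoured; existing values are carried over because
    CHGSYSVAL replaces the list rather than appending to it.
    """
    ctl, lvl, lvl2 = map(parse_sysval, (qaudctl, qaudlvl, qaudlvl2))
    new_ctl = ctl | {AUDLVL_SWITCH}
    tentative_lvl = lvl | {AUDLVL2_SWITCH}
    gap = missing_actions(" ".join(new_ctl), " ".join(tentative_lvl),
                          " ".join(lvl2), required)
    new_lvl2 = lvl2 | set(gap)
    new_lvl = tentative_lvl if new_lvl2 else lvl  # only switch if QAUDLVL2 is used
    cmds = []
    for name, old, new in (("QAUDCTL", ctl, new_ctl), ("QAUDLVL", lvl, new_lvl),
                           ("QAUDLVL2", lvl2, new_lvl2)):
        if new != old:
            cmds.append(chgsysval(name, new))
    return cmds


if __name__ == "__main__":
    actions, warns = effective_actions(*SAMPLE.values())
    print("effective:", sorted(actions))
    for w in warns:
        print("WARNING:", w)
    print("missing:", missing_actions(*SAMPLE.values(), POLICY))
    for cmd in remediation_commands(*SAMPLE.values(), POLICY):
        print(cmd)
```

With the constructed sample, the check reports that *SECURITY and *SERVICE are configured in QAUDLVL2 but not audited, because QAUDLVL lacks *AUDLVL2, and the remediation adds *AUDLVL2 to QAUDLVL and the remaining gap (*PGMADP) to QAUDLVL2 while carrying the existing values over.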

You can specify the following values for this system value:

Attention events (*ATNEVT)
Use this option to audit attention events that occur on the system. Attention events are conditions that require further evaluation to determine their security significance. This option is available only on systems running IBM i V5R4, or later.
Authorization failure (*AUTFAIL)
Use this option to audit unsuccessful attempts to sign on the system and to access objects. Use authorization failures to regularly monitor users trying to perform unauthorized functions on the system. You can also use authorization failures to assist with migration to a higher security level and to test resource security for a new application.
Communication and networking tasks (*NETCMN)
Use this option to audit violations detected by the APPN firewall. This value also audits socket connections, directory search filter and endpoint filter violations.
Job base tasks (*JOBBAS)
Use this option to audit job base functions; for example, job start and stop data. This option is not supported on systems running IBM i V5R4, or earlier.
Job tasks (*JOBDTA)
Use this option to audit actions that affect a job. Use job tasks to monitor who is running batch jobs. The Job tasks option is composed of the Job base tasks (*JOBBAS) value and the Job (thread level) profile changes (*JOBCHGUSR) value. If you specify both of these values, you get the same auditing as if you specified the Job tasks option. This option is not supported on systems running IBM i V5R4, or earlier.
Job (thread level) profile changes (*JOBCHGUSR)
Use this option to audit changes to a thread's active user profile or its group profiles.
Object creation (*CREATE)
Use this option to audit the creation or replacement of an object. Use object creation to monitor when programs are created or recompiled. Objects created into the QTEMP library are not audited.
Object deletion (*DELETE)
Use this option to audit the deletion of all external objects on the system. Objects deleted from the QTEMP library are not audited.
Object management (*OBJMGT)
Use this option to audit an object rename or move operation. Use object management to detect attempts to copy confidential information by moving an object to a different library.
Object restore (*SAVRST)
Use this option to audit the save and restore information of an object. Use object restore to detect attempts to restore unauthorized objects.
Office tasks (*OFCSRV)
Use this option to audit the OfficeVision licensed program. This option audits changes to the system distribution directory and the opening of a mail log. Actions performed on specific items in the mail log are not recorded. Use office tasks to detect attempts to change how mail is routed or to monitor when another user's mail log is opened.
Optical tasks (*OPTICAL)
Use this option to audit optical functions, such as adding or removing an optical cartridge or changing the authorization list used to secure an optical volume. Other functions include copying, moving, or renaming an optical file, saving or releasing a held optical file, and so on.
Printing functions (*PRTDTA)
Use this option to audit the printing of a spooled file, printing directly from a program, or sending a spooled file to a remote printer. Use printing functions to detect the printing of confidential information.
Program adoption (*PGMADP)
Use this option to audit the use of adopted authority to gain access to an object. Use program adoption to test where and how a new application uses adopted authority.
Program temporary fix (PTF) object changes (*PTFOBJ)
Use this option to audit changes to PTF objects. The following are some examples:
  • Library objects such as *PGM and *SRVPGM objects
  • Replaceable Unit (RU) objects for LIC PTFs
  • Integrated File System (IFS) objects
Program temporary fix (PTF) operations (*PTFOPR)
Use this option to audit PTF operations. The following are some examples:
  • Load, apply, or remove a PTF
  • Log or delete a PTF save file
  • Install PTFs using GO PTF or INSPTF command
Security tasks (*SECURITY)
Use this option to audit events related to security, such as changing a user profile or system value. Use security tasks to detect attempts to circumvent security by changing authority, auditing, or ownership of objects, by changing programs to adopt their owner's authority, or by resetting the security officer's password.

By selecting this option, you are also selecting to audit the following:

  • Security configuration
  • Directory service functions
  • Security interprocess communications
  • Network authentication service actions
  • Security run time functions
  • Security socket descriptors
  • Verification functions
  • Validation list objects
Service tasks (*SERVICE)
Use this option to audit the use of system service tools, such as the Dump Object and Start Trace commands. Use service tasks to detect attempts to circumvent security by using service tools or collecting traces in which security sensitive data is retrieved.
Spool management (*SPLFDTA)
Use this option to audit actions performed on spooled files, including creating, copying, and sending. Use spool management to detect attempts to print or send confidential data.
System integrity violations (*PGMFAIL)
Use this option to audit object domain integrity violations such as a blocked instruction, a validation value failure, or a domain violation. Use system integrity violations to assist with migration to a higher security level or to test a new application.
System management (*SYSMGT)
Use this option to audit system management activities, such as changing a reply list or the power-on and -off schedule. Use system management to detect attempts to use system management functions to circumvent security controls.
Network base tasks (*NETBAS)
Use this option to audit network base tasks. This option audits transactions on your network of systems. The following are some example network base tasks that are audited:
  • Changes to IP rules. For example, if someone creates an IP rule that blocks traffic into or out of an IP interface, that action is audited.
  • State changes of a VPN (Virtual Private Network) connection going up or down. If the connection is up, the VPN connection is usable and communication between the two systems is protected. If the connection is down, either the communication is not protected or no communication is allowed at all.
  • Communication between sockets from one system to another
  • APPN directory search filter
  • APPN end point filter

This option is available only on systems running IBM i V5R3, or later.

Network cluster tasks (*NETCLU)
Use this option to audit cluster or cluster resource group operations, such as the following network cluster tasks:
  • Adding, creating, or deleting a cluster node or cluster resource group operation
  • Ending a cluster node or cluster resource group
  • Automatic failover, in which the failure of a system switches access to another system
  • Removing a cluster node or cluster resource group
  • Starting a cluster node or resource group
  • Manually switching access from one system to another in a cluster
  • Updating a cluster node or cluster resource group

This option is available only on systems running IBM i V5R3, or later.

Network failure (*NETFAIL)
Use this option to audit network failures. The following are some examples of network failures that are audited when you select this option:
  • Trying to connect to a TCP/IP port that does not exist
  • Trying to send information to a TCP/IP port that is not open or unavailable

This option is available only on systems running IBM i V5R3, or later.

Network socket tasks (*NETSCK)
Use this option to audit socket tasks. A socket is an endpoint on a system that is used for communication. In order for two systems to communicate, they need to connect to each other's sockets. The following are examples of socket tasks that are audited when you select this option:
  • Accepting an inbound TCP/IP socket connection
  • Establishing an outbound TCP/IP socket connection
  • Assigning your system an IP address through DHCP (Dynamic Host Configuration Protocol)
  • Inability to assign your system an IP address through DHCP because all of the IP addresses are being used
  • Filtering mail. For example, when mail is set up to be filtered and a message meets the criteria to be filtered, that message is audited.
  • Rejecting mail. For example, when mail is set up to be rejected from a specific system, all mail attempts from that system are audited.

This option is available only on systems running IBM i V5R3, or later.

Security configuration (*SECCFG)
Use this option to audit security configuration. The following are some examples:
  • Create, change, delete, and restore operations of user profiles
  • Changing programs (CHGPGM) to adopt the owner's profile
  • Changing system values, environment variables, and network attributes
  • Changing subsystem routing
  • Resetting the security officer (QSECOFR) password to the shipped value from Dedicated Service Tools (DST)
  • Requesting the password for the service tools security officer user ID to be defaulted
  • Changing the auditing attribute of an object

This option is available only on systems running IBM i V5R3, or later.

Security directory services (*SECDIRSRV)
Use this option to audit changes or updates when doing directory service functions. The directory service function allows users to store files and objects. The following are some actions performed using the directory service function that are audited:
  • Changing audit levels
  • Changing authorities
  • Changing passwords
  • Changing ownerships
  • Binding and unbinding successfully

This option is available only on systems running IBM i V5R3, or later.

Security interprocess communications (*SECIPC)
Use this option to audit changes to interprocess communications. The following are some examples:
  • Changing ownership or authority of an IPC object
  • Creating, deleting, or retrieving an IPC object
  • Attaching shared memory

This option is available only on systems running IBM i V5R3, or later.

Security network authentication services (*SECNAS)
Use this option to audit network authentication service actions. The following are some examples:
  • Service ticket valid
  • Service principals do not match
  • Client principals do not match
  • Ticket IP address mismatch
  • Decryption of the ticket failed
  • Decryption of the authenticator failed
  • Realm is not within client and local realms
  • Ticket is a replay attempt
  • Ticket not yet valid
  • Remote or local IP address mismatch
  • Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
  • KRB_AP_PRIV or KRB_AP_SAFE - time stamp error, replay error, or sequence order error
  • GSS accept - expired credentials, checksum error, or channel bindings
  • GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, or sequence error

This option is available only on systems running IBM i V5R3, or later.

Security run time tasks (*SECRUN)
Use this option to audit security run time functions. This option audits any actions that are performed while a program is running. Run time changes occur more frequently than changes made outside of run time. The following are some examples:
  • Changing object ownership
  • Changing authorization list or object authority
  • Changing the primary group of an object

This option is available only on systems running IBM i V5R3, or later.

Security socket descriptors (*SECSCKD)
Use this option to audit the passing of socket or file descriptors between IBM i jobs. The descriptor is a 4-byte integer that points to an entry in a process descriptor table. This table is a list of all socket and file descriptors that have been opened by this process. Each entry in this table represents a single socket or file that this process has opened. The following are some examples:
  • Giving a socket or file descriptor to another job
  • Receiving a socket or file descriptor from another job
  • Inability to receive a socket or file descriptor that was passed to this job. For example, the job that called the receive message command (recvmsg()) did not have enough authority or was not running the same user profile as the job that had originally called the send message command (sendmsg()) when the descriptor was passed.

This option is available only on systems running IBM i V5R3, or later.

Security verification (*SECVFY)
Use this option to audit verification functions. The following are some examples:
  • Changing a target user profile during a pass-through session
  • Generating a profile handle
  • Invalidating a profile token
  • Generating the maximum number of profile tokens
  • Generating a profile token
  • Removing all profile tokens for a user
  • Removing user profile tokens for a user
  • Authenticating a user profile
  • Starting or ending work on behalf of another user

This option is available only on systems running IBM i V5R3, or later.

Security validation tasks (*SECVLDL)
Use this option to audit validation list objects. A validation list object is used to store data, and the data is encrypted for security reasons. For example, you may have a validation list that stores user names and passwords that are used to control access to a Web page. A validation list is used rather than a database file because it is more secure: it contains only user names and passwords rather than user profiles. The following are some example tasks that are audited when this option is selected:
  • Adding, changing, or removing a validation list entry
  • Accessing a validation list entry
  • Successful and unsuccessful verification of a validation list entry

This option is available only on systems running IBM i V5R3, or later.

Not available (*NOTAVL)
This value is displayed if the user does not have authority to view the auditing value. You cannot set the system value to Not available (*NOTAVL). This value is only displayed when a user accessing the system value does not have either All object (*ALLOBJ) or Audit (*AUDIT) special authority.