Here is your iSeries security tip for October, 2006 from SkyView
Partners, Inc., World Class i5/OS and OS/400 Security Experts.
I have been asked the same question – How do I get information out
of the i5/OS audit journal? – twice within the last week! So I thought
that some of you may be wondering the same thing. The answer? There
are two methods you can use. #1 - Run the DSPAUDJRNE command. The
default is to look for the AF - or authority failure - entries. The
output shows only a subset of the fields in each AF audit journal
entry. However, there is often enough information to determine what
caused a particular entry to be generated.
However, if you want more of the information that's in the audit
journal entry or if you see *N as the object name (indicating that
the object is in the IFS), then you must dump the audit journal entries
to an outfile and query the results.
To do that, first create a duplicate of the model outfile for the audit
journal entry type:
CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
where xx is the audit journal entry type you're looking for; for an
authority failure it would be "AF".
Then display the audit journal to that outfile (the + at the end of the
first line is the CL continuation character):
DSPJRN JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(xx) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)
Now you can either display the file or query the results (my preferred
method) and see all fields in the audit journal entry. V5R4 provides a
command, CPYAUDJRNE, which combines the create duplicate object and
display journal steps into one command. The audit journal model outfiles
are described in Appendix F of the iSeries Security Reference manual,
available from the IBM Information Center.
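Here is the whole sequence worked through for an authority failure, as an
added example for this tip rather than the command lines from the original
text. It assumes entry type AF and the 09/25/06 start date used above, and
the SELECT uses field names (AFTSTP, AFJOB, AFUSER, AFNBR, AFUSPF, AFPGM,
AFENTT, AFONAM, AFOLIB, AFOTYP, AFPNAM) taken from the QASYAFJ5 layout in
Appendix F of the Security Reference; confirm them on your release with
DSPFFD FILE(QSYS/QASYAFJ5) before relying on the query.

```cl
/* Added example for this tip (not from the original text). Dump AF    */
/* entries since 09/25/06 to an outfile and query them with SQL.       */
/* Field names are assumed from the QASYAFJ5 layout in Appendix F of   */
/* the Security Reference; check them with DSPFFD FILE(QSYS/QASYAFJ5). */

/* 1. Duplicate the *TYPE5 model outfile for AF entries into QTEMP.    */
CRTDUPOBJ  OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)

/* 2. Write the AF entries (journal code T) into that outfile.         */
DSPJRN     JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(AF) +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYAFJ5)

/* 3. Query the outfile from STRSQL in the same job (QTEMP is per job). */
/*    AFPNAM carries the IFS path that DSPAUDJRNE shows as *N;         */
/*    AFUSPF is the profile that was denied; AFENTT is the failure     */
/*    type (A = not authorized to object, K = special authority        */
/*    violation).                                                      */
STRSQL
SELECT AFTSTP, AFJOB, AFUSER, AFNBR, AFUSPF, AFPGM, AFENTT,
       AFONAM, AFOLIB, AFOTYP, AFPNAM
  FROM QTEMP/QASYAFJ5
 WHERE AFENTT IN ('A', 'K')
 ORDER BY AFTSTP DESC
```

Add a predicate on AFUSPF or AFOLIB to narrow the result to the user or
library you are investigating. If you are on V5R4, CPYAUDJRNE replaces
steps 1 and 2; the query is the same.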
Want to know that your system EXACTLY matches your security policy
requirements?
Policy Minder Tip - Discover “new” items.
Starting your Christmas list?
You might want to add a 30- day free trial of the newest version of
SkyView Policy Minder to your list!
Policy Minder version 1.2 offers some significant time-saving enhancements
including:
Create templates to discover “new” items.
Using one of the new features of Policy Minder 1.2, many administrators
are creating templates to discover “new” items on their systems. For
example, to discover when a new library has been created on the system,
they create a library template, include all libraries and set the
“Allow new libraries” attribute to be *NO. Any new library created
after taking an initial baseline check will be identified. Now you
can discover the libraries created by installing vendor software,
programmers creating duplicate libraries to test with, etc.
Administrators are using the “Allow new xxx” template attribute to
manage many aspects of their system. Here are a few more examples:
About the author
Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing
in security compliance management and assessment software as well
as security services. Carol is the former chief security architect
for AS/400 for IBM in Rochester, Minnesota, and has specialized in
security architecture, design, and consulting for more than 15 years.
Carol speaks around the world on a variety of security topics and
is coauthor of the book Experts' Guide to OS/400 and i5/OS Security.