<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Use the security audit journal" />
<meta name="abstract" content="The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system." />
<meta name="description" content="The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="usesecauditjournal" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Use the security audit journal</title>
</head>
<body id="usesecauditjournal"><a name="usesecauditjournal"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Use the security audit journal</h1>
<div><p>The security audit journal is the primary source of auditing information
on the system. A security auditor inside or outside your organization can
use the auditing function provided by the system to gather information about
security-related events that occur on the system.</p>
<div class="p">The information in the <strong>audit journals</strong> is used: <ul><li>To detect attempted security violations.</li>
<li>To plan migration to a higher security level.</li>
<li>To monitor the use of sensitive objects, such as confidential files.</li>
</ul>
</div>
<div class="p">Commands are available to view the information in the audit journals in
different ways. You can define auditing on your system at three different
levels: <ul><li>System-wide auditing that occurs for all users.</li>
<li>Auditing that occurs for specific objects.</li>
<li>Auditing that occurs for specific users.</li>
</ul>
</div>
<div class="p">To help you monitor security, the operating system can log security events
that occur on your system. These events are recorded in special system objects
called <strong>journal receivers</strong>. You can set up journal receivers to record
different types of security events, such as changing a system value or user
profile, or an unsuccessful attempt to access an object. The following values
control which events are logged: <ul><li>The audit control (QAUDCTL) system value</li>
<li>The audit level (QAUDLVL) system value</li>
<li>The audit level (AUDLVL) value in user profiles</li>
<li>The object auditing (OBJAUD) value in user profiles</li>
<li>The object auditing (OBJAUD) value in objects</li>
</ul>
</div>
<p><strong>Manage the audit journal and journal receivers</strong></p>
<p>The auditing journal, QSYS/QAUDJRN, is intended solely for security auditing.
Objects should not be journaled to the audit journal. Commitment control should
not use the audit journal. User entries should not be sent to this journal
using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE)
API.</p>
<div class="p">Special locking protection is used to ensure that the system can write
audit entries to the audit journal. When auditing is active (the QAUDCTL system
value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the
QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal
when auditing is active, such as: <ul><li>DLTJRN command</li>
<li>ENDJRN<em>xxx</em> command</li>
<li>APYJRNCHG command</li>
<li>RMVJRNCHG command</li>
<li>DMPOBJ or DMPSYSOBJ command</li>
<li>Moving the journal</li>
<li>Restoring the journal</li>
<li>Operations that work with authority, such as the GRTOBJAUT command</li>
<li>WRKJRN command</li>
</ul>
</div>
<p>The information recorded in the security journal entries is described in
the Security Reference book. All security entries in the audit journal have a
journal code of T. In addition to security entries, system entries also appear
in the journal QAUDJRN. These are entries with a journal code of J, which
relate to initial program load (IPL) and general operations performed on journal
receivers (for example, saving the receiver).</p>
<p>If damage occurs to the journal or to its current receiver so that the
auditing entries cannot be journaled, the QAUDENDACN system value determines
what action the system takes. Recovery from a damaged journal or journal receiver
is the same as for other journals.</p>
<p>You may want to have the system manage the changing of journal receivers.
Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the
journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically
detaches the receiver when it reaches its threshold size and creates and attaches
a new journal receiver. This is called <span class="uicontrol">system change-journal management</span>.</p>
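<p>The following CL sequence is an added example, not part of the original topic. It sets auditing at each of the three levels described above, switches QAUDJRN to system change-journal management, and then reviews entries by journal code. It assumes the QSYS/QAUDJRN journal already exists; the user profile APPUSER, the file PAYLIB/PAYROLL, and the chosen audit values are hypothetical illustrations.</p>
<pre>
```cl
/* Added example. APPUSER and PAYLIB/PAYROLL are hypothetical names. */

/* 1. Review the values that control which events are logged.        */
DSPSYSVAL SYSVAL(QAUDCTL)      /* *NONE means auditing is not active */
DSPSYSVAL SYSVAL(QAUDLVL)      /* system-wide event categories       */
DSPSYSVAL SYSVAL(QAUDENDACN)   /* action when entries cannot be      */
                               /* journaled                          */

/* 2. System-wide auditing for all users: activate auditing and log  */
/*    authority failures and security-related changes.               */
/*    *AUDLVL enables QAUDLVL and user AUDLVL values; *OBJAUD        */
/*    enables the OBJAUD values set on objects and user profiles.    */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY')

/* 3. Auditing for a specific user: also log the commands that the   */
/*    hypothetical profile APPUSER runs.                             */
CHGUSRAUD USRPRF(APPUSER) AUDLVL(*CMD)

/* 4. Auditing for a specific object: log every read and change of   */
/*    the hypothetical confidential file, whoever the user is.       */
CHGOBJAUD OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)

/* 5. Have the system detach a full receiver and attach a new one.   */
CHGJRN JRN(QSYS/QAUDJRN) MNGRCV(*SYSTEM)

/* 6. Review what was recorded. Journal code T selects the security  */
/*    entries; journal code J selects the system entries for IPL     */
/*    and journal receiver operations.                               */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T))
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((J))
```
</pre>
<p>After step 2, the QSYSARB lock described above is in effect, so the restricted operations in the earlier list fail against QSYS/QAUDJRN until QAUDCTL is set back to *NONE.</p>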
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
</div>
</div>
</body>
</html>