<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Set up security auditing" />
<meta name="abstract" content="This article describes how to set up security auditing, explains why it is important, and provides step-by-step instructions. The system collects security events in the QAUDJRN journal." />
<meta name="description" content="This article describes how to set up security auditing, explains why it is important, and provides step-by-step instructions. The system collects security events in the QAUDJRN journal." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="setsecaudit" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Set up security auditing</title>
</head>
<body id="setsecaudit"><a name="setsecaudit"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Set up security auditing</h1>
<div><p>This article describes how to set up security auditing, explains
why it is important, and provides step-by-step instructions. The system collects
security events in the QAUDJRN journal.</p>
<div class="p">Setting up auditing requires *AUDIT special authority. To set up security
auditing, do the following steps:<ol><li>Create a journal receiver in a library of your choice by using the Create
Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB
for journal receivers.<pre>CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
          TEXT('Auditing Journal Receiver')</pre>
<ul><li>Place the journal receiver in a library that is saved regularly. Do not
place the journal receiver in library QSYS, even though that is where the
journal will be.</li>
<li>Choose a journal receiver name that can be used to create a naming convention
for future journal receivers, such as AUDRCV0001. You can use the *GEN option
when you change journal receivers to continue the naming convention. Using
this type of naming convention is also useful if you choose to have the system
manage changing your journal receivers.</li>
<li>Specify a receiver threshold appropriate to your system size and activity.
The size you choose should be based on the number of transactions on your
system and the number of actions you choose to audit. If you use system change-journal
management support, the journal receiver threshold must be at least 100 000
KB.</li>
<li>Specify *EXCLUDE on the AUT parameter to limit access to the information
stored in the journal.</li>
</ul>
</li>
<li>Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:<pre>CRTJRN JRN(QSYS/QAUDJRN) +
       JRNRCV(JRNLIB/AUDRCV0001) +
       MNGRCV(*SYSTEM) DLTRCV(*NO) +
       AUT(*EXCLUDE) TEXT('Auditing Journal')</pre>
<ul><li>The name QSYS/QAUDJRN <em>must</em> be used.</li>
<li>Specify the name of the journal receiver you created in the previous step.</li>
<li>Specify *EXCLUDE on the AUT parameter to limit access to the information
stored in the journal. You must have authority to add objects to QSYS to create
the journal.</li>
<li>Use the Manage receiver (MNGRCV) parameter to have the system change the
journal receiver and attach a new one when the attached receiver exceeds the
threshold specified when the journal receiver was created. If you choose this
option, you do not have to use the CHGJRN command to detach receivers and
create and attach new receivers manually.</li>
<li>Do not have the system delete detached receivers. Specify DLTRCV(*NO),
which is the default. The QAUDJRN receivers are your security audit trail.
Ensure that they are adequately saved before deleting them from the system.</li>
</ul>
</li>
<li>Set the audit level (QAUDLVL) system value or the audit level extension
(QAUDLVL2) system value using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2
system values determine which actions are logged to the audit journal for
all users on the system.</li>
<li>Set action auditing for individual users if necessary using the CHGUSRAUD
command.</li>
<li>Set object auditing for specific objects if necessary using the CHGOBJAUD
and CHGDLOAUD commands.</li>
<li>Set object auditing for specific users if necessary using the CHGUSRAUD
command.</li>
<li>Set the QAUDENDACN system value to control what happens if the system
cannot access the audit journal.</li>
<li>Set the QAUDFRCLVL system value to control how often audit records are
written to auxiliary storage.</li>
<li>Start auditing by setting the QAUDCTL system value to a value other than
*NONE.</li>
</ol>
</div>
<div class="note"><span class="notetitle">Note:</span> The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL
system value to a value other than *NONE. When you start auditing, the system
attempts to write a record to the audit journal. If the attempt is not successful,
you receive a message and auditing does not start.</div>
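<p>The nine steps above written as one CL program. This is an added example, not part of the original IBM topic. It assumes CHGSYSVAL in place of the interactive WRKSYSVAL display, a sample selection of QAUDLVL values, and the hypothetical names AUDUSER1 (user profile) and APPLIB/PAYROLL (file); run it under a profile with *AUDIT special authority.</p>

```cl
PGM
  /* Added example. AUDUSER1, APPLIB/PAYROLL and the chosen audit   */
  /* level values are assumptions, not values from the IBM topic.   */

  /* Step 1: receiver outside QSYS, 100 000 KB threshold so that    */
  /* system change-journal management can be used, no public access */
  CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) THRESHOLD(100000) +
            AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')

  /* Step 2: system-managed receivers; detached receivers are kept  */
  CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(JRNLIB/AUDRCV0001) +
         MNGRCV(*SYSTEM) DLTRCV(*NO) +
         AUT(*EXCLUDE) TEXT('Auditing Journal')

  /* Step 3: actions audited for all users (sample selection)       */
  CHGSYSVAL SYSVAL(QAUDLVL) +
            VALUE('*AUTFAIL *SECURITY *SERVICE *SAVRST')

  /* Steps 4 and 6: extra action auditing and object auditing for   */
  /* one user profile                                               */
  CHGUSRAUD USRPRF(AUDUSER1) OBJAUD(*CHANGE) AUDLVL(*CMD *SECURITY)

  /* Step 5: audit this file according to each user's OBJAUD value  */
  CHGOBJAUD OBJ(APPLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*USRPRF)

  /* Step 7: notify and keep running if the journal is unavailable  */
  CHGSYSVAL SYSVAL(QAUDENDACN) VALUE('*NOTIFY')

  /* Step 8: let the system decide when records are forced to disk  */
  CHGSYSVAL SYSVAL(QAUDFRCLVL) VALUE('*SYS')

  /* Step 9: QAUDCTL may leave *NONE only once QSYS/QAUDJRN exists, */
  /* so check for the journal before switching auditing on          */
  CHKOBJ OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG MSGID(CPF9801) EXEC(DO)
    SNDPGMMSG MSG('QSYS/QAUDJRN not found; auditing not started')
    RETURN
  ENDDO
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
ENDPGM
```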
<div class="p">For more information, see the following topics in the <a href="../rzahg/rzahgsecref.htm">iSeries™ Security
Reference</a>:<ul class="simple"><li><span class="q">"Planning the Auditing of Actions"</span></li>
<li><span class="q">"Planning the Auditing of Object Access"</span></li>
<li><span class="q">"Audit End Action"</span></li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
</div>
</div>
</body>
</html>