<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Set up security auditing" />
<meta name="abstract" content="This article describes how to set up security auditing, explains why it is important, and provides step-by-step instructions. The system collects security events in the QAUDJRN journal." />
<meta name="description" content="This article describes how to set up security auditing, explains why it is important, and provides step-by-step instructions. The system collects security events in the QAUDJRN journal." />
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="setsecaudit" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Set up security auditing</title>
</head>
<body id="setsecaudit"><a name="setsecaudit"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Set up security auditing</h1>
<div><p>This article describes how to set up security auditing, explains
why it is important, and provides step-by-step instructions. The system collects
security events in the QAUDJRN journal.</p>
<div class="p">Setting up auditing requires *AUDIT special authority. To set up security
auditing, do the following steps:<ol><li>Create a journal receiver in a library of your choice by using the Create
Journal Receiver (CRTJRNRCV) command. This example uses a library called JRNLIB
for journal receivers.<pre>CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
TEXT('Auditing Journal Receiver')</pre>
<ul><li>Place the journal receiver in a library that is saved regularly. Do not
place the journal receiver in library QSYS, even though that is where the
journal will be.</li>
<li>Choose a journal receiver name that can be used to create a naming convention
for future journal receivers, such as AUDRCV0001. You can use the *GEN option
when you change journal receivers to continue the naming convention. Using
this type of naming convention is also useful if you choose to have the system
manage changing your journal receivers.</li>
<li>Specify a receiver threshold appropriate to your system size and activity.
The size you choose should be based on the number of transactions on your
system and the number of actions you choose to audit. If you use system change-journal
management support, the journal receiver threshold must be at least 100 000
KB.</li>
<li>Specify *EXCLUDE on the AUT parameter to limit access to the information
stored in the journal.</li>
</ul>
</li>
<li>Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:<pre>CRTJRN JRN(QSYS/QAUDJRN) +
JRNRCV(JRNLIB/AUDRCV0001) +
MNGRCV(*SYSTEM) DLTRCV(*NO) +
AUT(*EXCLUDE) TEXT('Auditing Journal')</pre>
<ul><li>The name QSYS/QAUDJRN <em>must</em> be used.</li>
<li>Specify the name of the journal receiver you created in the previous step. </li>
<li>Specify *EXCLUDE on the AUT parameter to limit access to the information
stored in the journal. You must have authority to add objects to QSYS to create
the journal.</li>
<li>Use the Manage receiver (MNGRCV) parameter to have the system change the
journal receiver and attach a new one when the attached receiver exceeds the
threshold specified when the journal receiver was created. If you choose this
option, you do not have to use the CHGJRN command to detach receivers and
create and attach new receivers manually.</li>
<li>Do not have the system delete detached receivers. Specify DLTRCV(*NO),
which is the default. The QAUDJRN receivers are your security audit trail.
Ensure that they are adequately saved before deleting them from the system.</li>
</ul>
</li>
<li>Set the audit level (QAUDLVL) system value or the audit level extension
(QAUDLVL2) system value using the WRKSYSVAL command. The QAUDLVL and QAUDLVL2
system values determine which actions are logged to the audit journal for
all users on the system.</li>
<li>Set action auditing for individual users if necessary using the CHGUSRAUD
command.</li>
<li>Set object auditing for specific objects if necessary using the CHGOBJAUD
and CHGDLOAUD commands.</li>
<li>Set object auditing for specific users if necessary using the CHGUSRAUD
command.</li>
<li>Set the QAUDENDACN system value to control what happens if the system
cannot access the audit journal.</li>
<li>Set the QAUDFRCLVL system value to control how often audit records are
written to auxiliary storage.</li>
<li>Start auditing by setting the QAUDCTL system value to a value other than
*NONE.</li>
</ol>
</div>
<div class="note"><span class="notetitle">Note:</span> The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL
system value to a value other than *NONE. When you start auditing, the system
attempts to write a record to the audit journal. If the attempt is not successful,
you receive a message and auditing does not start.</div>
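<p>The steps above combined into one CL program, as an added example that is not part of the original IBM topic. The audit values chosen, the user profile AUDUSER1 and the file PAYLIB/PAYROLL are assumptions for illustration, and CHGSYSVAL is used in place of the interactive WRKSYSVAL so the steps can run in a program.</p>

```cl
PGM
  /* Added example. AUDUSER1 and PAYLIB/PAYROLL are hypothetical names. */

  /* Step 1: receiver outside QSYS, with the threshold and the        */
  /* restricted authority that the bullets under step 1 call for.     */
  CRTJRNRCV  JRNRCV(JRNLIB/AUDRCV0001) THRESHOLD(100000) +
               AUT(*EXCLUDE) TEXT('Auditing Journal Receiver')

  /* Step 2: the journal itself; system-managed receivers, never      */
  /* deleted automatically.                                           */
  CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(JRNLIB/AUDRCV0001) +
               MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE) +
               TEXT('Auditing Journal')

  /* Step 3: system-wide action auditing (values are an assumption).  */
  CHGSYSVAL  SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *SAVRST')

  /* Steps 4 and 6: per-user action and object auditing.              */
  CHGUSRAUD  USRPRF(AUDUSER1) OBJAUD(*CHANGE) AUDLVL(*CMD)

  /* Step 5: audit this object according to each user's OBJAUD value. */
  CHGOBJAUD  OBJ(PAYLIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*USRPRF)

  /* Step 7: notify rather than power down if the journal fails.      */
  CHGSYSVAL  SYSVAL(QAUDENDACN) VALUE('*NOTIFY')

  /* Step 8: let the system decide when to force records to storage.  */
  CHGSYSVAL  SYSVAL(QAUDFRCLVL) VALUE('*SYS')

  /* Step 9: QSYS/QAUDJRN must exist before QAUDCTL leaves *NONE,     */
  /* so confirm it and stop with a message if it is missing.          */
  CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG     MSGID(CPF9801) EXEC(DO)
    SNDPGMMSG  MSG('QSYS/QAUDJRN not found. Auditing not started.')
    RETURN
  ENDDO
  CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
ENDPGM
```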
<div class="p">For more information, see the following topics in the <a href="../rzahg/rzahgsecref.htm">iSeries™ Security
Reference</a>:<ul class="simple"><li><span class="q">"Planning the Auditing of Actions"</span></li>
<li><span class="q">"Planning the Auditing of Object Access"</span></li>
<li><span class="q">"Audit End Action"</span></li>
</ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
</div>
</div>
</body>
</html>