Use the security audit journal

The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system.

The information in the audit journals is used:

To detect attempted security violations.
To plan migration to a higher security level.
To monitor the use of sensitive objects, such as confidential files.

Commands are available to view the information in the audit journals in different ways. You can define auditing on your system at three different levels:

System-wide auditing that occurs for all users.
Auditing that occurs for specific objects.
Auditing that occurs for specific users.

When monitoring your security, the operating system can log security events which occur on your system. These events are recorded in special system objects called journal receivers. You can set up journal receivers to record different types of security events, such as changing a system value or user profile, or an unsuccessful attempt to access an object. The following values control which events are logged:

The audit control (QAUDCTL) system value
The audit level (QAUDLVL) system value
The audit level (AUDLVL) value in user profiles
The object auditing (OBJAUD) value in user profiles
The object auditing (OBJAUD) value in objects

Manage the audit journal and journal receivers

The auditing journal, QSYS/QAUDJRN, is intended solely for security auditing. Objects should not be journaled to the audit journal. Commitment control should not use the audit journal. User entries should not be sent to this journal using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE) API.

Special locking protection is used to ensure that the system can write audit entries to the audit journal. When auditing is active (the QAUDCTL system value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal when auditing is active, such as:

DLTJRN command
ENDJRNxxx command
APYJRNCHG command
RMVJRNCHG command
DMPOBJ or DMPSYSOBJ command
Moving the journal
Restoring the journal
Operations that work with authority, such as the GRTOBJAUT command
WRKJRN command

The information recorded in the security journal entries is described in Security Reference book. All security entries in the audit journal have a journal code of T. In addition to security entries, system entries also appear in the journal QAUDJRN. These are entries with a journal code of J, which relate to initial program load (IPL) and general operations performed on journal receivers (for example, saving the receiver).

If damage occurs to the journal or to its current receiver so that the auditing entries cannot be journaled, the QAUDENDACN system value determines what action the system takes. Recovery from a damaged journal or journal receiver is the same as for other journals.

You may want to have the system manage the changing of journal receivers. Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically detaches the receiver when it reaches its threshold size and creates and attaches a new journal receiver. This is called system change-journal management.