Use this information to plan security auditing for your systems.
When monitoring your security, the operating system can log security events
which occur on your system. These events are recorded in special system objects
called journal receivers. You can set up journal receivers to record different
types of security events, such as changing a system value or user profile,
or an unsuccessful attempt to access an object. The following values control
which events are logged:
- The audit control (QAUDCTL) system value
- The audit level (QAUDLVL) system value
- The audit level (AUDLVL) value in user profiles
- The object auditing (OBJAUD) value in user profiles and objects
The information in the audit journals is used:
- To detect attempted security violations.
- To plan migration to a higher security level.
- To monitor the use of sensitive objects, such as confidential files.
Commands are available to view the information in the audit journals in
different ways.
The purpose of an audit is to detect and log activities that might compromise
the security of your system. When you choose to log actions that occur on
your systems, you might experience a trade-off in performance and, in some
cases, loss of disk space. If you decide to log security-related events on
your systems, the eServer™ Security
Planner will provide some recommendations about what level of auditing
you should do.
To plan the use of security auditing on your system, follow these steps:
- Use the eServer Security
Planner to see what it recommends about what level of auditing you should
do based on your system configuration and user requirements.
- Determine which security-relevant events you want to record for all system
users. The auditing of security-relevant events is called action
auditing.
- Check whether you need additional auditing for specific users.
- Decide whether you want to audit the use of specific objects on the system.
- Determine whether object auditing should be used for all users or specific
users.
The security audit journal is the primary source of auditing information
on the system. A security auditor inside or outside your organization can
use the auditing function provided by the system to gather information about
security-related events that occur on the system. You use system values, user
profile parameters, and object parameters to define auditing.
The security auditing function is optional. You must take specific steps
to set up security auditing.
You can define auditing on your system at three different levels:
- System-wide auditing that occurs for all users.
- Auditing that occurs for specific objects.
- Auditing that occurs for specific users.
When a security-related event that may be audited occurs, the system checks
whether you have selected that event for audit. If you have, the system writes
a journal entry in the current receiver for the security auditing journal
(QAUDJRN in library QSYS).
For information on planning the auditing of actions and auditing of object
access, see Chapter 9 of the iSeries™ Security Reference.