Auditing system values: Activate action auditing

Sets action auditing and specifies the auditing level for specific functions. (QAUDCTL, QAUDLVL, QAUDLVL2)

Activate action auditing, also known as QAUDCTL (*AUDLVL) and QAUDLVL (*AUDLVL2), is a member of the auditing of i5/OS™ system values. You can use a combination of these system values to activate object- or user-level auditing. To learn more, keep reading.

Quick reference
Location	In iSeries™ Navigator, select your system, > Configuration and Service > System Values > Auditing System Values > System
Special authority	Audit (*AUDIT) ¹
Default value	Deselected - action auditing is not activated
Changes take effect	Immediately
Lockable	Yes (Click for details)
Note 1: To view this system value, you must have Audit (AUDIT) or All object (ALLOBJ) special authority. To change this system value, you must have Audit (*AUDIT) special authority.

What can I do with this system value?

In the character-based interface, you can specify *AUDLVL for the QAUDCTL system value. By specifying *AUDLVL, you can use any of auditing actions in the QAUDLVL system value. In addition, you can specify *AUDLVL2 for the QAUDLVL system value. This special parameter (*AUDLVL2) allows you to specify more auditing actions. If the QAUDLVL system value does not contain the value *AUDLVL2, then the system ignores the values in the QAUDLVL2 system value.

In iSeries Navigator, you can select what actions to audit without differentiating between QAUDLVL2 and QAUDLVL. There is not a limit on how many actions you can audit.

You can specify several values for Activate action auditing (QAUDLVL and QAUDLVL2) or none (*NONE). Your options include:

Attention events (*ATNEVT)
Use this option to audit attention events. Attention events are conditions that require further evaluation to determine the condition's security significance. Use this option to audit attention events that occur on the system. This option is available only on systems running i5/OS V5R4 or later.
Authorization failure (*AUTFAIL)
Use this option to audit unsuccessful attempts to sign on the system and to access objects. Use authorization failures to regularly monitor users trying to perform unauthorized functions on the system. You can also use authorization failures to assist with migration to a higher security level and to test resource security for a new application.
Communication and networking tasks (*NETCMN)
Use this option to audit violations detected by the APPN firewall. This value also audits socket connections, directory search filter and endpoint filter violations.
Job tasks (*JOBDTA)
Use this option to audit actions that affect a job, such as starting, stopping, holding, releasing, canceling, or changing the job. Use job tasks to monitor who is running batch jobs.
Object creation (*CREATE)
Use this option to audit the creation or replacement of an object. Use object creation to monitor when programs are created or recompiled. Objects created into the QTEMP library are not audited.
Object deletion (*DELETE)
Use this option to audit the deletion of all external objects on the system. Objects deleted from the QTEMP library are not audited.
Object management (*OBJMGT)
Use this option to audit an object rename or move operation. Use object management to detect copying confidential information by moving the object to a different library.
Object restore (*SAVRST)
Use this option to audit the save and restore information of an object. Use object restore to detect attempts to restore unauthorized objects.
Office tasks (*OFCSRV)
Use this option audits the Office Vision ^(R) licensed program. This option audits changes to the system distribution directory and opening of a mail log. Actions performed on specific items in the mail log are not recorded. Use office tasks to detect attempts to change how mail is routed or to monitor when another user's mail log is opened.
Optical tasks (*OPTICAL)
Use this option to audit optical functions, such as adding or removing an optical cartridge or changing the authorization list used to secure an optical volume. Other functions include copying, moving, or renaming an optical file, saving or releasing a held optical file, and so on.
Printing functions (*PRTDTA)
Use this option to audit the printing of a spooled file, printing directly from a program, or sending a spooled file to a remote printer. Use printing functions to detect printing confidential information.
Program adoption (*PGMADP)
Use this option to audit the use of adopted authority to gain access to an object. Use program adoption to test where and how a new application uses adopted authority.
Security tasks (*SECURITY)
Use this option to audit events related to security, such as changing a user profile or system value. Use security tasks to detect attempts to circumvent security by changing authority, auditing, or ownership of objects, by changing programs to adopt their owner's authority, or by resetting the security officer's password.

By selecting this option, you are also selecting to audit the following:
- Security configuration
- Directory service functions
- Security interprocess communications
- Network authentication service actions
- Security run time functions
- Security socket descriptors
- Verification functions
- Validation list objects
Service tasks (*SERVICE)
Use this option to audit the use of system service tools, such as the Dump Object and Start Trace commands. Use service tasks to detect attempts to circumvent security by using service tools or collecting traces in which security sensitive data is retrieved.
Spool management (*SPLFDTA)
Use this option to audit actions performed on spooled files, including creating, copying, and sending. Use spool management to detect attempts to print or send confidential data.
System integrity violations (*PGMFAIL)
Use this option to audit object domain integrity violations such as blocked instruction, validation value failure, or domain violations. Use system integrity violation to assist with migration to a higher security level or to test a new application.
System management (*SYSMGT)
Use this option to audit system management activities, such as changing a reply list or the power-on and -off schedule. Use system management to detect attempts to use system management functions to circumvent security controls.
Network base tasks (*NETBAS)
Use this option to audit network base tasks. This option audits transactions on your network of systems. The following are some example network base tasks that are audited:
- Changes to IP rules. For example, if someone creates an IP rule that blocks traffic into or out of an IP interface, that action is audited.
- Audit state changes of a VPN (Virtual Private Network) connection going up or down. If the connection is up, the VPN connection is usable and communication between the two systems is protected. If the connection is down, either the communication is not protected or no communication is allowed at all.
- Communication between sockets from one system to another
- APPN directory search filter
- APPN end point filter
This option is available only on systems running i5/OS V5R3 or later.
Network cluster tasks (*NETCLU)
Use this option to audit cluster or cluster resource group operations. An iSeries cluster is a collection or group of one or more servers or logical partitions that work together as a single server. Servers in a cluster are nodes. A cluster resource group defines actions to take during a switch over or fail over. The following are some example network cluster tasks that are audited when you select this option:
- Adding, creating, or deleting a cluster node or cluster resource group operation
- Ending a cluster node or cluster resource group
- Automatic failure of a system that switches access to another system
- Removing a cluster node or cluster resource group
- Starting a cluster node or resource group
- Manually switching access from one system to another in a cluster
- Updating a cluster node or cluster resource group
This option is available only on systems running i5/OS V5R3 or later.
Network failure (*NETFAIL)
Use this option to audit network failures. The following are some examples of network failures that are audited when you select this option:
- Trying to connect to a TCP/IP port that does not exist
- Trying to send information to a TCP/IP port that is not open or unavailable
This option is available only on systems running i5/OS V5R3 or later.
Network socket tasks (*NETSCK)
Use this option to audit socket tasks. A socket is an endpoint on a system that is used for communication. In order for two systems to communicate, they need to connect to each other's sockets. The following are examples of socket tasks that are audited when you select this option:
- Accepting an inbound TCP/IP socket connection
- Establishing an outbound TCP/IP socket connection
- Assigning your system an IP address through DHCP (Dynamic Host Configuration Protocol)
- Inability to assign your system an IP address through DHCP because all of the IP addresses are being used
- Filtering mail. For example, when mail is set up to be filtered and a message meets the criteria to be filtered, that message is audited.
- Rejecting mail. For example, when mail is set up to be rejected from a specific system, all mail attempts from that system are audited.
This option is available only on systems running i5/OS V5R3 or later.
Security configuration (*SECCFG)
Use this option to audit security configuration. The following are some examples:
- Create, change, delete, and restore operations of user profiles
- Changing programs (CHGPGM) to adopt the owner's profile
- Changing system values, environment variables, and network attributes
- Changing subsystem routing
- Resetting the security officer (QSECOFR) password to the shipped value from Dedicated Service Tools (DST)
- Requesting the password for the service tools security officer user ID to be defaulted
- Changing the auditing attribute of an object
This option is available only on systems running i5/OS V5R3 or later.
Security directory services (*SECDIRSRV)
Use this option to audit changes or updates when doing directory service functions. The directory service function allows users to store files and objects. The following are some actions performed using the directory service function that are audited:
- Changing audit levels
- Changing authorities
- Changing passwords
- Changing ownerships
- Binding and unbinding successfully
This option is available only on systems running i5/OS V5R3 or later.
Security interprocess communications (*SECIPC)
Use this option to audit changes to interprocess communications. The following are some examples:
- Changing ownership or authority of an IPC object
- Creating, deleting, or retrieving an IPC object
- Attaching shared memory
This option is available only on systems running i5/OS V5R3 or later.
Security network authentication services (*SECNAS)
Use this option to audit network authentication service actions. The following are some examples:
- Service ticket valid
- Service principals do not match
- Client principals do not match
- Ticket IP address mismatch
- Decryption of the ticket failed
- Decryption of the authenticator failed
- Realm is not within client and local realms
- Ticket is a replay attempt
- Ticket not yet valid
- Remote or local IP address mismatch
- Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
- KRB_AP_PRIV or KRB_AP_SAFE - time stamp error, replay error, or sequence order error
- GSS accept - expired credentials, checksum error, or channel bindings
- GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, or sequence error
This option is available only on systems running i5/OS V5R3 or later.
Security run time tasks (*SECRUN)
Use this option to audit security run time functions. This option audits any actions that are performed while a program is running. Run time changes occur more frequently than changes not during run time. The following are some examples:
- Changing object ownership
- Changing authorization list or object authority
- Changing the primary group of an object
This option is available only on systems running i5/OS V5R3 or later.
Security socket descriptors (*SECSCKD)
Use this option to audit the passing of socket or file descriptors between i5/OS jobs. The descriptor is a 4-byte integer that points to an entry in a process descriptor table. This table is a list of all socket and file descriptors that have been opened by this process. Each entry in this table represents a single socket or file that this process has opened. The following are some examples:
- Giving a socket or file descriptor to another job
- Receiving a socket or file descriptor from another job
- Inability to receive a socket or file descriptor that was passed to this job. For example, the job that called the receive message command (recvmsg()) did not have enough authority or was not running the same user profile as the job that had originally called the send message command (sendmsg()) when the descriptor was passed.
This option is available only on systems running i5/OS V5R3 or later.
Security verification (*SECVFY)
Use this option to audit verification functions. The following are some examples:
- Changing a target user profile during a pass-through session
- Generating a profile handle
- Invalidating a profile token
- Generating the maximum number of profile tokens
- Generating a profile token
- Removing all profile tokens for a user
- Removing user profile tokens for a user
- Authenticating a user profile
- Starting or ending work on behalf of another user
This option is available only on systems running i5/OS V5R3 or later.
Security validation tasks (*SECVLDL)
Use this option to audit validation list objects. A validation list object is used to store data. The data is encrypted for security reasons. For example, you may have a validation list that stores user names and passwords that are used to control access to a Web page. A validation list is used rather than a database file because the validation list is more secure because it only contains user names and passwords rather than user profiles. The following are some example tasks that are audited when this option is selected:
- Adding, changing, or removing a validation list entry
- Accessing a validation list entry
- Successful and unsuccessful verification of a validation list entry
This option is available only on systems running i5/OS V5R3 or later.
Not available (*NOTAVL)
This value is displayed if the user does not have authority to view the auditing value. You cannot set the system value to not available (*NOTAVL). This value is only displayed when a user accessing the system value does not have either All object (*ALLOBJ) or Audit (*AUDIT) special authority.

Note: To view this auditing system value, you must have All object (*ALLOBJ) or Audit (*AUDIT) special authority. If you do not have the required authority, the Auditing category is not displayed in iSeries Navigator. In addition, if you access this system value in the character-based interface, a not available (*NOTAVL) value is displayed.

Where can I get more information about auditing system values?

You can also learn about these individual auditing system values that are associated with system level auditing (QAUDCTL):

Activate object auditing (*OBJAUD)
Do not audit objects in QTEMP (*NOQTEMP)

To learn more, go to the auditing system values overview topic. If you are looking for a specific system value or category of system values, try using the i5/OS system value finder.