<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Auditing system values: Activate action auditing" />
<meta name="abstract" content="Sets action auditing and specifies the auditing level for specific functions. (QAUDCTL, QAUDLVL, QAUDLVL2)" />
<meta name="description" content="Sets action auditing and specifies the auditing level for specific functions. (QAUDCTL, QAUDLVL, QAUDLVL2)" />
<meta name="DC.Relation" scheme="URI" content="rzakzqaudctlobjaud.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzqaudctlnoqtemp.htm" />
<meta name="DC.Relation" scheme="URI" content="rzakzfinder.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzakzqaudctlaudlvl" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Auditing system values: Activate action auditing</title>
</head>
<body id="rzakzqaudctlaudlvl"><a name="rzakzqaudctlaudlvl"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Auditing system values: Activate action auditing</h1>
<div><p>Sets action auditing and specifies the auditing level for specific functions. (QAUDCTL, QAUDLVL, QAUDLVL2)</p>
<p><span class="uicontrol">Activate action auditing</span>, also known as <span class="uicontrol">QAUDCTL (*AUDLVL) and QAUDLVL (*AUDLVL2)</span>, is a member of the auditing category of i5/OS™ system values. You can use a combination of these system values to activate object- or user-level auditing. To learn more, keep reading.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th colspan="2" valign="top" id="d0e34">Quick reference</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e34 "><strong>Location</strong></td>
<td valign="top" headers="d0e34 ">In iSeries™ Navigator, select your system, <span class="menucascade"><span class="uicontrol">Configuration and Service</span> > <span class="uicontrol">System Values</span> > <span class="uicontrol">Auditing System Values</span> > <span class="uicontrol">System</span></span></td>
</tr>
<tr><td valign="top" headers="d0e34 "><strong>Special authority</strong></td>
<td valign="top" headers="d0e34 ">Audit (*AUDIT) <sup><a href="#rzakzqaudctlaudlvl__qaudlvl2">1</a></sup></td>
</tr>
<tr><td valign="top" headers="d0e34 "><strong>Default value</strong></td>
<td valign="top" headers="d0e34 ">Deselected - action auditing is not activated</td>
</tr>
<tr><td valign="top" headers="d0e34 "><strong>Changes take effect</strong></td>
<td valign="top" headers="d0e34 ">Immediately</td>
</tr>
<tr><td valign="top" headers="d0e34 "><strong>Lockable</strong></td>
<td valign="top" headers="d0e34 ">Yes <a href="rzakzlocksecurity.htm"><br /><img src="rzakz503.gif" alt="Lockable system value" /><br /></a> (Click for details)</td>
</tr>
<tr><td colspan="2" valign="top" headers="d0e34 "><div class="note" id="rzakzqaudctlaudlvl__qaudlvl2"><a name="rzakzqaudctlaudlvl__qaudlvl2"><!-- --></a><span class="notetitle">Note 1:</span> To view this system value, you must have Audit (*AUDIT) or All object (*ALLOBJ) special authority. To change this system value, you must have Audit (*AUDIT) special authority.</div>
</td>
</tr>
</tbody>
</table>
</div>
<div class="section"><h4 class="sectiontitle">What can I do with this system value?</h4><p>In the character-based interface, you can specify *AUDLVL for the QAUDCTL system value. By specifying *AUDLVL, you can use any of the auditing actions in the QAUDLVL system value. In addition, you can specify *AUDLVL2 for the QAUDLVL system value. This special parameter (*AUDLVL2) allows you to specify more auditing actions. If the QAUDLVL system value does not contain the value *AUDLVL2, then the system ignores the values in the QAUDLVL2 system value.</p>
<p>In iSeries Navigator, you can select what actions to audit without differentiating between QAUDLVL2 and QAUDLVL. There is no limit on how many actions you can audit.</p>
<p>You can specify several values for <span class="uicontrol">Activate action auditing</span> (QAUDLVL and QAUDLVL2) or none (*NONE). Your options include:</p>
<ul><li><img src="./delta.gif" alt="Start of change" /><span class="uicontrol">Attention events (*ATNEVT)</span><p>Use this option to audit attention events that occur on the system. Attention events are conditions that require further evaluation to determine the condition's security significance. This option is available only on systems running i5/OS V5R4 or later.</p>
<img src="./deltaend.gif" alt="End of change" /></li>
<li><span class="uicontrol">Authorization failure (*AUTFAIL)</span> <p>Use this option to audit unsuccessful attempts to sign on the system and to access objects. Use authorization failures to regularly monitor users trying to perform unauthorized functions on the system. You can also use authorization failures to assist with migration to a higher security level and to test resource security for a new application.</p>
</li>
<li><span class="uicontrol">Communication and networking tasks (*NETCMN)</span> <p>Use this option to audit violations detected by the APPN firewall. This value also audits socket connections, directory search filter and endpoint filter violations.</p>
</li>
<li><span class="uicontrol">Job tasks (*JOBDTA)</span> <p>Use this option to audit actions that affect a job, such as starting, stopping, holding, releasing, canceling, or changing the job. Use job tasks to monitor who is running batch jobs.</p>
</li>
<li><span class="uicontrol">Object creation (*CREATE)</span> <p>Use this option to audit the creation or replacement of an object. Use object creation to monitor when programs are created or recompiled. Objects created into the QTEMP library are not audited.</p>
</li>
<li><span class="uicontrol">Object deletion (*DELETE)</span> <p>Use this option to audit the deletion of all external objects on the system. Objects deleted from the QTEMP library are not audited.</p>
</li>
<li><span class="uicontrol">Object management (*OBJMGT)</span> <p>Use this option to audit an object rename or move operation. Use object management to detect copying confidential information by moving the object to a different library.</p>
</li>
<li><span class="uicontrol">Object restore (*SAVRST)</span> <p>Use this option to audit the save and restore information of an object. Use object restore to detect attempts to restore unauthorized objects.</p>
</li>
<li><span class="uicontrol">Office tasks (*OFCSRV)</span> <p>Use this option to audit the Office Vision <sup>(R)</sup> licensed program. This option audits changes to the system distribution directory and opening of a mail log. Actions performed on specific items in the mail log are not recorded. Use office tasks to detect attempts to change how mail is routed or to monitor when another user's mail log is opened.</p>
</li>
<li><span class="uicontrol">Optical tasks (*OPTICAL)</span> <p>Use this option to audit optical functions, such as adding or removing an optical cartridge or changing the authorization list used to secure an optical volume. Other functions include copying, moving, or renaming an optical file, saving or releasing a held optical file, and so on.</p>
</li>
<li><span class="uicontrol">Printing functions (*PRTDTA)</span> <p>Use this option to audit the printing of a spooled file, printing directly from a program, or sending a spooled file to a remote printer. Use printing functions to detect printing confidential information.</p>
</li>
<li><span class="uicontrol">Program adoption (*PGMADP)</span> <p>Use this option to audit the use of adopted authority to gain access to an object. Use program adoption to test where and how a new application uses adopted authority.</p>
</li>
<li><span class="uicontrol">Security tasks (*SECURITY)</span> <p>Use this option to audit events related to security, such as changing a user profile or system value. Use security tasks to detect attempts to circumvent security by changing authority, auditing, or ownership of objects, by changing programs to adopt their owner's authority, or by resetting the security officer's password.</p>
<p>By selecting this option, you are also selecting to audit the following:</p>
<ul><li>Security configuration</li>
<li>Directory service functions</li>
<li>Security interprocess communications</li>
<li>Network authentication service actions</li>
<li>Security run time functions</li>
<li>Security socket descriptors</li>
<li>Verification functions</li>
<li>Validation list objects</li>
</ul>
</li>
<li><span class="uicontrol">Service tasks (*SERVICE)</span> <p>Use this option to audit the use of system service tools, such as the Dump Object and Start Trace commands. Use service tasks to detect attempts to circumvent security by using service tools or collecting traces in which security sensitive data is retrieved.</p>
</li>
<li><span class="uicontrol">Spool management (*SPLFDTA)</span> <p>Use this option to audit actions performed on spooled files, including creating, copying, and sending. Use spool management to detect attempts to print or send confidential data.</p>
</li>
<li><span class="uicontrol">System integrity violations (*PGMFAIL)</span> <p>Use this option to audit object domain integrity violations such as blocked instruction, validation value failure, or domain violations. Use system integrity violation to assist with migration to a higher security level or to test a new application.</p>
</li>
<li><span class="uicontrol">System management (*SYSMGT)</span> <p>Use this option to audit system management activities, such as changing a reply list or the power-on and -off schedule. Use system management to detect attempts to use system management functions to circumvent security controls.</p>
</li>
<li><span class="uicontrol">Network base tasks (*NETBAS)</span> <p>Use this option to audit network base tasks. This option audits transactions on your network of systems. The following are some example network base tasks that are audited:</p>
<ul><li>Changes to IP rules. For example, if someone creates an IP rule that blocks traffic into or out of an IP interface, that action is audited.</li>
<li>Audit state changes of a VPN (Virtual Private Network) connection going up or down. If the connection is up, the VPN connection is usable and communication between the two systems is protected. If the connection is down, either the communication is not protected or no communication is allowed at all.</li>
<li>Communication between sockets from one system to another</li>
<li>APPN directory search filter</li>
<li>APPN end point filter</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Network cluster tasks (*NETCLU)</span> <p>Use this option to audit cluster or cluster resource group operations. An iSeries cluster is a collection or group of one or more servers or logical partitions that work together as a single server. Servers in a cluster are nodes. A cluster resource group defines actions to take during a switch over or fail over. The following are some example network cluster tasks that are audited when you select this option:</p>
<ul><li>Adding, creating, or deleting a cluster node or cluster resource group operation</li>
<li>Ending a cluster node or cluster resource group</li>
<li>Automatic failure of a system that switches access to another system</li>
<li>Removing a cluster node or cluster resource group</li>
<li>Starting a cluster node or resource group</li>
<li>Manually switching access from one system to another in a cluster</li>
<li>Updating a cluster node or cluster resource group</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Network failure (*NETFAIL)</span> <p>Use this option to audit network failures. The following are some examples of network failures that are audited when you select this option:</p>
<ul><li>Trying to connect to a TCP/IP port that does not exist</li>
<li>Trying to send information to a TCP/IP port that is not open or unavailable</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Network socket tasks (*NETSCK)</span> <p>Use this option to audit socket tasks. A socket is an endpoint on a system that is used for communication. In order for two systems to communicate, they need to connect to each other's sockets. The following are examples of socket tasks that are audited when you select this option:</p>
<ul><li>Accepting an inbound TCP/IP socket connection</li>
<li>Establishing an outbound TCP/IP socket connection</li>
<li>Assigning your system an IP address through DHCP (Dynamic Host Configuration Protocol)</li>
<li>Inability to assign your system an IP address through DHCP because all of the IP addresses are being used</li>
<li>Filtering mail. For example, when mail is set up to be filtered and a message meets the criteria to be filtered, that message is audited.</li>
<li>Rejecting mail. For example, when mail is set up to be rejected from a specific system, all mail attempts from that system are audited.</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security configuration (*SECCFG)</span> <p>Use this option to audit security configuration. The following are some examples:</p>
<ul><li>Create, change, delete, and restore operations of user profiles</li>
<li>Changing programs (CHGPGM) to adopt the owner's profile</li>
<li>Changing system values, environment variables, and network attributes</li>
<li>Changing subsystem routing</li>
<li>Resetting the security officer (QSECOFR) password to the shipped value from Dedicated Service Tools (DST)</li>
<li>Requesting the password for the service tools security officer user ID to be defaulted</li>
<li>Changing the auditing attribute of an object</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security directory services (*SECDIRSRV)</span> <p>Use this option to audit changes or updates when doing directory service functions. The directory service function allows users to store files and objects. The following are some actions performed using the directory service function that are audited:</p>
<ul><li>Changing audit levels</li>
<li>Changing authorities</li>
<li>Changing passwords</li>
<li>Changing ownerships</li>
<li>Binding and unbinding successfully</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security interprocess communications (*SECIPC)</span> <p>Use this option to audit changes to interprocess communications. The following are some examples:</p>
<ul><li>Changing ownership or authority of an IPC object</li>
<li>Creating, deleting, or retrieving an IPC object</li>
<li>Attaching shared memory</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security network authentication services (*SECNAS)</span> <p>Use this option to audit network authentication service actions. The following are some examples:</p>
<ul><li>Service ticket valid</li>
<li>Service principals do not match</li>
<li>Client principals do not match</li>
<li>Ticket IP address mismatch</li>
<li>Decryption of the ticket failed</li>
<li>Decryption of the authenticator failed</li>
<li>Realm is not within client and local realms</li>
<li>Ticket is a replay attempt</li>
<li>Ticket not yet valid</li>
<li>Remote or local IP address mismatch</li>
<li>Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error</li>
<li>KRB_AP_PRIV or KRB_AP_SAFE - time stamp error, replay error, or sequence order error</li>
<li>GSS accept - expired credentials, checksum error, or channel bindings</li>
<li>GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, or sequence error</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security run time tasks (*SECRUN)</span> <p>Use this option to audit security run time functions. This option audits any actions that are performed while a program is running. Run time changes occur more frequently than changes not during run time. The following are some examples:</p>
<ul><li>Changing object ownership</li>
<li>Changing authorization list or object authority</li>
<li>Changing the primary group of an object</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security socket descriptors (*SECSCKD)</span> <p>Use this option to audit the passing of socket or file descriptors between i5/OS jobs. The descriptor is a 4-byte integer that points to an entry in a process descriptor table. This table is a list of all socket and file descriptors that have been opened by this process. Each entry in this table represents a single socket or file that this process has opened. The following are some examples:</p>
<ul><li>Giving a socket or file descriptor to another job</li>
<li>Receiving a socket or file descriptor from another job</li>
<li>Inability to receive a socket or file descriptor that was passed to this job. For example, the job that called the receive message command (recvmsg()) did not have enough authority or was not running the same user profile as the job that had originally called the send message command (sendmsg()) when the descriptor was passed.</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security verification (*SECVFY)</span> <p>Use this option to audit verification functions. The following are some examples:</p>
<ul><li>Changing a target user profile during a pass-through session</li>
<li>Generating a profile handle</li>
<li>Invalidating a profile token</li>
<li>Generating the maximum number of profile tokens</li>
<li>Generating a profile token</li>
<li>Removing all profile tokens for a user</li>
<li>Removing user profile tokens for a user</li>
<li>Authenticating a user profile</li>
<li>Starting or ending work on behalf of another user</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Security validation tasks (*SECVLDL)</span> <p>Use this option to audit validation list objects. A validation list object is used to store data. The data is encrypted for security reasons. For example, you may have a validation list that stores user names and passwords that are used to control access to a Web page. A validation list is used rather than a database file because it is more secure: it contains only user names and passwords rather than user profiles. The following are some example tasks that are audited when this option is selected:</p>
<ul><li>Adding, changing, or removing a validation list entry</li>
<li>Accessing a validation list entry</li>
<li>Successful and unsuccessful verification of a validation list entry</li>
</ul>
<p>This option is available only on systems running i5/OS V5R3 or later.</p>
</li>
<li><span class="uicontrol">Not available (*NOTAVL)</span> <p>This value is displayed if the user does not have authority to view the auditing value. You cannot set the system value to not available (*NOTAVL). This value is only displayed when a user accessing the system value does not have either All object (*ALLOBJ) or Audit (*AUDIT) special authority.</p>
</li>
</ul>
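<p>The rules this topic states (QAUDCTL must contain *AUDLVL for any action auditing to happen, QAUDLVL2 counts only when QAUDLVL contains *AUDLVL2, *NONE selects nothing, *SECURITY also selects the *SEC... values, and *NOTAVL means the viewer lacks authority) are easy to get wrong when reading three separate system values off a screen. The following Python checker is an added example, not IBM code: it resolves the three values, as the DSPSYSVAL command displays them, into the set of actions actually audited and compares that set with a required baseline. The function names are the example's own and the sample values are constructed.</p>

```python
"""Resolve which action-auditing values are actually in effect on an i5/OS system.

Added example (not IBM's code). It encodes the rules the topic states:
  * action auditing is active only if QAUDCTL contains *AUDLVL;
  * QAUDLVL2 is consulted only if QAUDLVL contains the special value *AUDLVL2;
  * *NONE selects no actions;
  * selecting *SECURITY also selects the *SEC... sub-values listed on the page;
  * a value displayed as *NOTAVL means the viewer lacks *AUDIT or *ALLOBJ authority.
Inputs are the strings as DSPSYSVAL displays them; the sample values are constructed.
"""
from typing import Iterable, List, Set

# Values implied by *SECURITY, per the "Security tasks (*SECURITY)" item.
SECURITY_SUBVALUES = frozenset({
    "*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
    "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL",
})
# Tokens that are switches or markers, not auditable actions.
NON_ACTIONS = frozenset({"*NONE", "*AUDLVL2"})


def _tokens(name: str, value: str) -> List[str]:
    """Split a displayed system value ('*AUTFAIL *SECURITY') into upper-case tokens."""
    tokens = value.upper().split()
    if "*NOTAVL" in tokens:
        # *NOTAVL is shown only when the viewer lacks *ALLOBJ or *AUDIT authority,
        # so the displayed value says nothing about the real configuration.
        raise PermissionError(f"{name} displayed as *NOTAVL; viewer lacks *AUDIT/*ALLOBJ")
    return tokens


def effective_action_auditing(qaudctl: str, qaudlvl: str, qaudlvl2: str = "*NONE") -> Set[str]:
    """Return the set of action-auditing values that the system will actually apply."""
    if "*AUDLVL" not in _tokens("QAUDCTL", qaudctl):
        # QAUDCTL is the master switch: without *AUDLVL, QAUDLVL and QAUDLVL2 are inert.
        return set()
    selected = _tokens("QAUDLVL", qaudlvl)
    if "*AUDLVL2" in selected:
        # QAUDLVL2 extends QAUDLVL only when QAUDLVL carries *AUDLVL2.
        selected += _tokens("QAUDLVL2", qaudlvl2)
    actions = {v for v in selected if v not in NON_ACTIONS}
    if "*SECURITY" in actions:
        actions |= SECURITY_SUBVALUES
    return actions


def missing_actions(effective: Set[str], required: Iterable[str]) -> Set[str]:
    """Baseline check: required values (e.g. from a hardening standard) not in effect."""
    return {r.upper() for r in required} - effective


if __name__ == "__main__":
    # Constructed sample: QAUDLVL2 looks populated, but it is ignored because
    # QAUDLVL does not contain *AUDLVL2, so *SERVICE is silently not audited.
    have = effective_action_auditing("*AUDLVL *OBJAUD", "*AUTFAIL *SECURITY", "*SERVICE")
    print("in effect:", sorted(have))
    print("missing:", sorted(missing_actions(have, ["*AUTFAIL", "*SERVICE", "*PGMFAIL"])))
```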
<div class="note"><span class="notetitle">Note:</span> To view this auditing system value, you must have All object (*ALLOBJ) or Audit (*AUDIT) special authority. If you do not have the required authority, the Auditing category is not displayed in iSeries Navigator. In addition, if you access this system value in the character-based interface, a not available (*NOTAVL) value is displayed.</div>
</div>
<div class="section"><h4 class="sectiontitle">Where can I get more information about auditing system values?</h4><p>You can also learn about these individual auditing system values that are associated with system level auditing (QAUDCTL):</p>
<ul><li>Activate object auditing (*OBJAUD)</li>
<li>Do not audit objects in QTEMP (*NOQTEMP)</li>
</ul>
<p>To learn more, go to the auditing system values overview topic. If you are looking for a specific system value or category of system values, try using the i5/OS system value finder.</p>
</div>
</div>
<div><div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzakzqaudctlobjaud.htm" title="(QAUDCTL *OBJAUD)">Auditing system values: Activate object auditing</a></div>
<div><a href="rzakzqaudctlnoqtemp.htm" title="(QAUDCTL *NOQTEMP)">Auditing system values: Do not audit objects in QTEMP</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="rzakzfinder.htm">System value finder</a></div>
</div>
</div>
</body>
</html>