102 lines
6.3 KiB
HTML
102 lines
6.3 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="concept" />
|
|
<meta name="DC.Title" content="Use the security audit journal" />
|
|
<meta name="abstract" content="The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system." />
|
|
<meta name="description" content="The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzamvplansecauditing.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="usesecauditjournal" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Use the security audit journal</title>
|
|
</head>
|
|
<body id="usesecauditjournal"><a name="usesecauditjournal"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Use the security audit journal</h1>
|
|
<div><p>The security audit journal is the primary source of auditing information
|
|
on the system. A security auditor inside or outside your organization can
|
|
use the auditing function provided by the system to gather information about
|
|
security-related events that occur on the system.</p>
|
|
<div class="p">The information in the <strong>audit journals</strong> is used: <ul><li>To detect attempted security violations.</li>
|
|
<li>To plan migration to a higher security level.</li>
|
|
<li>To monitor the use of sensitive objects, such as confidential files.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p">Commands are available to view the information in the audit journals in
|
|
different ways. You can define auditing on your system at three different
|
|
levels: <ul><li>System-wide auditing that occurs for all users.</li>
|
|
<li>Auditing that occurs for specific objects.</li>
|
|
<li>Auditing that occurs for specific users.</li>
|
|
</ul>
|
|
</div>
|
|
<div class="p">When monitoring your security, the operating system can log security events
|
|
which occur on your system. These events are recorded in special system objects
|
|
called <strong>journal receivers</strong>. You can set up journal receivers to record
|
|
different types of security events, such as changing a system value or user
|
|
profile, or an unsuccessful attempt to access an object. The following values
|
|
control which events are logged: <ul><li>The audit control (QAUDCTL) system value</li>
|
|
<li>The audit level (QAUDLVL) system value</li>
|
|
<li>The audit level (AUDLVL) value in user profiles</li>
|
|
<li>The object auditing (OBJAUD) value in user profiles</li>
|
|
<li>The object auditing (OBJAUD) value in objects</li>
|
|
</ul>
|
|
</div>
|
|
<p><strong>Manage the audit journal and journal receivers</strong></p>
|
|
<p>The auditing journal, QSYS/QAUDJRN, is intended solely for security auditing.
|
|
Objects should not be journaled to the audit journal. Commitment control should
|
|
not use the audit journal. User entries should not be sent to this journal
|
|
using the Send Journal Entry (SNDJRNE) command or the Send Journal Entry (QJOSJRNE)
|
|
API.</p>
|
|
<div class="p">Special locking protection is used to ensure that the system can write
|
|
audit entries to the audit journal. When auditing is active (the QAUDCTL system
|
|
value is not *NONE), the system arbitrator job (QSYSARB) holds a lock on the
|
|
QSYS/QAUDJRN journal. You cannot perform certain operations on the audit journal
|
|
when auditing is active, such as: <ul><li>DLTJRN command</li>
|
|
<li>ENDJRN<em>xxx</em> command</li>
|
|
<li>APYJRNCHG command</li>
|
|
<li>RMVJRNCHG command</li>
|
|
<li>DMPOBJ or DMPSYSOBJ command</li>
|
|
<li>Moving the journal</li>
|
|
<li>Restoring the journal</li>
|
|
<li>Operations that work with authority, such as the GRTOBJAUT command</li>
|
|
<li>WRKJRN command</li>
|
|
</ul>
|
|
</div>
|
|
<p>The information recorded in the security journal entries is described in
|
|
Security Reference book. All security entries in the audit journal have a
|
|
journal code of T. In addition to security entries, system entries also appear
|
|
in the journal QAUDJRN. These are entries with a journal code of J, which
|
|
relate to initial program load (IPL) and general operations performed on journal
|
|
receivers (for example, saving the receiver).</p>
|
|
<p>If damage occurs to the journal or to its current receiver so that the
|
|
auditing entries cannot be journaled, the QAUDENDACN system value determines
|
|
what action the system takes. Recovery from a damaged journal or journal receiver
|
|
is the same as for other journals.</p>
|
|
<p>You may want to have the system manage the changing of journal receivers.
|
|
Specify MNGRCV(*SYSTEM) when you create the QAUDJRN journal, or change the
|
|
journal to that value. If you specify MNGRCV(*SYSTEM), the system automatically
|
|
detaches the receiver when it reaches its threshold size and creates and attaches
|
|
a new journal receiver. This is called <span class="uicontrol">system change-journal management</span>.</p>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvplansecauditing.htm" title="Use this information to plan security auditing for your systems.">Plan security auditing</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |