Townsend Security Data Privacy Blog

IBM i Security: Auditing Privileged Users, Applications, and Database Files

Posted by Patrick Townsend on Nov 3, 2016 9:21:51 AM

Excerpt from the eBook "IBM i Security: Event Logging & Active Monitoring - A Step By Step Guide."


IBM i Security: Event Logging & Active Monitoring

Audit Privelaged Users

Attackers attempt to gain privileged access to your IBM i system and as a privileged user can perform a wide variety of tasks on the IBM i server. As a privileged user, an attacker can steal sensitive data or damage your system. You should strongly consider enabling full user auditing of any user profile that has a high level of privilege. This should include the IBM user profile QSECOFR and any user with All Object (*ALLOBJ) or Audit (*AUDIT) capabilities. The commands executed by the audit user are logged to the QAUDJRN journal. You can identify privileged users by running an IBM security report:

   PRTUSRPRF TYPE(*AUTINFO)
   SPCAUT(*ALL)

Once you identify privileged users you can enable user auditing with the Change User Audit (CHGUSRAUD) command like this:

   CHGUSRAUD USRPRF(QSECOFR)
   OBJAUD(*ALL) AUDLVL(*AUTFAIL *CMD
   *PGMADP *NETCMN *PGMFAIL)

Note that you may want to increase or decrease the information you audit for privileged users. See the help for the command options.

Auditing Highly Sensitive Applications and Database Files

You should also consider enabling application and database access audit where sensitive data can be changed or where sensitive data is stored. For example, a core HR application that contains employee information, or a core ERP application that stores credit card information should be audited. Once you have a list of sensitive application programs and database files you can use the Change Object Audit (CHGOBJAUD) command to enable auditing. Audit records are sent directly to the QAUDJRN security journal.

   CHGOBJAUD OBJ(PRODLIB/ORD001)
   OBJTYPE(*PGM) OBJAUD(*ALL)

For IFS Files and directories you can use the Change Audit (CHGAUD) command like this:

   CHGAUD OBJ(‘/mydirectory’)
   OBJAUD(*ALL) SUBTREE(*ALL)
   SYMLNK(*YES)

For more information on auditing privelaged users, applications, and database files, as well as more information on IBM i event logging and active monitoring, download our ebook "IBM i Security: Event Logging & Active Monitoring - A Step By Step Guide."
IBM i

Topics: System Logging, IBM i, Alliance LogAgent