We reduce and optimize the times of our activities

Checking security on IBM i systems: the Audit Journal


We know well that information systems must be made secure, but we also know that it must also be checked, to understand if the tools used are adequate and configured in the best possible way.
Monitoring security means understanding what is happening on systems at all times, both to comply with regulations and (more importantly) to be notified as soon as possible in the event of incorrect or fraudulent operations on business data. You can have the systems perfectly functioning and performing, but without a security check, you still risk serious damage on what is most precious in the company, the data.

Checking the security of IBM i systems: the Audit Journal

In this article we will not start with the description of what journals are within IBM i systems, but we will make a few considerations enough. The journals on the as400 system are divided into:
  • data journals: logs that collect what happens on system data
  • audit journal: log that collects what happens on the system

    The difference between the audit journal and the data journals
    The difference is very simple, the Audit journal is unique for a single partition and it must be created with a very specific name in a well-defined library:
    QAUDJRN in the QSYS library

    We will not deal here with the topic of "how to create and activate it" but we will remain in the monitoring topic and we will see how to check that it exists and that it is configured to the minimum necessary

    To do this we will use the SQL services that IBM has made available since version 7.2 of the operating system

    Check in SQL if the audit journal exists and is configured

    select journal_name, journal_library, attached_journal_receiver_name, attached_journal_receiver_library, journal_state,number_journal_receivers, cast(cast(total_size_journal_receivers as decimal(10,3))/1000/1000 as decimal(10,3)) as GB from QSYS2.JOURNAL_INFO where journal_name='QAUDJRN'​

  • If I find no records: Audit Journal does not exist
  • If I find a record but the journal_state field is different from * ACTIVE: Audit Journal exists but is disabled
  • If there is at least one record and the journal_state field equals * ACTIVE: Audit Journal existing and active

    "If the Audit Journal is active, am I okay?"
    Absolutely not, the Audit Journal must be configured to indicate what to log among the activities happening on the system. There are many events that the audit journal can record but it is necessary to tell them otherwise I would have an empty log and therefore useless

    Let's see the entry types that an Audit Journal can contain and then let's see how to check which ones are already configured:

    https://www.ibm.com/docs/en/i/7.4?topic=actions-security-auditing-journal-entries

    Check the configuration of the Audit Journal

    To do this, we look at the contents of some system values, which we always check in SQL

    select system_value_name,current_character_value from qsys2.SYSTEM_VALUE_INFO where system_value_name='QAUDCTL'​ and current_character_value like '​%*AUDLVL%'​

    an example:


  • If no record is obtained: Audit Journal not configured
  • If a record exists, but the current_character_value field does not contain the value *OBJAUD: Audit Journal not configured
  • If the record exists and the current_character_value field contains the value *OBJAUD, then I move on to the next check

    select system_value_name,current_character_value from qsys2.SYSTEM_VALUE_INFO where system_value_name in ('QAUDLVL'​, 'QAUDLVL2'​) order by system_value_name

  • If no record is obtained: Audit Journal not configured
  • If the first record has the current_character_value field equal to *NONE: Audit Journal not configured
  • If in the first record there is *AUDLVL2 or other, then I put together the values ​​of the two cells current_character_value (excluding the possible *NONE of the second record) and I pass to the following checks

  • If the overall values ​​of the two current_character_value contain *JOBDTA or *JOBBAS and *JOBCHGUSR, then the user accesses to the system, both batch and interactive, are recorded in the Audit Journal
  • If the overall values ​​of the two current_character_value contain *AUTFAIL, then the incorrect accesses to the system are recorded in the Audit Journal (wrong passwords, disabled users, non-existent users, ...)
  • If the combined values ​​of the two current_character_value contain *SECVFY or the value *SECURITY, then the swap accesses of the profile to another are recorded in the Audit Journal
  • If the combined values ​​of the two current_character_value contain *SECCFG or the value *SECURITY, then the changes to the system values ​​of the system are recorded in the Audit Journal

    ... and so on, I believe these are the most important values ​​but many other actions can be recorded in the audit journal. For more details https://www.ibm.com/docs/en/i/7.4?topic=actions-security-auditing-journal-entries (from IBM web site)

    How to read the audit journal in a complete way? It will be the subject of a future article ... good security at all 😉

    Marco Moret Monitoring Project Manager at smeup ICS
     You can also find the article on LinkedIn

    All articles
     Writers Manager: Monitor and manage printers with SQL
     Checking security on IBM i systems: the Audit Journal
     The first JDBC connection from C# to IBM i
     JTOpen, develop applications in .Net for IMB i
     DB2 for i: manage dates in SQL
     Get system info in SQL

    Manage, analyze and control your Systems IBM i
    Download, install and use in seconds
      IBM i Monitoring Facility - Check is completely free until the end of the month
    • Update cookies preferences