Checking security on IBM i systems: the Audit Journal
We know well that information systems must be made secure, but we also know that security must be checked, to understand whether the tools in use are adequate and configured in the best possible way.
Monitoring security means understanding what is happening on the systems at all times, both to comply with regulations and (more importantly) to be notified as soon as possible when incorrect or fraudulent operations are performed on business data. Your systems may be perfectly functional and performant, but without a security check you still risk serious damage to what is most precious in the company: the data.
In this article we will not start with a description of what journals are on IBM i systems; a few considerations are enough. The journals on an AS/400 system are divided into:
data journals: logs that collect what happens to the data on the system
audit journal: a log that collects what happens on the system itself
The difference between the audit journal and the data journals
The difference is very simple: the Audit Journal is unique for a single partition and it must be created with a very specific name in a well-defined library:
QAUDJRN in the QSYS library
We will not deal here with how to create and activate it; we will stay on the monitoring topic and see how to check that it exists and that it is configured to the minimum necessary.
To do this we will use the SQL services that IBM has made available since version 7.2 of the operating system.
Check in SQL if the audit journal exists and is configured
select journal_name, journal_library, attached_journal_receiver_name, attached_journal_receiver_library,
       journal_state, number_journal_receivers,
       cast(cast(total_size_journal_receivers as decimal(10,3))/1000/1000 as decimal(10,3)) as GB
from QSYS2.JOURNAL_INFO
where journal_name = 'QAUDJRN'
If no record is returned: the Audit Journal does not exist
If a record is returned but the journal_state field is different from *ACTIVE: the Audit Journal exists but is disabled
If a record is returned and the journal_state field equals *ACTIVE: the Audit Journal exists and is active
"If the Audit Journal is active, am I okay?"
Absolutely not: the Audit Journal must be configured to specify which of the activities happening on the system are to be logged. There are many events the audit journal can record, but you have to tell it which ones; otherwise you would have an empty, and therefore useless, log.
Let's see the entry types that an Audit Journal can contain and then let's see how to check which ones are already configured:
https://www.ibm.com/docs/en/i/7.4?topic=actions-security-auditing-journal-entries
Check the configuration of the Audit Journal
To do this, we look at the contents of some system values, which again we check in SQL:
select system_value_name, current_character_value
from qsys2.SYSTEM_VALUE_INFO
where system_value_name = 'QAUDCTL' and current_character_value like '%*AUDLVL%'
If no record is returned: Audit Journal not configured
If a record exists, but the current_character_value field does not contain the value *OBJAUD: Audit Journal not configured
If the record exists and the current_character_value field contains the value *OBJAUD, then I move on to the next check:
select system_value_name, current_character_value
from qsys2.SYSTEM_VALUE_INFO
where system_value_name in ('QAUDLVL', 'QAUDLVL2')
order by system_value_name
If no record is returned: Audit Journal not configured
If the first record (QAUDLVL) has the current_character_value field equal to *NONE: Audit Journal not configured
If the first record contains *AUDLVL2 or other values, then I put together the values of the two current_character_value cells (excluding a possible *NONE in the second record) and move on to the following checks:
If the combined values of the two current_character_value fields contain *JOBDTA, or both *JOBBAS and *JOBCHGUSR, then user accesses to the system, both batch and interactive, are recorded in the Audit Journal
If the combined values contain *AUTFAIL, then failed accesses to the system are recorded in the Audit Journal (wrong passwords, disabled users, non-existent users, ...)
If the combined values contain *SECVFY or the value *SECURITY, then swaps from one user profile to another are recorded in the Audit Journal
If the combined values contain *SECCFG or the value *SECURITY, then changes to the system values are recorded in the Audit Journal
... and so on. I believe these are the most important values, but many other actions can be recorded in the audit journal. For more details see https://www.ibm.com/docs/en/i/7.4?topic=actions-security-auditing-journal-entries (from the IBM website).
How to read the audit journal in a complete way? That will be the subject of a future article ... good security to all 😉
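The checks above can be folded into a single SQL statement that returns a one-row checklist, so the result can be stored or fed to a monitor. This is an added example, not code from the original article or from IBM: the QSYS2 services and their columns (JOURNAL_INFO, SYSTEM_VALUE_INFO) are the real ones used above, while the result column names (qaudjrn_state, logons_audited, ...) are my own. It goes slightly beyond the text in two places: QAUDLVL2 is merged only when QAUDLVL contains *AUDLVL2, which is the rule IBM documents for that value, and both QAUDCTL flags are reported separately (*AUDLVL is the flag that makes QAUDLVL action auditing effective, *OBJAUD the one for object auditing).

```sql
-- Added example (not from the original article): one statement that applies the
-- checks described above and returns a single-row audit checklist.
-- QSYS2.JOURNAL_INFO / QSYS2.SYSTEM_VALUE_INFO are the real services;
-- the output column names are chosen here for readability.
with sv (name, val) as (
  select system_value_name, trim(current_character_value)
  from qsys2.system_value_info
  where system_value_name in ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2')
),
lvl (audctl, audlvl) as (
  select
    coalesce((select val from sv where name = 'QAUDCTL'), ''),
    -- QAUDLVL, plus QAUDLVL2 only when QAUDLVL contains *AUDLVL2 (IBM rule);
    -- a *NONE in QAUDLVL2 is dropped, as the article does
    coalesce((select val from sv where name = 'QAUDLVL'), '') concat ' ' concat
    case when (select val from sv where name = 'QAUDLVL') like '%*AUDLVL2%'
         then replace(coalesce((select val from sv where name = 'QAUDLVL2'), ''), '*NONE', '')
         else '' end
  from sysibm.sysdummy1
)
select
  -- journal existence and state: *ACTIVE is what we want to see
  coalesce((select journal_state from qsys2.journal_info
            where journal_name = 'QAUDJRN' and journal_library = 'QSYS'),
           'MISSING') as qaudjrn_state,
  audctl,
  audlvl,
  -- QAUDCTL: which kinds of auditing are switched on at all
  case when audctl like '%*AUDLVL%' then 'YES' else 'NO' end as action_auditing_on,
  case when audctl like '%*OBJAUD%' then 'YES' else 'NO' end as object_auditing_on,
  -- QAUDLVL / QAUDLVL2: *NONE (or an empty value) means nothing is logged
  case when audlvl like '%*NONE%' or audlvl = ' ' then 'NO' else 'YES' end as action_level_configured,
  -- logons: *JOBDTA, or the pair *JOBBAS + *JOBCHGUSR that it is made of
  case when audlvl like '%*JOBDTA%'
         or (audlvl like '%*JOBBAS%' and audlvl like '%*JOBCHGUSR%')
       then 'YES' else 'NO' end as logons_audited,
  -- failed logons: wrong password, disabled or non-existent user
  case when audlvl like '%*AUTFAIL%' then 'YES' else 'NO' end as auth_failures_audited,
  -- profile swaps
  case when audlvl like '%*SECVFY%' or audlvl like '%*SECURITY%'
       then 'YES' else 'NO' end as profile_swaps_audited,
  -- changes to system values
  case when audlvl like '%*SECCFG%' or audlvl like '%*SECURITY%'
       then 'YES' else 'NO' end as sysval_changes_audited
from lvl
```

Any 'NO' in the result, or a qaudjrn_state other than *ACTIVE, is a finding to act on; because it is one row, the statement can be scheduled and its output compared day to day to catch a security configuration that was silently weakened.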
Marco Moret Monitoring Project Manager at smeup ICS