Analyzing Security Audit Journal

15 pts.
Tags:
AS/400 audit
AS/400 journaling
AS/400 security
Security audits
V5R4
Hello, could you please tell me where I can find a book, guide or course about Tracking and Analyzing the Security Audit Journal on iSeries? I have tried Appendix F of the Security Guide, but not all entries are there and it does not explain how to analyze the records in the journal. Thanks a lot

Software/Hardware used:
iSeries V5R4


I would start with understanding how to extract information from QAUDJRN; here are a couple of links to help:

http://systeminetwork.com/article/extracting-information-qaudjrn
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/cl/cpyaudjrne.htm
http://systeminetwork.com/article/user-auditing-made-easier-addusraud-and-rmvusraud-commands

Now that you have your data, you can compare it to the values in Appendix F.

====================================================================

Appendix F of the Security Reference is the definitive guide to audit entries in QAUDJRN. If an entry isn’t listed, you’re using an out of date reference guide or IBM made a documentation error or you’re processing entries that aren’t audit entries (and probably shouldn’t be processed.) And, come to think of it, an additional possibility is an entry type that was added by a PTF after the publication date of the reference guide. A PTF cover letter should indicate a location for documentation.

If IBM made a documentation error, report it to them. They might point you to additional documentation. (I’d be surprised if you found an entry that they haven’t already covered.)

If you’re using an older reference guide, download a current one.

If you’re processing other entries (e.g., entries with journal codes other than ‘T’), then you might be on your own.

What entry codes do you need help with? Or are they entries with entry code ‘T’ but that have entry types that you don’t see in Appendix F?

Tom

Discuss This Question: 3 Replies

  • Abigail
    Another site I use most often: http://publib.boulder.ibm.com/infocenter/iseries/v6r1m0/advanced/tocView.jsp?view=toc&topic=/rzarl/rzarlf77.htm&topic=/rzarl/rzarlf77.htm
  • Fabypaumc
    Hello, thanks for your answer. The problem I have is that I am analyzing DFU use, so I read "ZC" entries with program "QPDZDT". Every time I have analyzed, I have found that *FILE objects were edited, but now I have found these entries on *OUTQ objects and I do not know how to understand that there could be DFU use over *OUTQ objects.
  • TomLiotta

    ...I do not know how to understand that there could be DFU use over *OUTQ objects.

    DFU typically creates a spooled report and places its entry onto an *OUTQ.

    Tom

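The extraction step in the first answer (copy the ZC entries out of QAUDJRN with CPYAUDJRNE, then interpret them against Appendix F) and the DFU question in the replies can be tied together with a small analysis script. The following is an added example, not code from the thread or from IBM: it assumes the ZC entries were copied to an outfile with CPYAUDJRNE ENTTYP(ZC) and exported as CSV, and it uses the QASYZCJ5-style column names (ZCUSER, ZCPGM, ZCONAM, ZCOLIB, ZCOTYP) as an assumption; map them to whatever your export actually contains. The sample records are constructed, not real audit data. It separates DFU (QPDZDT) changes to *FILE objects, which are the interactive data edits a reviewer wants to see, from the *OUTQ entries that, as Tom notes, come from DFU writing its spooled report.

```python
"""Summarize ZC (object change) audit entries exported from QAUDJRN.

Added example for this thread, not IBM code. Assumed input: the CSV export
of a CPYAUDJRNE ENTTYP(ZC) outfile. Column names below follow the QASYZCJ5
model outfile convention and are an assumption; adjust to your export.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not real audit data).
SAMPLE_CSV = """ZCENTT,ZCTSTP,ZCUSER,ZCPGM,ZCPGMLIB,ZCONAM,ZCOLIB,ZCOTYP
C,2011-03-01-09.15.22,JSMITH,QPDZDT,QSYS,CUSTMAST,PRODLIB,*FILE
C,2011-03-01-09.16.05,JSMITH,QPDZDT,QSYS,CUSTMAST,PRODLIB,*FILE
C,2011-03-01-10.02.41,JSMITH,QPDZDT,QSYS,QPRINT,QGPL,*OUTQ
C,2011-03-01-11.30.00,ABATCH,PAYUPD,PAYLIB,PAYROLL,PRODLIB,*FILE
C,2011-03-02-08.45.13,OPERATOR,QPDZDT,QSYS,ORDHDR,PRODLIB,*FILE
"""

# Program name the thread associates with DFU.
DFU_PROGRAM = "QPDZDT"


def parse_zc_export(text):
    """Read the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_by_program(rows):
    """Map each changing program to a Counter of object types it touched.

    This is the quick overview: which programs change which kinds of
    objects. DFU showing up against *OUTQ as well as *FILE is expected.
    """
    summary = defaultdict(Counter)
    for row in rows:
        summary[row["ZCPGM"]][row["ZCOTYP"]] += 1
    return summary


def dfu_file_changes(rows, program=DFU_PROGRAM):
    """(user, library, object) for DFU changes to *FILE objects.

    These are the interactive data edits worth reviewing one by one.
    """
    return [(r["ZCUSER"], r["ZCOLIB"], r["ZCONAM"])
            for r in rows
            if r["ZCPGM"] == program and r["ZCOTYP"] == "*FILE"]


def dfu_other_objects(rows, program=DFU_PROGRAM):
    """(user, library, object, type) for DFU entries on non-*FILE objects.

    Kept separate so that *OUTQ entries from DFU's spooled report do not
    get counted as data edits, but are still visible if something else
    unexpected appears here.
    """
    return [(r["ZCUSER"], r["ZCOLIB"], r["ZCONAM"], r["ZCOTYP"])
            for r in rows
            if r["ZCPGM"] == program and r["ZCOTYP"] != "*FILE"]


def edits_per_user_and_file(rows, program=DFU_PROGRAM):
    """Count DFU *FILE edits per (user, library/object) for the review report."""
    counts = Counter()
    for user, lib, obj in dfu_file_changes(rows, program):
        counts[(user, f"{lib}/{obj}")] += 1
    return counts


if __name__ == "__main__":
    records = parse_zc_export(SAMPLE_CSV)
    for pgm, types in summarize_by_program(records).items():
        print(pgm, dict(types))
    print("DFU data edits:", edits_per_user_and_file(records))
    print("DFU non-file objects:", dfu_other_objects(records))
```

On a real system the same separation can be done with SQL over the CPYAUDJRNE outfile (selecting on the program and object type columns); the script form is useful when the export is reviewed off-box or kept as evidence.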
