Interpreting security audit information

Tags: AS/400, DataCenter, Security
Have switched auditing on for a specific directory in the IFS, and information is being collected in the audit journal. Now, how do I actually interpret when a file is deleted? I gleaned I need to look for an LD journal type - when I do a test delete of a file it generates numerous LD types, but I haven't managed to find info on how to interpret which one is the actual deletion. Any ideas will be greatly appreciated.
ASKED: February 20, 2006  7:54 PM
UPDATED: December 7, 2013  2:45 AM

Answer Wiki


The correct audit journal code for a deleted object, whether it is iSeries or IFS, is DO.

To dump the journal information into database format, IBM has provided a series of PFs in the QSYS library named QASYxxJ4, where ‘xx’ is the audit journal code entry. For the DO entries you would do a CRTDUPOBJ of file QASYDOJ4 into a library. Best if you rename this so as not to cause problems. For this example, let's say we call the new file JRNDO.

To dump the journal data, do the following, adding any other date selections, etc.:

DSPJRN JRN(QAUDJRN) ENTTYP(DO) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(JRNDO)

What you end up with is a DB formatted file that shows all delete operations on the system regardless of object type. I believe it excludes any QTEMP object deletes. For an IFS object there is a full path name field that shows the entire file name path.

This can be done for any of the journal codes.

Hope this helps.

==========================================================

As you already discovered, the correct entry type is LD (not DO). But how did you learn about LD entries without learning the format?

Formats of all security entry types are described in Appendix F of the Security Reference manual for the OS version/release that you’re running. If that doesn’t tell you what you need to know, you either need to hire someone with the knowledge or use your IBM support contract to ask ‘usage’ questions. Beyond that, it’s experiment and experience.

Tom
