Invalid login attempts in AS/400 SOX

5 pts.
Tags:
AS/400 SOX
SOX
SOX checklist
SOX compliance
Hi, for SOX auditing I need to provide Information Security with a daily list of failed login attempts (any server type) and actual logins for a list of sensitive accounts. Straightforward stuff on other platforms but I can't see how it can be done on i5/OS. I have seen a few references to doing this via system security auditing and have it configured but can't see what I should be searching for using DSPJRN and/or DSPAUDJRNE to give me the required output. Am I missing something simple or is this horribly complex? Thx.

Software/Hardware used:
V5R4

Answer Wiki

Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • TomLiotta
    Invalid logon attempts should be logged in the system audit journal, QAUDJRN, with journal code 'T' and entry type 'PW'. Successful logons can be a little more difficult because of the number of ways that logons can occur. In many sites, the vast majority of "logons" occur through server interfaces. The DATABASE server, the FILE server and other host servers might see the majority of "logons". Their mostly likely logged entry of interest would be a QAUDJRN T/JS entry with a subtype of 'M'. The 'Effective User Profile' shows the server job changing to service the new profile that made the connection. You would usually be interested only in the entries that showed a difference between 'Job User Name' and the new 'Effective User Profile'. A T/JS entry can also be logged for telnet, if those are what you're interested in. They will have a subtype of 'S' for the start of the job and 'E' for the end of the job. If the application that is accessed through telnet does any profile swaps, the 'M' subtype should show up for that job. Profile swaps might be classified as 'logons' all by themselves. Each one of those is also explicitly logged in QAUDJRN with T/PS entries. Therefore you may see T/JS entries and T/PS entries for the same events if both types of auditing are enabled. All of what you might find in QAUDJRN is dependent on the auditing options that are enabled. If audits aren't enabled, then events won't be logged. Use the various QAUD* system values to enable or disable auditing. Tom
    125,585 pointsBadges:
    report
  • londonunixguy
    [...] Invalid login attempts in AS/400 SOX [...]
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following