Security management for journals
You can use journal management to provide an audit trail of the changes made to your objects, and use the journal entries to determine which program or user made each change.
By specifying the FIXLENDTA parameter on the Change Journal (CHGJRN) or Create Journal (CRTJRN) command, you can have the following fixed-length data included in every journal entry (the FIXLENDTA value that selects each item is shown in parentheses):
- The job name (*JOB).
- The effective user profile name (*USR).
- The program name (*PGM).
- The program library name and the name of the auxiliary storage pool (ASP) device that contains the program library (*PGMLIB).
- The system sequence number (*SYSSEQ). The system sequence number gives a relative order to all journal entries in all journal receivers on the system, so entries can be ordered across receivers and across journals.
- The remote address, the address family and the remote port of the connection that caused the change (*RMTADR).
- The thread identifier (*THD). The thread identifier distinguishes between multiple threads running in the same job.
- The logical unit of work identifier (*LUW). The logical unit of work identifier relates an entry to a specific commit cycle.
- The transaction identifier (*XID). The transaction identifier relates an entry to the transaction of a specific commit cycle.
For database physical files, you can determine what changes were made to specific records by using the Compare Journal Images (CMPJRNIMG) command. However, you cannot use the CMPJRNIMG command on journal entries that have minimized entry-specific data. If the journal was created or changed with MINENTDTA(*FILE) or MINENTDTA(*FLDBDY) on the Create Journal (CRTJRN) or Change Journal (CHGJRN) command, its entries might have minimized entry-specific data.
Journal management provides a reliable audit trail for the following reasons:
- No one, not even the security officer, can remove or change individual journal entries. A journal receiver is still an object that a sufficiently authorized user can delete, however, so restrict authority to the receivers and save detached receivers promptly.
- Journal entries represent a chronological sequence of events.
- Each journal entry in the system is sequentially numbered without gaps until the CHGJRN command resets the sequence number. When you display the journal entries, there can be gaps in the sequence numbers because some journal entries are used only internally by the system. These gaps occur if you are using commitment control, database file journaling, or access-path journaling. To view the entries in the gaps, use the INCHIDENT parameter on the Display Journal (DSPJRN) command.
- The journal contains entries that indicate when each journal receiver was changed and the name of the next journal receiver in the chain.
- Whenever journaling for an object is ended, or whenever an object is restored, an entry is written.
Remember that the date and time recorded in the journal entries depend on the date and time entered during an IPL and therefore might not represent the actual date and time. Also, if you use shared files, the program name that appears in the journal entry is the name of the program that first opened the shared file, not necessarily the program that made the change.
A special journal, called the audit (QAUDJRN) journal, provides a record of many security-relevant events that occur on the system.
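The continuity properties listed above (system sequence numbers, per-receiver sequence numbers with only hidden-entry gaps, and the receiver chain recorded by the journal) can be checked offline once the entries have been exported, and the fixed-length data can then be used to attribute each change. The following is an added example, not IBM code and not part of this page. It assumes the entries were written to an outfile with DSPJRN OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) and exported as CSV, and it assumes the *TYPE5 column names used below (JOSEQN, JOSYSSEQ, JOCODE, JOENTT, JORCV, JOUSPF, JOPGM, JORADR, JOOBJ, JOESD) and that the entry-specific data of a J/NR entry starts with the next receiver name in a 10-character field; verify both against the outfile layout on your release. The sample rows, user names and program names are constructed.

```python
"""Continuity and attribution checks over exported IBM i journal entries.

Added example, not from IBM documentation or IBM tooling. Column names are
assumed to match the DSPJRN *TYPE5 outfile; the J/NR entry-specific-data
layout (receiver name in the first 10 characters) is also an assumption.
"""
import csv
import io

# Constructed sample: two receivers in one chain. RCV0001 ends with a J/NR
# entry naming RCV0002; RCV0002 starts at 1 because CHGJRN was run with
# SEQOPT(*RESET). Sequence 4 in RCV0001 is a hidden internal entry (shown by
# DSPJRN INCHIDENT(*YES)); the jump 2 -> 9 in RCV0002 is reported for review.
SAMPLE_CSV = """JOSEQN,JOSYSSEQ,JOCODE,JOENTT,JORCV,JOUSPF,JOPGM,JORADR,JOOBJ,JOESD
1,100001,R,PT,RCV0001,ALICE,PAYUPD,10.0.0.5,PAYROLL,
2,100002,R,UP,RCV0001,ALICE,PAYUPD,10.0.0.5,PAYROLL,
3,100003,R,UP,RCV0001,BOB,ADHOCSQL,192.0.2.10,PAYROLL,
5,100005,R,DL,RCV0001,BOB,ADHOCSQL,192.0.2.10,PAYROLL,
6,100006,J,NR,RCV0001,QSECOFR,QCMD,,,RCV0002   QGPL
1,100007,R,UP,RCV0002,ALICE,PAYUPD,10.0.0.5,PAYROLL,
2,100008,R,UP,RCV0002,ALICE,PAYUPD,10.0.0.5,PAYROLL,
9,100015,R,DL,RCV0002,BOB,ADHOCSQL,192.0.2.10,PAYROLL,
"""


def load_entries(text):
    """Parse the CSV export into dicts, converting the sequence fields to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["JOSEQN"] = int(r["JOSEQN"])
        r["JOSYSSEQ"] = int(r["JOSYSSEQ"])
    return rows


def check_system_sequence(entries):
    """JOSYSSEQ orders entries across all receivers: it must only increase.
    Returns (previous, current) pairs where it did not."""
    return [
        (prev["JOSYSSEQ"], cur["JOSYSSEQ"])
        for prev, cur in zip(entries, entries[1:])
        if cur["JOSYSSEQ"] <= prev["JOSYSSEQ"]
    ]


def check_receiver_sequences(entries):
    """Within one receiver JOSEQN must climb by exactly 1.
    A gap usually means entries hidden from a default DSPJRN (commitment
    control, access-path journaling) and should be re-checked with
    INCHIDENT(*YES). A step backwards inside one receiver is never expected,
    because the sequence is reset only when a new receiver is attached."""
    gaps, backwards = [], []
    last = {}  # receiver name -> last JOSEQN seen in it
    for e in entries:
        rcv, seq = e["JORCV"], e["JOSEQN"]
        if rcv in last:
            if seq <= last[rcv]:
                backwards.append((rcv, last[rcv], seq))
            elif seq != last[rcv] + 1:
                gaps.append((rcv, last[rcv], seq))
        last[rcv] = seq
    return gaps, backwards


def check_receiver_chain(entries):
    """Each J/NR entry names the next receiver; the entry that follows it must
    come from that receiver. A missing or substituted receiver shows up here."""
    breaks = []
    for i, e in enumerate(entries):
        if e["JOCODE"] == "J" and e["JOENTT"] == "NR":
            named = e["JOESD"][:10].strip()  # assumed layout: name(10) library(10)
            actual = entries[i + 1]["JORCV"] if i + 1 < len(entries) else None
            if actual != named:
                breaks.append((e["JORCV"], named, actual))
    return breaks


def who_changed(entries, obj):
    """Attribute every record-level change (journal code R) to the effective
    user, program and remote address captured by FIXLENDTA."""
    return [
        (e["JORCV"], e["JOSEQN"], e["JOENTT"], e["JOUSPF"], e["JOPGM"], e["JORADR"])
        for e in entries
        if e["JOCODE"] == "R" and e["JOOBJ"] == obj
    ]


if __name__ == "__main__":
    ents = load_entries(SAMPLE_CSV)
    print("system sequence problems:", check_system_sequence(ents))
    gaps, backwards = check_receiver_sequences(ents)
    print("gaps to re-check with INCHIDENT(*YES):", gaps)
    print("backwards steps (suspect):", backwards)
    print("receiver chain breaks:", check_receiver_chain(ents))
    for change in who_changed(ents, "PAYROLL"):
        print("PAYROLL change:", change)
```

Any gap this reports should be re-dumped with DSPJRN INCHIDENT(*YES); if the gap is still present with hidden entries shown, or a sequence number steps backwards inside one receiver, or a J/NR entry names a receiver that never appears, treat that receiver as suspect and compare it with the saved copy.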