Planning security auditing

Use this information to plan security auditing for your systems.

When monitoring your security, the operating system can log security events which occur on your system. These events are recorded in special system objects called journal receivers. You can set up journal receivers to record different types of security events, such as changing a system value or user profile, or an unsuccessful attempt to access an object. The following values control which events are logged:

• The audit control (QAUDCTL) system value

• The audit level (QAUDLVL) system value

• The audit level (AUDLVL) value in user profiles

• The object auditing (OBJAUD) value in user profiles and objects

• To detect attempted security violations.

• To plan migration to a higher security level.

• To monitor the use of sensitive objects, such as confidential files.

Commands are available to view the information in the audit journals in different ways.

The purpose of an audit is to detect and log activities that might compromise the security of your system. When you choose to log actions that occur on your systems, you might experience a trade-off in performance and, in some cases, loss of disk space. If you decide to log security-related events on your systems, the eServer™ Security Planner will provide some recommendations about what level of auditing you should do.

To plan the use of security auditing on your system, follow these steps:

• Use the eServer Security Planner to see what it recommends about what level of auditing you should do based on your system configuration and user requirements.

• Determine which security-relevant events you want to record for all system users. The auditing of security-relevant events is called action auditing.

• Check whether you need additional auditing for specific users.

• Decide whether you want to audit the use of specific objects on the system.

• Determine whether object auditing should be used for all users or specific users.

The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system. You use system values, user profile parameters, and object parameters to define auditing.

The security auditing function is optional. You must take specific steps to set up security auditing.

You can define auditing on your system at three different levels:

• System-wide auditing that occurs for all users.

• Auditing that occurs for specific objects.

• Auditing that occurs for specific users.

When a security-related event that may be audited occurs, the system checks whether you have selected that event for audit. If you have, the system writes a journal entry in the current receiver for the security auditing journal (QAUDJRN in library QSYS).

For information on planning the auditing of actions and auditing of object access, see Chapter 9 of the iSeries™ Security Reference.

• Checklists for security auditing
  Use this checklist to plan and audit system security.

• Setting up security auditing
  This topic describes how to set up security auditing, explains why it is important, and provides step-by-step instructions. The system collects security events in the QAUDJRN journal.

• Using the security audit journal
  The security audit journal is the primary source of auditing information on the system. A security auditor inside or outside your organization can use the auditing function provided by the system to gather information about security-related events that occur on the system.

• Analyzing object authorities
  This topic describes how to analyze object authorities and provides step-by-step instructions.

• Analyzing programs that adopt authority
  This topic describes the step-by-step procedure for analyzing programs that adopt authority.

• Analyzing user profiles
  This topic describes how to analyze user profiles and provides step-by-step instructions.

• Auditing the security officer's actions
  A security officer or security administrator is responsible for the security on a system. A security officer has *ALLOBJ and *SECADM special authority.

Parent topic:

Related concepts
Security audits