Auditing intrusion detection activities

It is important to audit intrusion detection activities. If the intrusion detection system flags a suspicious event, it writes an Intrusion Monitor (IM) audit record.

The audit record is written to the security audit journal whenever the QAUDCTL system value contains *AUDLVL and either the QAUDLVL or the QAUDLVL2 system value contains *ATNEVT.

To set *ATNEVT in the QAUDLVL2 system value, first set *AUDLVL2 in the QAUDLVL system value. To view the IM audit records, follow these steps:

  1. To display all of the audit journals, type the following command from the command line:

    DSPJRN QAUDJRN

    If you find an audit record of type IM, that means that IDS has flagged a suspicious event. If no IM audit records are displayed, IDS has not detected any suspicious events. (To display only the IM audit records, issue the DSPJRN QAUDJRN ENTTYP(IM) command.)

  2. Type 5 (Display Entire Entry) to view the contents of the IM audit record.

    Some fields in the IM record are in hexadecimal format. To view those hexadecimal fields, press F11 (Display hexadecimal format).

  3. Report suspicious events to your systems administrator to take appropriate action, such as closing the port or locating the spoofed IP address.

Now, you are ready to analyze the IM audit records. The audit record is the only way of alerting a system administrator that a suspicious event has taken place.
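The following CL sequence is an added example, not part of the original topic, that carries the procedure above through end to end: it checks and sets the three system values that gate IM records, then extracts the IM entries into a database file so they can be queried instead of paged through with option 5 and F11. The library MYLIB, the output file IMAUDIT, and the QAUDLVL values shown next to *AUDLVL2 are assumptions chosen for the example; replace them with your own library and with the audit levels your system already has.

```cl
/* Added example (not from the IBM topic). Library MYLIB and file  */
/* IMAUDIT are placeholders; *AUTFAIL and *SECURITY stand in for   */
/* whatever QAUDLVL already contains on your system.                */

/* 1. Confirm the current auditing controls before changing them.  */
/*    CHGSYSVAL replaces the whole list, so note every value that  */
/*    is already present and repeat it in the VALUE() parameter.    */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
DSPSYSVAL SYSVAL(QAUDLVL2)

/* 2. Turn on action auditing (QAUDCTL must contain *AUDLVL).      */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')

/* 3. Point QAUDLVL at QAUDLVL2 with *AUDLVL2, keeping the levels  */
/*    that were already set (here the assumed *AUTFAIL *SECURITY). */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *AUDLVL2')

/* 4. Request attention events (*ATNEVT) so IDS writes IM records. */
CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*ATNEVT')

/* 5. Create an output file from the IM model outfile QASYIMJ5 in  */
/*    QSYS so the extracted records land in a typed, queryable file.*/
CRTDUPOBJ OBJ(QASYIMJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
          TOLIB(MYLIB) NEWOBJ(IMAUDIT)

/* 6. Pull only IM entries (audit journal code T) from the current */
/*    receiver chain into that file; this is the outfile form of   */
/*    DSPJRN QAUDJRN ENTTYP(IM) from the steps above.              */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(IM) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(MYLIB/IMAUDIT) +
       ENTDTALEN(*CALC)

/* 7. Review the extracted records. An empty file means IDS has    */
/*    flagged nothing in the current receiver chain.               */
RUNQRY QRYFILE((MYLIB/IMAUDIT))
```

Running the extraction on a schedule (for example from a job scheduler entry) and keeping the IMAUDIT file gives the administrator a history of flagged events that survives receiver changes, which the interactive DSPJRN display alone does not provide.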
