Audit Journal Monitoring with QMessage Monitor

Audit Journal Monitoring

This is a step-by-step guide to implementing audit journal monitoring within QMessage Monitor. This feature allows you to monitor the QAUDJRN security journal in real time. When you configure the monitor to monitor the message queue MMAUDJRN in the QMessage Monitor installed library, it creates the MMAUDJRN queue automatically; however, system auditing needs to be set up manually, if required. The entries are turned into messages that can be seen in the message file MMAUDJRN. The command MMAJFMNT can be used to set up filters to limit the number of audit journal entries converted.

Create Journal Receiver

The first thing to do is manually set up the level of auditing that's required. In this example, we'll create a journal receiver called QAUDJRN001 in library QSYS:

Create Journal

We now have to create the journal. In this example, we'll create a journal called QAUDJRN in library QSYS:

Set Up Audit Control

We now have to set up the audit control by amending the value in system value QAUDCTL. This system value contains the on and off switches for object and user-level auditing.

In this example, we'll set the value to *AUDLVL and *NOQTEMP:

Review the System Value QUADLVL section below for further information.

Set Up Auditing Level

We now have to set up the auditing level by amending the value in system value QAUDLVL. This value controls the level of auditing on the system. In this example, we'll set the value to all those available:

We have now started auditing for all possible options on the system.

We now have to set up QMessage Monitor to receive the updates.

Review the System Value QUADLVL section below for further information.

Defining Audit Journal Filters

As the system can generate a large number of entries during certain operations, the MMAJFMNT program allows you to specify an initial filter. You can limit the types of records that are converted using this program. You can enter a combination of an E to exclude journal entries, or an I to include entries, together with the severity field that's used to select record types within the class. Audit records are converted to messages, which can be seen in the message file MMAUDJRN. Use the WRKMSGF to look at the messages and their severities.

For an Include Record, records are selected if their severity is greater than or equal to the entered value. For an Exclude Record, records are excluded if their severity is less than the entered value.

In the following example, a default filter for all systems has been created. The top section shows a number of excluded codes and the bottom section lists all the included codes. Additional detailed filters can be applied at a Message ID level (second tab), and also at a system level.

Defining the MMAUDJRN Message Queue

If you configure the MMAUDJRN message queue in the QMessage Monitor installed library, then the monitor will convert entries from the audit journal to messages in this queue. You can use the MMAJFMNT command to set up an initial filter (as previously mentioned) to reduce the number of entries converted; otherwise the number of messages generated can be very great.

The following screen shows the queue defined and operational on two systems:

The following screen shows the queue with some example messages:

Audit Journal Filters

Code	Description
**	All entries
AD	Auditing changes
AF	Authority failure
AP	Obtaining adopted authority
CA	Authority changes
CD	Command string audit
CO	Create object
CP	User profile changed, created, or restored
CQ	Change of *CRQD object
CU	Cluster Operations
CV	Connection verification
CY	Cryptographic Configuration
DI	Directory Services
DO	Delete object
DS	DST security password reset
EV	System environment variables
GR	Generic record
GS	Socket description was given to another job
IP	Interprocess Communication
IR	IP Rules Actions
IS	Internet security management
JD	Change to user parameter of a job description
JS	Actions that affect jobs
KF	Key ring file
LD	Link, unlink, or look up directory entry
ML	Office services mail actions
NA	Network attribute changed
ND	APPN directory search filter violation
NE	APPN end point filter violation
OM	Object move or rename
OR	Object restore
OW	Object ownership changed
O1	(Optical Access) Single File or Directory
O2	(Optical Access) Dual File or Directory
O3	(Optical Access) Volume
PA	Program changed to adopt authority
PG	Change of an object's primary group
PO	Printed output
PS	Profile swap
PW	Invalid password
RA	Authority change during restore
RJ	Restoring job description with user profile specified
RO	Change of object owner during restore
RP	Restoring adopted authority program
RU	Restoring user profile authority
RZ	Changing a primary group during restore
SD	Changes to system distribution directory
SE	Subsystem routing entry changed
SF	Actions to spooled files
SK	Secure sockets connections
SM	System management changes
SO	Server security user information actions
ST	Use of service tools
SV	System value changed
VA	Changing an access control list
VC	Starting or ending a connection
VL	Account limit exceeded
VN	Logging on and off the network
VP	Network password error
VU	Changing a network profile
VV	Changing service status

System Value: QAUDLVL

Security Auditing Level Options

This is a list of the security auditing level options for the system value QAUDLVL. They're described in detail in the following sections.

*AUTFAIL

*CREATE

*DELETE

*JOBDTA

*NETCMN

*OBJMGT

*OFCSRV

*OPTICAL

*PGMADP

*PGMFAIL

*PRTDTA

*SAVRST

*SECURITY

*SERVICE

*SPLFDTA

*SYSMGT

QAUDLVL - Controls the level of action auditing on the system.

If the QAUDLVL system value contains the value *AUDLVL2, then the values in the QAUDLVL2 system value will also be used. If the QAUDLVL system value does not contain the value *AUDLVL2, then the values in the QAUDLVL2 system value will be ignored. You must have *AUDIT special authority to change this system value. A change to this system value takes effect immediately for all jobs running on the system. The shipped value is *NONE.

The auditing options are described in the following sections.

*NONE

No security action auditing will occur on the system. This is the shipped value.

*AUDLVL2

Both QAUDLVL and QAUDLVL2 system values will be used to determine the security actions to be audited.

Note:

If you wish to use the QAUDLVL2 system value exclusively, set the QAUDLVL system value to *AUDLVL2 and add your auditing values to the QAUDLVL2 system value.
If you wish to use both system values, set your values in the QAUDLVL system value along with the *AUDLVL2 value, then add any additional values to the QAUDLVL2 system value.

*AUTFAIL

Authorization failures are audited. The following are some examples:

All access failures (sign-on, authorization, job submission)
Incorrect password or user ID entered from a device

*CREATE

All object creations are audited. The following are some examples. Note: Objects created in library QTEMP are not audited.

Newly created objects
Objects created to replace an existing object

*DELETE

All deletions of external objects on the system are audited. Note: Objects deleted from library QTEMP are not audited.

*JOBDTA

Actions that affect a job are audited. The following are some examples:

Job start and stop data
Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
Changing a thread's active user profile or group profiles

*NETBAS

Network base functions are audited. The following are some examples:

IP rules actions
Sockets connections
APPN Directory search filter
APPN end point filter

*NETCLU

Cluster or cluster resource group operations are audited. The following are some examples:

Add, create, and delete
Distribution
End
Fail over
List information
Removal
Start
Switch
Update attributes

*NETCMN

Networking and communications functions are audited. The following are some examples:

Network base functions (See *NETBAS)
Cluster or cluster resource group operations (See *NETCLU)
Network failures (See *NETFAIL)
Sockets functions (See *NETSCK)

Note:

*NETCMN is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *NETCMN. The following values make up *NETCMN:

*NETBAS
*NETCLU
*NETFAIL
*NETSCK

*NETFAIL

Network failures are audited. The following are some examples:

Socket port not available

*NETSCK

Sockets tasks are audited. The following are some examples:

Accept
Connect
DHCP address assigned
DHCP address not assigned
Filtered mail
Reject mail

*OBJMGT

Generic object tasks are audited. The following are some examples:

Moves of objects
Renames of objects

*OFCSRV

OfficeVision for AS/400 are audited. The following are some examples:

Changes to the system distribution directory
Tasks involving electronic mail

*OPTICAL

All optical functions are audited. The following are some examples:

Add or remove optical cartridge
Change the authorization list used to secure an optical volume
Open optical file or directory
Create or delete optical directory
Change or retrieve optical directory attributes
Copy, move, or rename optical file
Copy optical directory
Back up optical volume
Initialize or rename optical volume
Convert backup optical volume to a primary volume
Save or release held optical file
Absolute read of an optical volume

*PGMADP

Adopting authority from a program owner is audited.

*PGMFAIL

Program failures are audited. The following are some examples:

Blocked instruction
Validation value failure
Domain violation

*PRTDTA

Printing functions are audited. The following are some examples:

Printing a spooled file
Printing with parameter SPOOL(*NO)

*SAVRST

Save and restore information is audited. The following are some examples:

When programs that adopt their owner's user profile are restored
When job descriptions that contain user names are restored
When ownership and authority information changes for objects that are restored
When the authority for user profiles is restored
When a system state program is restored
When a system command is restored
When an object is restored

*SECCFG

Security configuration is audited. The following are some examples:

Create, change, delete, and restore operations of user profiles
Changes to programs (CHGPGM) that now adopt the owner's profile
Changes to system values, environment variables, and network attributes
Changes to subsystem routing
When the QSECOFR password is reset to the shipped value from DST
When the password for the service tools security officer user ID is requested to be defaulted.
Changes to the auditing attribute of an object

*SECDIRSRV

Changes or updates when doing directory service functions are audited. The following are some examples:

Audit change
Successful bind
Authority change
Password change
Ownership change
Successful unbind

*SECIPC

Changes to interprocess communications are audited. The following are some examples:

Ownership or authority of an IPC object changed
Create, delete, or get of an IPC object
Shared memory attach

*SECNAS

Network authentication service actions are audited. The following are some examples:

Service ticket valid
Service principals do not match
Client principals do not match
Ticket IP address mismatch
Decryption of the ticket failed
Decryption of the authenticator failed
Realm is not within client and local realms
Ticket is a replay attempt
Ticket not yet valid
Remote or local IP address mismatch
Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
KRB_AP_PRIV or KRB_AP_SAFE - timestamp error, replay error, sequence order error
GSS accept - expired credentials, checksum error, channel bindings
GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, sequence error

*SECRUN

Security run time functions are audited. The following are some examples:

Changes to object ownership
Changes to authorization list or object authority
Changes to the primary group of an object

*SECSCKD

Socket descriptors are audited. The following are some examples:

A socket descriptor was given to another job
Receive descriptor
Unable to use descriptor

*SECURITY

All security-related functions are audited.

Security configuration (See *SECCFG)
Changes or updates when doing directory service functions (See *SECDIRSRV)
Changes to interprocess communications (See *SECIPC)
Network authentication service actions (See *SECNAS)
Security run time functions (See *SECRUN)
Socket descriptor (See *SECSCKD)
Use of verification functions (See *SECVFY)
Changes to validation list objects (See *SECVLDL)

Note: *SECURITY is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *SECURITY. The following values make up *SECURITY.

*SECCFG
*SECDIRSRV
*SECIPC
*SECNAS
*SECRUN
*SECSCKD
*SECVFY
*SECVLDL

*SECVFY

Use of verification functions are audited. The following are some examples:

A target user profile was changed during a pass-through session
A profile handle was generated
All profile tokens were invalidated
Maximum number of profile tokens has been generated
A profile token has been generated
All profile tokens for a user have been removed
User profile authenticated
An office user started or ended work on behalf of another user

*SECVLDL

Changes to validation list objects are audited. The following are some examples:

Add, change, and remove of a validation list entry
Find of a validation list entry
Successful and unsuccessful verify of a validation list entry

*SERVICE

For a list of all the service commands and API calls that are audited, see the OS/400 Security Reference publication.

*SPLFDTA

Spooled file functions are audited. The following are some examples:

Create, delete, display, copy, hold, and release a spooled file
Get data from a spooled file (QSPGETSP)
Change spooled file attributes (CHGSPLFA command)

*SYSMGT

System management tasks are audited. The following are some examples:

Hierarchical file system registration
Changes for Operational Assistant functions
Changes to the system reply list
Changes to the DRDA relational database directory
Network file operations

Audit Journal Monitoring with QMessage Monitor