By Rich Loeber
Every IBM i shop has a few super users that you, as security officer, have to be concerned about. For one reason or another, a few user profiles just have to have full access to your system. This tip will show you one way to check up on what these users are up to, using the system security journal.
For specific user profiles, you can implement additional security auditing that is over and above what your system is configured to capture. To make sure that your super users are not overstepping their bounds, you can set up the security journal to capture additional security events for these specific profiles.
To get started, you need to have the security journal active on your system. If it is not active, you can just run the Change Security Auditing (CHGSECAUD) command. Running the command with the defaults shipped with the OS will set up the security journal (QAUDJRN). Setting the default values to *NONE limits what the security journal captures, so you can experiment with tracking an individual user profile's activity. Of course, if you already have the security journal active and running on your system, you can skip this step and continue with setting up the individual profile controls.
With the security audit journal active, you are now able to set up specific event controls at the user profile level. This is done using the Change User Auditing (CHGUSRAUD) command. Type this command in and use the F4 key to prompt for the parameters. For this tip, we'll concentrate on the "User action auditing" (AUDLVL) parameter and what things you can track at the user profile level. These include the following:
Different levels of IBM's i/OS include a number of new/different functions that you may want to explore. The AUDLVL parameter accepts many more options than I've listed here. For your installation, you may find some of the other values of particular interest.
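The sequence described above, as an added example that is not part of the original tip. It assumes a hypothetical profile named SUPERUSR, picks *CMD and *SECURITY as the AUDLVL values to try, and is run by a user with *AUDIT special authority; the review step with CPYAUDJRNE and RUNQRY is one way to read the entries back and is also an assumption of this example.

```cl
/* Added example. SUPERUSR is a hypothetical profile name.            */

/* 1. Activate the security journal (skip if QAUDJRN is already       */
/*    active). QAUDCTL(*AUDLVL) lets per-profile AUDLVL settings take */
/*    effect; QAUDLVL(*NONE) keeps system-wide capture off while you  */
/*    experiment with a single profile.                               */
CHGSECAUD  QAUDCTL(*AUDLVL) QAUDLVL(*NONE)

/* 2. Turn on extra action auditing for the one super user profile.   */
/*    *CMD logs command strings (CD entries); *SECURITY logs          */
/*    security-related changes.                                       */
CHGUSRAUD  USRPRF(SUPERUSR) AUDLVL(*CMD *SECURITY)

/* 3. Later, copy that profile's CD entries from the journal to an    */
/*    outfile. With the default OUTFILE, the entry type is appended   */
/*    to the file name, giving QTEMP/QAUDITCD.                        */
CPYAUDJRNE ENTTYP(CD) USRPRF(SUPERUSR) JRNRCV(*CURCHAIN)

/* 4. Review the copied entries.                                      */
RUNQRY     QRY(*NONE) QRYFILE((QTEMP/QAUDITCD))
```

If QAUDCTL does not include *AUDLVL, the AUDLVL values set on the profile are stored but nothing is journaled for them, so check that system value first when entries do not appear.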
A nice side benefit of logging super user activity to the security journal is that it is a good proof for your auditors that super user profiles are being used responsibly. Every auditor I know of who knows what they are doing is concerned about what super users are up to. This method goes a long way to satisfy their requirements.
If you have any questions about anything included in this tip, you can reach me at rich at kisco.com. All email messages will be answered as quickly as possible.