Watching Your Super Users

By Rich Loeber

Every IBM i shop has a few super users that you, as security officer, have to be concerned about. For one reason or another, a few user profiles just have to have full access to your system. This tip will show you one way to check up on what these users are up to, using the system security journal.

For specific user profiles, you can implement additional security auditing that is over and above what your system is configured to capture. To make sure that your super users are not over stepping their bounds, you can set up the security journal to capture additional security events for these specific profiles.

To get started, you need to have the security journal active on your system. If it is not active, you can just run the Change Security Auditing (CHGSECAUD) command. Running the command with the defaults shipped with the OS will set up the security journal (QAUDJRN). By setting the default values to *NONE, you will limit what the security journal captures so you can experiment with tracking an individual user profile's activity. Of course, if you already have the security journal active and running on your system, you can skip this step and continue on with setting up the individual profile controls.

With the security audit journal active, you are now able to set up specific event controls at the user profile level. This is done using the Change User Auditing (CHGUSRAUD) command. Type this command in and use the F4 key to prompt for the parameters. For this tip, we'll concentrate on the "User action auditing" (AUDLVL) parameter and what things you can track at the user profile level. These include the following:

• *CMD - this setting will record command strings used by the profile in the journal for your review. With this setting, you can see what specific OS commands the super user is using and make sure that command line abuse is not happening.
• *CREATE - this setting will let you track all new objects created by the super user.
• *DELETE - using this setting, you can see when a super user deletes an object. Since this is a concern for super users, you can track it easily using this method.
• *OBJMGT - this setting tracks object renames and moves.
• *SAVRST - this setting lets you track save and restore operations by the super user.
• *SERVICE - this setting lets you track the super user's use of system service tools.
• *SPLFDTA - this setting lets you track actions taken on spool files.
• *SYSMGT - this setting tracks system management functions.
• .... more

Different levels of IBM's i/OS include a number of new/different functions that you mAY want to explore. The AUDLVL parameter accepts many more options thaN I've listed here. For your installation, you may find some of the other values of particular interest.

A nice side benefit of logging super user activity to the security journal is that it is a good proof for your auditors that super user profiles are being used responsibly. Every auditor I know of who knows what they are doing is concerned about what super users are up to. This method goes a long way to satisfy their requirements.

If you have any questions about anything included in this tip you can reach me at rich at kisco.com, All email messages will be answered as quickly as possible.