After the initial configuration of a user profile on your system, are you watching for later changes to ensure your security scheme is still being maintained over the profile's life?
Passive Audit
For passive audit of user profiles, use the system security audit journal (QAUDJRN); user profile changes are written there as journal code T, entry type CP.
For reporting, you can export those security audit journal entries to a database file. First duplicate the IBM-supplied model outfile for CP entries, then dump the current receiver chain into it:
CRTDUPOBJ OBJ(QASYCPJ4) FROMLIB(QSYS) OBJTYPE(*FILE)
          TOLIB(QTEMP) NEWOBJ(TCPFILE)

DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T))
       ENTTYP(CP) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4)
       OUTFILE(QTEMP/TCPFILE)
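The same CP entries can be read directly from QAUDJRN with the QSYS2.DISPLAY_JOURNAL table function, which avoids the outfile step and lets you filter and sort in SQL. The query below is an added example, not part of the original post or of the author's products; the parameter and column names follow IBM's documented service, so confirm them against your release, and the 7-day window is an arbitrary value chosen here.

```sql
-- Added example (not from the original post). Reads CP (user profile change)
-- audit entries straight from QAUDJRN via QSYS2.DISPLAY_JOURNAL instead of
-- exporting them with DSPJRN. Names follow IBM's documented service; verify on
-- your release. CP entries are only written when QAUDLVL includes *SECURITY.
SELECT ENTRY_TIMESTAMP,
       USER_NAME                 AS CHANGED_BY,     -- user of the job that made the change
       JOB_NAME,
       PROGRAM_NAME,                                -- program that issued the change
       REMOTE_ADDRESS,                              -- present for network-originated jobs
       OBJECT                    AS OBJECT_NAME,    -- object fields recorded on the entry
       OBJECT_TYPE,
       SUBSTR(ENTRY_DATA, 1, 1)  AS CP_ENTRY_TYPE,  -- first byte of the entry-specific data;
                                                    -- decode with the QASYCPJ4 layout
       ENTRY_DATA
FROM TABLE (
  QSYS2.DISPLAY_JOURNAL(
    JOURNAL_LIBRARY        => 'QSYS',
    JOURNAL_NAME           => 'QAUDJRN',
    STARTING_RECEIVER_NAME => '*CURCHAIN',                 -- whole current chain, as DSPJRN above
    JOURNAL_CODES          => 'T',                         -- audit entries
    JOURNAL_ENTRY_TYPES    => 'CP',                        -- user profile changes only
    STARTING_TIMESTAMP     => CURRENT TIMESTAMP - 7 DAYS   -- constructed window; adjust as needed
  )
) AS J
ORDER BY ENTRY_TIMESTAMP DESC;
```

Run it in ACS Run SQL Scripts like the USER_INFO query later in this post. A practical check before relying on either method: if the query returns nothing after a known profile change, confirm that QAUDCTL includes *AUDLVL and that QAUDLVL includes *SECURITY, since no CP entry is written otherwise.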
User Profiles in IBM i SQL services
The QSYS2.USER_INFO and USER_INFO_BASIC services provide most of the detail you need to extract baseline reports; see the IBM documentation for the full column list.
The following sample query, run in ACS Run SQL Scripts, returns a list of users with expired passwords:
-- Users whose password has expired, least recently signed-on first;
-- profiles that have never signed on (PREVIOUS_SIGNON is null) sort to the top.
select *
from QSYS2.USER_INFO_BASIC
where DAYS_UNTIL_PASSWORD_EXPIRES = 0
order by coalesce(PREVIOUS_SIGNON, current timestamp - 100 years) asc;
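A single query tells you the state of profiles today; a baseline report is only useful if you keep a snapshot and compare against it later. The script below is an added example, not from the original post or the author's products: it stores a snapshot of the security-relevant USER_INFO columns in a table and then reports every profile that was created, deleted, or changed since the snapshot. The library USRAUDIT and table USRBASE are hypothetical names; the column names are those of IBM's documented QSYS2.USER_INFO service and should be confirmed on your release.

```sql
-- Added example (not from the original post). Baseline-and-diff of user
-- profile attributes using QSYS2.USER_INFO. USRAUDIT/USRBASE are hypothetical
-- names; choose a library that ordinary users cannot update.

-- 1. Take the baseline snapshot (run once, and again after each approved review).
CREATE TABLE USRAUDIT.USRBASE AS (
  SELECT CURRENT TIMESTAMP AS SNAPSHOT_TS,
         AUTHORIZATION_NAME, STATUS, USER_CLASS_NAME, SPECIAL_AUTHORITIES,
         GROUP_PROFILE_NAME, LIMIT_CAPABILITIES, NO_PASSWORD_INDICATOR,
         PASSWORD_EXPIRATION_INTERVAL
  FROM QSYS2.USER_INFO
) WITH DATA;

-- 2. Drift report: anything that differs from the baseline. COALESCE turns
--    nulls into comparable sentinels, because NULL <> NULL is not true in SQL.
WITH cur AS (
  SELECT AUTHORIZATION_NAME, STATUS, USER_CLASS_NAME, SPECIAL_AUTHORITIES,
         GROUP_PROFILE_NAME, LIMIT_CAPABILITIES, NO_PASSWORD_INDICATOR,
         PASSWORD_EXPIRATION_INTERVAL
  FROM QSYS2.USER_INFO
)
SELECT COALESCE(c.AUTHORIZATION_NAME, b.AUTHORIZATION_NAME) AS USER_NAME,
       CASE WHEN b.AUTHORIZATION_NAME IS NULL THEN 'NEW PROFILE'
            WHEN c.AUTHORIZATION_NAME IS NULL THEN 'DELETED PROFILE'
            ELSE 'CHANGED' END                             AS DRIFT,
       b.SPECIAL_AUTHORITIES AS BASE_SPCAUT, c.SPECIAL_AUTHORITIES AS CUR_SPCAUT,
       b.USER_CLASS_NAME     AS BASE_CLASS,  c.USER_CLASS_NAME     AS CUR_CLASS,
       b.GROUP_PROFILE_NAME  AS BASE_GROUP,  c.GROUP_PROFILE_NAME  AS CUR_GROUP,
       b.STATUS              AS BASE_STATUS, c.STATUS              AS CUR_STATUS,
       b.LIMIT_CAPABILITIES  AS BASE_LMTCPB, c.LIMIT_CAPABILITIES  AS CUR_LMTCPB,
       b.NO_PASSWORD_INDICATOR AS BASE_NOPWD, c.NO_PASSWORD_INDICATOR AS CUR_NOPWD,
       b.PASSWORD_EXPIRATION_INTERVAL AS BASE_PWDEXPITV,
       c.PASSWORD_EXPIRATION_INTERVAL AS CUR_PWDEXPITV
FROM cur c
FULL OUTER JOIN USRAUDIT.USRBASE b
  ON c.AUTHORIZATION_NAME = b.AUTHORIZATION_NAME
WHERE b.AUTHORIZATION_NAME IS NULL
   OR c.AUTHORIZATION_NAME IS NULL
   OR COALESCE(c.STATUS, '')                <> COALESCE(b.STATUS, '')
   OR COALESCE(c.USER_CLASS_NAME, '')       <> COALESCE(b.USER_CLASS_NAME, '')
   OR COALESCE(c.SPECIAL_AUTHORITIES, '')   <> COALESCE(b.SPECIAL_AUTHORITIES, '')
   OR COALESCE(c.GROUP_PROFILE_NAME, '')    <> COALESCE(b.GROUP_PROFILE_NAME, '')
   OR COALESCE(c.LIMIT_CAPABILITIES, '')    <> COALESCE(b.LIMIT_CAPABILITIES, '')
   OR COALESCE(c.NO_PASSWORD_INDICATOR, '') <> COALESCE(b.NO_PASSWORD_INDICATOR, '')
   OR COALESCE(c.PASSWORD_EXPIRATION_INTERVAL, -1)
      <> COALESCE(b.PASSWORD_EXPIRATION_INTERVAL, -1)
ORDER BY DRIFT, USER_NAME;
```

The columns tracked here are the ones that most often signal a silent privilege change: special authorities (for example a newly added *ALLOBJ), user class, group membership, limited-capability setting, and password policy. Each row the report returns should be matched to a CP entry in QAUDJRN from the passive audit above; a drift row with no corresponding journal entry means auditing was off, or the change was made by some path you are not journaling.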
Real-time Monitoring
For critical or sensitive user profiles you may want more immediate, real-time notification of changes. You can use exit points for this; there are four key user profile exit points to monitor.
Our iEventMonitor software supports this capability with built-in alerts for user profile changes.
In this example, an alert has been sent for a password change:
And for an invalid password attempt:
Custom user profile exit programs
Our product, SafeNet/i, gives customers the ability to integrate their own exit point programs for several user profile exits in the IBM i OS. See the following screenshot for the exits in question.