Kisco Systems

Kisco U

Monitoring user profiles


After initial configuration of a user profile on your system, are you watching for updates to ensure your security scheme is being maintained over the profile's life?

Passive Audit

For passive audit of user profiles, use the system security audit journal.

  • Run the Display Audit Journal Entries (DSPAUDJRNE) command.
  • Audit journals are identified by a Journal Code and by an Entry Type.
  • Search for journal records for Journal Code T (Audit Trail records) and Entry Type CP (Create, change, restore user profiles). Use the F4 key to select the entry type code.
  • For user profile deletes, use T-DO records for objects with object type *USRPRF.

For reporting, you can export security audit journal entries to a database:

  • Create an empty database file on your system using a system-provided shell file for the CP journal records, for example QASYCPJ4 in library QSYS.
    CRTDUPOBJ OBJ(QASYCPJ4) FROMLIB(QSYS) OBJTYPE(*FILE)
    TOLIB(QTEMP) NEWOBJ(TCPFILE)
  • This will create the file in your QTEMP library, but you can place it anywhere.
  • Use the Display Journal command (DSPJRN) with selected filters to move the data:
    DSPJRN JRN(QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T))
    ENTTYP(CP) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4)
    OUTFILE(QTEMP/TCPFILE)
  • The *CURCHAIN parameter will pull all information from all journal receivers for the security journal that are currently available.
  • The output file format of *TYPE4 will format the data correctly for the QASYCPJ4 shell file.
  • Use the reporting tool of your choice to analyze the data.

User Profiles in IBM i SQL services

The USER_INFO and USER_INFO_BASIC table functions provide most of the detail you need to extract baseline reports. Details are in the IBM documentation.

See this sample query in ACS Run SQL Scripts:

This query returns a list of users with expired passwords:

select *
from QSYS2.USER_INFO_BASIC
where DAYS_UNTIL_PASSWORD_EXPIRES = 0
order by coalesce(PREVIOUS_SIGNON, current timestamp - 100 years) asc;
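
A second baseline report in the same style, added here as an example and not taken from Kisco or IBM: enabled profiles that hold *ALLOBJ or *SECADM, with sign-on and password hygiene flags for review. It reads QSYS2.USER_INFO; the 90-day dormancy threshold and the flag labels are assumptions to adjust to your own policy.

```sql
-- Added example: enabled, privileged profiles and their hygiene flags.
-- Covers only special authorities held by the profile itself; authority
-- inherited through a group profile does not appear in SPECIAL_AUTHORITIES.
select AUTHORIZATION_NAME,
       USER_CLASS_NAME,
       SPECIAL_AUTHORITIES,
       PREVIOUS_SIGNON,
       PASSWORD_CHANGE_DATE,
       SIGN_ON_ATTEMPTS_NOT_VALID,
       -- Dormancy flag: 90 days is an assumed threshold
       case
         when PREVIOUS_SIGNON is null then 'NEVER SIGNED ON'
         when PREVIOUS_SIGNON < current timestamp - 90 days then 'DORMANT'
         else 'ACTIVE'
       end as SIGNON_STATE,
       -- Password flag: expired passwords use the same test as the query above
       case
         when NO_PASSWORD_INDICATOR = 'YES' then 'NO PASSWORD'
         when DAYS_UNTIL_PASSWORD_EXPIRES = 0 then 'EXPIRED'
         else 'SET'
       end as PASSWORD_STATE
from QSYS2.USER_INFO
where STATUS = '*ENABLED'
  and (SPECIAL_AUTHORITIES like '%*ALLOBJ%'
       or SPECIAL_AUTHORITIES like '%*SECADM%')
order by coalesce(PREVIOUS_SIGNON, current timestamp - 100 years) asc;
```

Saving the result set on a schedule and comparing it with the previous run shows which privileged profiles appeared or changed between reports.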

Our iEventMonitor product automates IBM i monitoring, which makes this type of reporting and alerting very easy.

Real-time Monitoring

For critical or sensitive user profiles you may want more immediate, real-time notification of changes. You can use exit points for this. There are four key exit points to monitor:

  • QIBM_QSY_CRT_PROFILE - Create User Profile
  • QIBM_QSY_CHG_PROFILE - Change User Profile
  • QIBM_QSY_DLT_PROFILE - Delete User Profile (2 points, one before and one after)
  • QIBM_QSY_RST_PROFILE - Restore User Profile

Our iEventMonitor software supports this capability with built-in alerts for user profile changes.

In this example, an alert has been sent for a password change:

And for an invalid password attempt:

Custom user profile exit programs

Our product, SafeNet/i, gives customers the ability to integrate their own exit point programs for several user profile exits in the IBM i OS. See the following screenshot for the exits in question.