Kisco Systems

Kisco U

Tracking remote users on IBM i


IBM i system audit journals are sufficient to track user activity through terminal sessions, but with the proliferation of TCP/IP server functions in the OS, users can access your system through FTP or IBM i Access with little or no trace left in the journal.

In certain cases, an audit journal record for "Process user profile swap" is left (a type PS record in the journal).

After a successful logon, IBM i Access does a user profile swap to the QUSER profile, which is logged in the journal. Scanning the journal for PS records could yield some information about which user profiles are establishing network connections using this method.

The System History Log also provides some indication about remote users connecting to your system using IBM i Access (and similar clients). Run the DSPLOG command to scan for the CPIAD09 message:
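As an added example (not part of the original article), the CL program below runs both checks described above: DSPLOG against the history log for CPIAD09, and DSPJRN against the audit journal for PS entries. It assumes security auditing is active so that QSYS/QAUDJRN exists, that the caller is authorized to the journal and its receivers, and that it is run interactively; the QTEMP work file is this example's choice.

```cl
/* Added example, not from the original article.                     */
/* Assumes QSYS/QAUDJRN exists and the caller may read it.           */
PGM

    /* 1. History log: print the CPIAD09 messages.                   */
    /*    With PERIOD omitted, DSPLOG covers the current day.        */
    DSPLOG     LOG(QHST) MSGID(CPIAD09) OUTPUT(*PRINT)

    /* 2. Audit journal: build a work file from IBM's model outfile  */
    /*    for PS entries (type 5 format), so the entry-specific      */
    /*    data arrives as named fields instead of one raw string.    */
    CRTDUPOBJ  OBJ(QASYPSJ5) FROMLIB(QSYS) OBJTYPE(*FILE) +
                 TOLIB(QTEMP)

    /*    Copy every PS (profile swap) entry in the current          */
    /*    receiver chain into that work file.                        */
    DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
                 ENTTYP(PS) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
                 OUTFILE(QTEMP/QASYPSJ5)
    /*    CPF7062 = no entries found: nothing to review, so stop.    */
    MONMSG     MSGID(CPF7062) EXEC(RETURN)

    /* 3. Browse the captured entries: timestamp, job, user and the  */
    /*    PS-specific fields are shown as columns.                   */
    RUNQRY     QRY(*NONE) QRYFILE((QTEMP/QASYPSJ5))

ENDPGM
```

The spooled DSPLOG output and the PS entries can then be compared by job name and time to see which connections appear in one source but not the other.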


These methods do not give you the complete picture of remote access that you need. The "exit point" is IBM's solution. For each of these servers (such as FTP, Telnet, SQL, TCP Signon and many more), the OS lets you create your own program to monitor and control connection requests.

Keep in mind...

Exit points are passive. The OS is shipped with no exit program in place, and the fact that exit points even exist is still not widely known. In the meantime, all sorts of nefarious system connection activity can be going on and you, as security officer, would never know it.

Coding and maintaining your own exit point solution can be a daunting task. Over the life of these exit points, some of the exit point data streams have changed significantly. To IBM's credit, they have left the old data stream in place and created a new exit point for the enhanced version, but you have to re-code your application to take advantage of the improvements when they are made.

We recommend our exit point software firewall, SafeNet/i, for all your remote monitoring needs.