Detecting system changes made by outside IP address

Detecting system changes made by outside IP address

How can I get the User and IP of someone who is making changes to a file in the AS400 with an external program? For example, using the iSeries Navigator to make an SQL change to a table? I want to know how to obtain the user that logged in and their IP. I have a trigger to the table and I want to save a log for all those changes.

    Requires Free Membership to View

    Login

    Register today to access targeted resources from our editorial writers and independent industry experts including news, tips, and advice to help you do your job more efficiently and effectively. Stay informed on the hottest topics and biggest challenges faced by IT professionals working with iSeries products and services.

    By submitting your registration information to Search400.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of Search400.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Your trigger program doesn't have access to the location information for an external SQL request. However, you could use an Exit Point Program to intercept a transaction as it is connecting to your system and extract the source IP address information. For example: We have an Exit Point Program that interrogates all SQL initialization requests…

When a user attempts to access our server via SQL, this program extracts the information and deposits an entry like this into the system audit journal: 

Object . . . . . . . :                   Library  . . . . . . :         

Member . . . . . . . :                                                  

Incomplete data  . . :   No              Minimized entry data :   *NONE 

Sequence . . . . . . :   4547878677                                     

Code . . . . . . . . :   U  - User generated entry                      

Type . . . . . . . . :   NA -                                           

            Entry specific data                                         

Column      *...+....1....+....2....+....3....+....4....+....5          

00001      'OB172.017.000.242TOCISIN   *SQL      INIT      DBS'         

00051      'ERVER  LNS081100011200014TOCISIN   *SQL'

The IP address 172.017.000.242 and the User ID TOCISIN is now available to us for reporting purposes.

Developing Exit Point Programs can be a very complicated process. In our case we purchased and installed a product that provides Exit Point Programs for all of the available Exit Points that IBM has defined for the iSeries. This package also includes reporting functionality so we can easily determine who is accessing what on our system.

You can also define rules within this application to decide who can and who cannot access the system. If you want to keep track of who is accessing your iSeries system from the network, you will want to take a look at some of these Exit Point monitoring products. A Google search of "iSeries Network Security" will list several options, including how to write your own Exit Point Programs…

This was first published in September 2008

Back to top