Checking up on a specific user
For some reason, my career in Information Technology frequently includes responsibility for the company telephone system. Oftentimes, I end up with a department head closeting himself in my office to obtain a report of telephone activity for an employee that he suspectes of some malfeasance. Most of the time when this comes up, I have the luxury of having the data already collected in a call-accounting software package and can just run a report and send the department head on his way.
In this day of heightened security consciousness, I can fully expect to see this scenario played out with data access as the expressed concern of this same department head. Unfortunately, software for full implementation of security reporting can be very pricey. But, if you just want to check up on someone, OS/400 has very good auditing capabilities that you can use down to the individual user level. And, you can do this without a major headache. You can target a specific user and leave the others out of it.
Setting up security journaling
OS/400 lets you track a lot of different system security events and you can explore all of these in the OS/400 Security Manual. For our purposes, however, all we're looking at it how to set up security auditing for an individual user.
If you have already used audit journaling, you can skip to the next heading in this tip.
To start security audit journaling, you can use the OS/400 CHGSECAUD. For our purposes, you can use the following command:
CHGSECAUD QAUDCTL(*OBJAUD *NOQTEMP *AUDLVL)
If your audit journal does not exist, this command will set up the journal receiver and create the system audit journal. Two system values will also be updated.
Journaling your user
Now you can start tracking your suspicious user. First, you'll want to start auditing for the specific user. You can do this with the following command:
CHGUSRAUD USRPRF(USERNAME) OBJAUD(*ALL)
You should key in this command and prompt it to see if there are additional events that you want to track in the AUDLVL parameter. You should probably include *CREATE and *DELETE options at a minimum.
The final step in your setup is to specify user audit tracking for the set of objects that you want to track for this user. You can do this with the CHGOBJAUD command. For user profile audit journaling to work, the objects must be set to OBJAUD(*USRPRF). This will let you track the user for the objects specified. There is also a corresponding command to set up tracking for Document Library Objects, if you are also interested in IFS activity for the user. That command is CHGDLOAUD.
Viewing the audit information
Once you have the audit journal active, you can view the tracking information on-line using the following command:
DSPJRN JRN(QAUDJRN)
If you have an active audit journal with a lot of activity for many users, you can limit the information displayed by using the USRPRF parameter.
As with all security matters within OS/400, this is tip just scratches the surface. You can see more information in the OS/400 Security manual.
Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, NY. The company is a provider of various security products for the iSeries 400 market.
Got a iSeries 400 security tip of your own? You can become famous immediately by sending your tip in. We'll post it on our Web site, and we'll enter you in our tips contest for some great prizes.
