
How to check for invalid log-on attempts

You don't want unauthorized people accessing your iSeries, so it's a good idea to monitor invalid log-on attempts. By doing so you can see who simply mistyped and who had no business trying to log in.

If you have turned on auditing and have at least *SECURITY specified in the QAUDLVL system value, you can check the security audit journal for all log-in attempts.

The entries you want to look at are the "PW" entries. To make it easier to "harvest" this information from the audit journal, IBM ships a model outfile for each audit entry type. The files are in QSYS and have a naming convention of:

QASYxxJn

In that naming convention, xx is the entry type, in this case PW, and n is the journal type. (The higher the number, the more information in the entry.) If you're running V5R2, you can use type five; otherwise, I recommend type four. Appendix F of the iSeries Security Reference manual contains the layout of each of the auditing model outfiles. The manual is available in PDF form on the IBM Information Center.

In this case, you'll want to create a duplicate object of the QSYS/QASYPWJ5 model outfile and then specify the duplicate on the OUTFILE parameter of the DSPJRN command as follows:

• CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)

• DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '17:30:00') JRNCDE((T)) ENTTYP(PW) +
  OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYPWJ5)

You can then look at the contents of the entire file or query to find the exact information you're looking for.
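One way to query the outfile, as an added example that is not part of the original article: it summarizes the PW entries by the user name that was entered and the violation type, so a single mistyped password stands apart from repeated failures or attempts with user names that do not exist. The column names (PWTSTP, PWTYPE, PWUSRN, PWDEVN) and the meanings of the P and U violation types are assumptions taken from the type 5 PW layout; confirm them against Appendix F for your release.

```sql
-- Added example: summarize invalid log-on attempts captured in QTEMP/QASYPWJ5.
-- Assumed columns (verify in Appendix F of the Security Reference):
--   PWTSTP = timestamp of the entry
--   PWTYPE = violation type ('P' = password not valid, 'U' = user name not valid)
--   PWUSRN = user name that was entered
--   PWDEVN = device the attempt came from
-- System naming (QTEMP/...) is used here; with SQL naming write QTEMP.QASYPWJ5.
SELECT PWUSRN,
       PWTYPE,
       CASE PWTYPE
            WHEN 'P' THEN 'Password not valid'
            WHEN 'U' THEN 'User name not valid'
            ELSE 'Other (see Appendix F)'
       END                    AS VIOLATION,
       COUNT(*)               AS ATTEMPTS,
       COUNT(DISTINCT PWDEVN) AS DEVICES,
       MIN(PWTSTP)            AS FIRST_SEEN,
       MAX(PWTSTP)            AS LAST_SEEN
  FROM QTEMP/QASYPWJ5
 GROUP BY PWUSRN, PWTYPE
 ORDER BY ATTEMPTS DESC, PWUSRN
```

A high ATTEMPTS count, many distinct devices, or 'U' rows for names that are not real profiles are the rows to follow up on; one or two 'P' rows for a known user during working hours usually indicate a typing mistake.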

---------------------------
About the author: Carol Woodbury is president and co-founder of SkyView Partners Inc., a firm specializing in security consulting, remediation services and assessment software.