You don't want unauthorized people accessing your iSeries, so it's a good idea to monitor invalid log-on attempts. By doing so you can see who simply mistyped and who had no business trying to log in.
If you have turned on auditing and have at least *SECURITY specified in the QAUDLVL system value, you can check the security audit journal for all log-in attempts.
The entries you want to look at are the "PW" entries. To make it easier to "harvest" this information from the audit journal, IBM ships a model outfile for each audit entry type. The files are in QSYS and have a naming convention of: QASYxxJn
In that naming convention, xx is the entry type, in this case PW, and n is the journal type. (The higher the number, the more information in the entry.) If you're running V5R2, you can use type five; otherwise, I recommend type four. Appendix F of the iSeries Security Reference manual contains the layout of each of the auditing model outfiles. The manual is available in PDF form on the IBM Information Center.
In this case, you'll want to create a duplicate object of the QSYS/QASYPWJ5 model outfile and then specify the duplicate on the OUTFILE parameter of the DSPJRN command as follows:
• CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
• DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '17:30:00') JRNCDE((T)) ENTTYP(PW) +
  OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYPWJ5)
You can then look at the contents of the entire file or query to find the exact information you're looking for.
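One way to query the outfile so that mistyped passwords stand apart from attempts that deserve a closer look (an added example, not part of the original article). The column names, the PWTYPE codes and the threshold of 5 are assumptions; confirm the names and codes against the Appendix F layout for your release.

```sql
-- Added example: triage the PW entries that DSPJRN wrote to QTEMP/QASYPWJ5.
-- Assumed columns (verify in Appendix F of the Security Reference):
--   PWTSTP  timestamp of the journal entry
--   PWTYPE  violation type; assumed 'P' = password not valid,
--                                   'U' = user name not valid
--   PWUSRN  user name that was entered
--   PWDEVN  device the attempt came from
--   PWRADR  remote network address, when one was recorded
-- The threshold of 5 is an arbitrary starting point; tune it to your site.
SELECT PWUSRN       AS user_tried,
       PWDEVN       AS device,
       PWRADR       AS remote_address,
       PWTYPE       AS violation_type,
       COUNT(*)     AS attempts,
       MIN(PWTSTP)  AS first_seen,
       MAX(PWTSTP)  AS last_seen,
       CASE
         WHEN PWTYPE = 'U'  THEN 'user name does not exist'
         WHEN COUNT(*) >= 5 THEN 'repeated failures'
         ELSE 'probably mistyped'
       END          AS triage
FROM   QTEMP.QASYPWJ5
GROUP  BY PWUSRN, PWDEVN, PWRADR, PWTYPE
ORDER  BY attempts DESC, last_seen DESC;
```

QTEMP is private to each job, so run the query in the same job that ran DSPJRN, or direct the outfile to a permanent library instead. With system naming (*SYS), write the table as QTEMP/QASYPWJ5.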
About the author: Carol Woodbury is president and co-founder of SkyView Partners Inc., a firm specializing in security consulting, remediation services and assessment software.