Every System i shop has a few super users that security officers need to be concerned about. For one reason or another, a few user profiles just have to have full access to your system. This tip will show you one way to check up on what these users are doing by using the system security journal.
For specific user profiles, you can set up additional security auditing over and above what your system is configured to capture. To make sure that your super users are not overstepping their bounds, you can set up the security journal to capture additional security events for these specific profiles.
To get started, you need to have the security journal active on your system. If it is not active, you can just run the change security auditing (CHGSECAUD) command. Running the command with the defaults shipped with the operating system will set up the security journal (QAUDJRN). By setting the default values to *NONE, you will limit what the security journal captures so you can experiment with tracking an individual users profile activity. Of course, if you already have the security journal active and running on your system, you can skip this step and continue on with setting up the individual profile controls.
With the security audit active, you are now able to set up specific event controls at the user profile level. This is done using the change user auditing (CHGUSRAUD) command. Type this command in and use the F4 key to prompt for the parameters. For this tip, we'll concentrate on the AUDLVL parameter and what things you can track at the user profile level. These include the following:
- *CMD - records command strings used by the profile in the journal for your review. With this setting, you can see what specific OS commands the super user is using and make sure that command line abuse is not happening.
- *CREATE - tracks all new objects created by the super user
- *DELETE - tracks object deletion by a super user. Because this is a concern for super users, you can track it easily using this method.
- *OBJMGT - tracks object renames and moves
- *SAVRST - tracks save and restore operations by the super user
- *SERVICE - tracks the super user's use of system service tools
- *SPLFDTA - tracks actions taken on spool files
- *SYSMGT - tracks system management functions
I see by reviewing information for i/OS 6.1 that there are a number of new functions also available that you might want to explore if you are running on that OS level. The AUDLVL parameter accepts many more options that I've listed here. For your installation, you may find some of the other values of particular interest.
A nice side benefit of logging super user activity to the security journal is that it is a good proof for your auditors that super user profiles are being used responsibly. Every auditor who knows what they are doing is concerned about what super users are up to. This method goes a long way to satisfy their requirements.
If you have any questions about anything included in this tip, or you would like the sample, you can reach me at firstname.lastname@example.org. All email messages will be answered as quickly as possible.
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.