Things to watch out for when auditing IFS objects

What do you do if you need to audit an object in the IFS? iSeries security expert Carol Woodbury shows you.

Carol Woodbury
Today, at increasing rates, critical files containing private or confidential data are being placed in a directory in the integrated file system (IFS). Whether you are in an industry that requires auditing those files, you are trying to gather information to investigate inappropriate behavior, or you are trying to debug an authority failure, you may need to audit an object in the IFS.

Turning on auditing
To turn on auditing for an object in the IFS, you have to use a different command from the one you are used to. The Change Object Auditing (CHGOBJAUD) command takes only the name of an object in a library. For an IFS object, you need to use the Change Auditing (CHGAUD) command. It offers the same options as CHGOBJAUD, except that you specify a pathname rather than the object, library and object type parameters. (See Figure 1)

Figure 1: Use the Change Auditing command to turn on auditing for all object accesses of the SKYASSESS.RTF file in the /SKYVIEW directory.

Viewing the audit entries
Viewing the audit entries of an object in the IFS is not as simple as viewing those of a library object. The Display Audit Journal Entry (DSPAUDJRNE) command has not been updated to accommodate objects named with a pathname. Rather than the object name, you see '*N' when you use DSPAUDJRNE. (See Figure 2) When you see this, you have no choice but to use the Display Journal (DSPJRN) command.

Figure 2: *N in the Object name field indicates that the object is named using a pathname.

With enough practice, it is possible to read the cryptic, "raw" output from the DSPJRN command, but it is far easier to dump the audit journal entries into an outfile and look for the pathname in the pathname field, which is a 5002-byte field at the very end of the audit journal entry. (See Figure 3) For a complete listing of the layouts for each audit journal entry outfile, see Appendix F in the iSeries Security Reference manual.

Figure 3: Authority failure entries for user FRED to the '/home' and '/SKYVIEW' directories.
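The two steps above as a CL command sequence. This is an added example, not the author's own commands or the content of the original figures. The outfile name QTEMP/AUDAF, the *TYPE5 format with its QASYAFJ5 model file, and the use of RUNQRY to browse the result are assumptions made for illustration.

```cl
/* Object auditing only produces entries when the QAUDCTL system      */
/* value includes *OBJAUD, so check that first.                       */
DSPSYSVAL SYSVAL(QAUDCTL)

/* Audit every access to the file from Figure 1. CHGAUD takes a       */
/* pathname where CHGOBJAUD takes object, library and object type.    */
CHGAUD OBJ('/SKYVIEW/SKYASSESS.RTF') OBJAUD(*ALL)

/* Copy the IBM-supplied model outfile for authority failure (AF)     */
/* entries so the outfile has named fields, including the pathname    */
/* field at the end of the record. Assumption: *TYPE5 format; on      */
/* releases without it, use QASYAFJ4 together with *TYPE4.            */
CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP) NEWOBJ(AUDAF)

/* Dump the AF entries from the audit journal into the outfile.       */
/* AF entries are written when QAUDLVL includes *AUTFAIL. The reads   */
/* and changes recorded by OBJAUD(*ALL) are entry types ZR and ZC;    */
/* dump those the same way using their own model outfiles.            */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(AF) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDAF)

/* Browse the outfile and window right to the pathname field to find  */
/* the entries for '/SKYVIEW'.                                        */
RUNQRY QRY(*NONE) QRYFILE((QTEMP/AUDAF))
```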

About the author: Carol Woodbury is president and co-founder of SkyView Partners LLC, a firm that specializes in security consulting, services and assessment software. Carol is the former Chief Security Architect for AS/400 for IBM in Rochester, Minn., and has specialized in security architecture, design and consulting for over 14 years. Carol speaks around the world on a variety of security topics and is co-author of the book, Experts' Guide to OS/400 and i5/OS Security available from

