Analyzing security-related events
Here’s how to cut through the clutter in QAUDJRN and learn more
You hear the same complaints again and again: The security audit journal, QAUDJRN, contains too many entries. It’s too hard to make sense of all the details. Do you really care that you have 1592 program adopt entries one day, and only 450 the next? Do you need to copy the journal receiver to a database file every day? What exactly do all the different entry types mean?
The System i operating system provides commands that allow you to see the contents of the audit journal. The Display Audit Journal Entry (DSPAUDJRNE) command copies the entries to a display or report. However, the command has not been updated for a few years and it misses some of the newer entry types and formats. The Display Journal (DSPJRN) command can dump any journal receiver to an output file (database file). In both cases, the end result is an unformatted file that you can massage using your favorite query tool, such as SEQUEL.
The problem with both of these approaches is that they draw on QAUDJRN alone; they do not pull in the other sources on the system that track jobs or users and their associated entries, so you never get a complete audit trail.
To fully investigate a security event, you may need to look for information in QSYSOPR and QHST. In addition, the exit point history for critical servers such as FTP, ODBC, and JDBC can provide valuable information. With all of these sources, you can more accurately piece together the trail for a job or user on the system.
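As an added example of the DSPJRN-to-outfile approach described above (not code from this article or from Robot/SECURITY), the CL program below dumps one day of PW and AF entries from QAUDJRN and summarizes them by entry type and job user with SQL. It assumes a work library named AUDWRK exists, that the date is passed in the job's date format, and that the RUNSQL command is available on your release.

```cl
/* Added example, not code from the article or from Robot/SECURITY.         */
/* Dumps one day of PW (password failure) and AF (authority failure)        */
/* entries from QAUDJRN to an outfile, then counts them by entry type       */
/* and job user. Assumes library AUDWRK exists and &DATE is in job date     */
/* format (for example 091507 under DATFMT(*MDY)).                          */
PGM        PARM(&DATE)
  DCL        VAR(&DATE) TYPE(*CHAR) LEN(6)

  /* Security audit entries all carry journal code T. Pull only the two    */
  /* entry types of interest for the requested day. Format *TYPE5 uses     */
  /* the model file QSYS/QJORDJE5 (fields such as JOENTT, JOUSER, JOESD).  */
  DSPJRN     JRN(QSYS/QAUDJRN) +
             FROMTIME(&DATE 000000) TOTIME(&DATE 235959) +
             JRNCDE((T)) ENTTYP(PW AF) +
             OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) +
             OUTFILE(AUDWRK/AUDDAY) ENTDTALEN(*CALC)
  MONMSG     MSGID(CPF0000) EXEC(RETURN)

  /* Summarize the raw entries: one row per entry type and job user, so   */
  /* a spike in PW or AF entries can be traced to the user behind it.      */
  RUNSQL     SQL('CREATE TABLE AUDWRK/AUDSUM AS ( +
                  SELECT JOENTT, JOUSER, COUNT(*) AS ENTRIES +
                  FROM AUDWRK/AUDDAY +
                  GROUP BY JOENTT, JOUSER ) WITH DATA') +
             COMMIT(*NONE) NAMING(*SYS)
ENDPGM
```

AUDSUM gives the per-user counts; the full AUDDAY outfile keeps the entry-specific data (JOESD) for the follow-up questions an auditor will ask.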
Robot/SECURITY uncovers the transactions
Robot/SECURITY can take the security-related events for a date range, job, or user from multiple sources on the system and build exactly the output you desire. You can select from a list of potential system sources, such as QAUDJRN, QHST, and QSYSOPR (see Figure 1).

In addition, the Robot/SECURITY database contains usage data for common communication server exit points. It also maintains detailed log entries for user actions during profile exchange operations. You select the sources of information to include and your auditor gets a clear picture of what was accessed on the system.
From security sources to the detail
When you click Run, Robot/SECURITY interrogates your system to obtain the detailed entries. After all sources are checked, it displays the information in a graphical display directly on your PC. The entries are summarized by source type, including a counter of the number of entries from each source (see Figure 2).
QAUDJRN is broken down by entry type for each audited area, such as PW (Password Failure) or AF (Authority Failure). Robot/SECURITY’s Forensics Analysis Utility offers a data filter that lets you limit the data shown to the entries that meet your criteria. For example, you can display only the entries related to a specific file or library.
Five-in-one convenience
Robot/SECURITY is really five security products in one package—forensics is just one part of the product. Give it a trial to see the other components: exit point monitoring, QAUDJRN monitoring, security auditing, and profile exchange.
Contributed by Tom Huntington, Vice President of Technical Services