Greetings!

Here is your iSeries security tip for October, 2006 from SkyView Partners, Inc., World Class i5/OS and OS/400 Security Experts.
I have been asked the same question – How do I get information out of the i5/OS audit journal? – twice within the last week! So I thought that some of you may be wondering the same thing. The answer? There are two methods you can use.

#1 - Run the DSPAUDJRNE command. The default is to look for the AF - or authority failure - entries. The result is only a subset of the information from the AF audit journal entries. However, there is often enough information to determine what has caused a particular entry to be generated.
#2 - If you want more of the information that's in the audit journal entry, or if you see *N as the object name (indicating that the object is in the IFS), then you must dump the audit journal entries to an outfile and query the results. To do that, first create a duplicate of the model outfile for the audit journal entry type:

CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)

where xx is the audit journal entry type you're looking for - in the case of an authority failure, it would be "AF".
Then display the audit journal to that outfile:

DSPJRN JRN(QAUDJRN) FROMTIME('09/25/06') JRNCDE((T)) ENTTYP(xx) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)
Now you can either display the file or query the results (my preferred method) and see all fields in the audit journal entry. V5R4 provides a command, CPYAUDJRNE, which combines the create duplicate object and display journal steps into one command. The audit journal model outfiles are described in Appendix F of the iSeries Security Reference manual, available from the IBM Information Center.
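The two-step procedure above, put together as one CL program so the xx substitution is done for you. This is an added example written for this tip; it is not IBM's or SkyView's code, and the program name DMPAUDJ is made up. It takes the entry type and the from-date as parameters (so it works for any entry type that has a QASYxxJ5 model outfile, not only AF), removes any copy of the outfile left in QTEMP by an earlier run, and finishes by showing the outfile with Query. The from-date must be in your job's date format, as in the '09/25/06' used above.

```cl
/* DMPAUDJ: dump one audit-journal entry type to a QTEMP outfile and    */
/* display it. Added example constructed for this tip; not IBM or       */
/* SkyView code. The program name DMPAUDJ is made up.                   */
/* Parameters:                                                          */
/*   &ENTTYP   - two-character audit entry type, e.g. AF for authority  */
/*               failure; this is the xx of the QASYxxJ5 model outfile  */
/*   &FROMDATE - earliest date to include, in the job's date format,    */
/*               e.g. '09/25/06'                                        */
             PGM        PARM(&ENTTYP &FROMDATE)

             DCL        VAR(&ENTTYP)   TYPE(*CHAR) LEN(2)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(8)
             DCL        VAR(&OUTFILE)  TYPE(*CHAR) LEN(10)

/* Build the model outfile name QASYxxJ5 from the entry type.           */
             CHGVAR     VAR(&OUTFILE) VALUE('QASY' *CAT &ENTTYP *CAT 'J5')

/* Remove a copy left in QTEMP by an earlier run in this job so that    */
/* CRTDUPOBJ does not fail; CPF2105 (object not found) means there     */
/* was none, which is fine.                                             */
             DLTF       FILE(QTEMP/&OUTFILE)
             MONMSG     MSGID(CPF2105)

/* Step 1: duplicate the model outfile from QSYS into QTEMP.            */
             CRTDUPOBJ  OBJ(&OUTFILE) FROMLIB(QSYS) OBJTYPE(*FILE) +
                          TOLIB(QTEMP)

/* Step 2: dump the matching QAUDJRN entries (journal code T) into it   */
/* in the *TYPE5 format, which carries every field of the entry.        */
             DSPJRN     JRN(QAUDJRN) FROMTIME(&FROMDATE) JRNCDE((T)) +
                          ENTTYP(&ENTTYP) OUTPUT(*OUTFILE) +
                          OUTFILFMT(*TYPE5) OUTFILE(QTEMP/&OUTFILE)

/* Step 3: show the outfile with Query. Replace this with your own      */
/* query over QTEMP/&OUTFILE to filter or sort the entries.            */
             RUNQRY     QRY(*NONE) QRYFILE((QTEMP/&OUTFILE))

             ENDPGM
```

Compile it with CRTCLPGM (for example into QTEMP) and run it with CALL PGM(DMPAUDJ) PARM('AF' '09/25/06') to reproduce the authority-failure case from the tip; pass a different entry type to dump another kind of entry. Because the outfile lives in QTEMP it disappears with the job, so nothing is left behind for other users to read.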
Want to know that your system EXACTLY matches your security policy requirements?

Policy Minder Tip - Discover “new” items.

Starting your Christmas list? You might want to add a 30-day free trial of the newest version of SkyView Policy Minder to your list!
Policy Minder version 1.2 offers some significant time-saving enhancements including:

- Create templates to discover “new” items.
Using one of the new features of Policy Minder 1.2, many administrators are creating templates to discover “new” items on their systems. For example, to discover when a new library has been created on the system, they create a library template, include all libraries and set the “Allow new libraries” attribute to *NO. Any new library created after taking an initial baseline check will be identified. Now you can discover the libraries created by installing vendor software, programmers creating duplicate libraries to test with, etc.

Administrators are using the “Allow new xxx” template attribute to manage many aspects of their system. Here are a few more examples:
- Creating a template for the objects in QGPL to discover what programmers are placing in the library.
- Creating a template for all user profiles having *ALLOBJ special authority to discover any new powerful profiles that get created, or existing profiles that get changed to have *ALLOBJ.
- Creating a template for the root (‘/’) directory to discover newly created directories.
- Identifying new items and cross-referencing these with their HA system to ensure their HA replication process is working as they expect.
- When migrating to a new system, creating user profile and object templates to identify new objects being created on the existing system so that they can also be created on the new system until the cut-over occurs.
Want to know more about SkyView Policy Minder? Join a free Webinar.

Are you overwhelmed with the details of managing your security policy compliance requirements? Let SkyView Policy Minder automate that process. IBM thought enough of SkyView products to certify them as “Server Proven” and as “i5/OS ready”.
Sincerely,

Carol Woodbury
SkyView Partners, Inc.