× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. September 2006

RE: Audit Journal Novice

Al

Take a look at GO SECTOOLS - opt 22 gives you a bit of a report on the security 
audit journal - you still need to go to Security Reference as Patrick Botz said 
to get what all the subtypes are.

Vern

-------------- Original message -------------- 
From: Al Mac <macwheel99@xxxxxxxxxxx> 


I get lots of education from the five and take on questions other people 
ask, then I dig into our system to correlate further. Couple questions of 
clarification for me: 

(a) Entries in the Audit Journal are not neccessarily a problem, rather 
they show unusual events that we probably ought to be aware of ... e.g. 
Hacker tried to get in but failed. 

(b) Tools to make it easier to evaluate the data ... we need to study the 
manuals, a lot, explore what we can get out of various commands, then after 
we get comfortable using whatever we learned, study the manuals again, a lot. 

I had originally started Security Auditing on our system because of 
conflicting stories regarding alleged BPCS Security Holes. Now, thanks to 
various new owners, managers mandates, there are more areas where we 
somewhat discomforted. Also some weird stuff intermittent, desire more 
info in context when it happens. 

Al Mac 
long time Jack of many 400 areas, Guru Master of not nearly enough 

Patrick wrote: 

Chad, 

The best way to find what auditing values are causing a particular entry is 
in the Security Reference manual in the info center. Expend Security and 
this manual can be selected. You can download the PDF or view it on line. 
On line viewing is pretty fast. 

Chapter 9 has the information you want. Just select that chapter from the 
bookmarks after you display it and scroll down. There are several tables. 
Because GR records can be cut due to several different Action and Object 
auditing settings, there is more than one of these values that may cause an 
entry (depending on the TYPE field in the GR record). Just look for "GR" 
in the second column of the table that starts on page 241 (the V5R4 version 
of the manual) and spans several pages. You'll find GR several times. 

I don't remember what I saw on the detailed entry that was posted to the 
forum, but I suspect that the entry was cut because someone tried to add, 
remove, or change the exit point program associated with the FTP exit point 
named in the GR record. This could be caused by at least one of the 
security related action auditing values or by turning object auditing on 
for the 
"QUSRSYS/QUSEXRGOBJ *EXITRG object " The info in the table should give you 
an idea of what to look for. 

Correction----- 
Upon further review, the "aside" in my previous post has been overturned! 
After investigating more details on Chad's question, I realized that the GR 
entries are NOT the ones we created for handling the development process 
problems (blush). Entries starting with "X" were created for this reason. 
So you were all witnesses to the second mistake I have ever made. It looks 
like it may be snowballing on me :-) 

Patrick Botz 
Senior Technical Staff Member 
IBM Lab Services, Rochester 
Security Architecture & Consulting, i5/OS Security Architect 
(507) 253-0917, T/L 553-0917 
CTC Fax # 507-253-2070 
email: botz@xxxxxxxxxx 

For more information on CTC, visit our website at 
http://www.ibm.com/eserver/services 
http://www.ibm.com/servers/eserver/services 



-- 
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list 
To post a message email: MIDRANGE-L@xxxxxxxxxxxx 
To subscribe, unsubscribe, or change list options, 
visit: http://lists.midrange.com/mailman/listinfo/midrange-l 
or email: MIDRANGE-L-request@xxxxxxxxxxxx 
Before posting, please take a moment to review the archives 
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.