What are the various ways to audit powerful user profiles? (NETIQKB70319)

  • 7770319
  • 21-May-2007
  • 24-May-2007

Resolution

Goal: What are the various ways to audit powerful user profiles?

Goal: How can I audit users with *ALLOBJ special authority?

Goal: How can I start auditing and reporting user activity with the product?

Fact: NetIQ Security Solutions for iSeries 8.0

Fact: PSAudit

Fact: System Auditing and Reporting (SAR)

Fix: NetIQ Security Solutions for iSeries provides several tools and interfaces to system tools that enable you to audit and report user profile activity.

PSAudit/SAR (System Auditing and Reporting)

User Auditing

You can use the CHGUSRAUD command on the users you want to monitor. The product interface to this command is PSMENU, options 1, 1, 7, and 11 (Work With User Auditing).

To report command usage by user, use PSMENU, options 1, 1, 5, 3, and 1 (Command Usage by User).

To identify the users currently being audited, use PSMENU, options 1, 1, 8, 20, and 8 (Profile Object Auditing Values). Look at the Object Auditing and Action Auditing columns. Users with a high level of authority should be audited.

To end user auditing, use PSMENU, options 1, 1, 7, and 11 and specify *NONE for "Object auditing value" (OBJAUD) and *NONE for "User action auditing" (AUDLVL).

System value QAUDCTL must specify *OBJAUD and *AUDLVL to enable the aforementioned suggestions. System value QAUDLVL does not need to specify *AUTFAIL, *DELETE, *PGMFAIL, *SAVRST, and *SECURITY if those auditing values are specified for AUDLVL on the CHGUSRAUD command.
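The native commands behind the user-auditing steps above, as an added example (not taken from the NetIQ documentation). The profile name SECADM1 and the outfile QTEMP/USRLIST are hypothetical; the AUDLVL list combines *CMD, which command-usage reporting relies on, with the values this article names.

```cl
/* Added example: native CL for the user-auditing steps above.        */
/* SECADM1 and QTEMP/USRLIST are hypothetical names.                  */
/* Changing auditing values requires *AUDIT special authority.        */

/* 1. Check the current audit control value before changing it.       */
DSPSYSVAL SYSVAL(QAUDCTL)

/* 2. Enable object auditing and action auditing. VALUE replaces the  */
/*    whole list, so repeat any value step 1 showed that you still    */
/*    want to keep.                                                   */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*OBJAUD *AUDLVL')

/* 3. Dump basic profile data to an outfile, then query it for        */
/*    profiles whose special authorities include *ALLOBJ.             */
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
          OUTFILE(QTEMP/USRLIST)

/* 4. Audit one powerful profile. OBJAUD on the profile only applies  */
/*    to objects whose own auditing value is *USRPRF. Because these   */
/*    AUDLVL values are set on the profile, QAUDLVL does not have to  */
/*    carry them system-wide.                                         */
CHGUSRAUD USRPRF(SECADM1) OBJAUD(*ALL) +
          AUDLVL(*CMD *AUTFAIL *DELETE *PGMFAIL *SAVRST *SECURITY)

/* 5. Confirm the profile's auditing values.                          */
DSPUSRPRF USRPRF(SECADM1) TYPE(*BASIC)

/* 6. End user auditing for the profile.                              */
CHGUSRAUD USRPRF(SECADM1) OBJAUD(*NONE) AUDLVL(*NONE)
```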

Object Auditing

You can monitor command and object usage by auditing specific commands and objects, such as database file access (read and change). The product interface to this is PSMENU, options 1, 1, 7, and 10 (Work With Object Auditing). The Object Name and Object Type fields accept the value *ALL.

To report on command usage, use PSMENU, options 1, 1, 5, 3, and 1 (Command Usage by User) and 2 (Command Usage by Command).

To report on file access, use PSMENU, options 1, 1, 5, 3, and 7 (Objects Accessed (Changed)) and 8 (Objects Accessed (Read)).

Object auditing will occur for all users, but you can report on specific users using a report filter.

To identify objects being audited, use PSMENU, options 1, 1, 5, 3, and 6 (Objects being Audited). Look for the Audit Value column.

To end auditing of a single object, use PSMENU, options 1, 1, 7, and 10, then select the desired object from the list using option 4 (Remove Object Auditing).

SQL and Query Monitor

PSAudit/SAR also has a monitor for native SQL and Query usage which will capture and report on database file access using SQL and Query tools.

To select the commands to monitor, use PSMENU, options 1, 1, 7, and 28 (Work With SQL/QRY Auditing). Press F7 (=Load) to allow the product to find the locations of all supported SQL and Query commands. When the load completes, use option 2 (=Start Audit) and 8 (=Start Alert) on the desired commands.

To manage the monitor, use options 26 (Start SQL/QRY Monitor) and 27 (End SQL/QRY Monitor).

To run SQL/Query monitor reports, use PSMENU, options 1, 1, 5, 3, and 9 (SQL/QRY Audit Report).

PSAudit/DAR (Data Auditing and Reporting)

To see actual database changes, use DAR to journal files and report on changes to specific fields. Use F6 (=Add) to add a file, then use option 6 (=Work with Fields) to select which fields to monitor (can be *ALL fields). If you are already journaling the files whose changes by powerful users you want to see, then specify the journal in DAR using PSMENU, options 1 and 3, then press F11 (=Sys Menu) and select option 1 (Work With Journals).

To report on database file changes, go to the DAR Work With Files screen and use option 8 (=Change Report) or F8 (=Chg Rpt).

To report on database file accesses, go to the DAR Work With Files screen and use option 9 (=Access Report) or F9 (=Acc Rpt).

Journaling will occur for all users but you can report on specific users using a report filter.

PSAudit/SAA (System Access Analysis)

PSAudit/SAA is another tool you can use to capture joblogs into a database file for specific users. You can then use SAA reporting to scan joblogs for certain character strings.

To implement SAA, refer to the PSAudit User Guide.

PSSecure/RRM (Remote Request Management)

The RRM transaction reports can also be used to monitor object and database file access from remote clients (PCs).

To configure RRM from PSAudit, use PSMENU, options 1, 1, 7, and 18 (Work with Remote Svr Exit Programs) and 17 (Remote Request Auditing (Ext Pnts)).

To run RRM Transaction Reports from PSAudit, use PSMENU, options 1, 1, 5, 4, 20, and 14 (Network Transactions by Date/Time).

To run RRM Transaction Reports from PSSecure, use PSMENU, options 2, 3, 20, 1, and 14 (Network Transactions by Date/Time).

For additional information, please refer to the RRM User Guide or call Technical Support.

PSSecure/SMS (Secure Menuing System)

The SMS auditing feature can be activated to monitor menu option access. Refer to the PSSecure User Guide for additional information.

Additional Information

Formerly known as NETIQKB70319