Ben,

It appears from your note that you understand the basic relationship between object and user auditing attributes. The cardinal rule is that the auditing value of objects always trumps the auditing value of user profiles.

When working with clients, I always recommend setting the auditing value for all objects to *USRPRF, except those that are deemed the most sensitive or critical. For those, I recommend *ALL. That way, they can report on everything that happens to their important objects, and they still have the ability to audit all activity for a specific user by virtue of the *USRPRF object setting, without killing their system with too many audit journal entries.

You need to have *CREATE set in QAUDLVL in order to audit object creation events (which will include object replace events), and this is a system-wide control. I don't think you can limit create events to only a specific user or library via the audit settings. If you really needed to narrow it down to just specific users for create events, I'm thinking you could remove *CREATE from QAUDLVL (and the user AUDLVL), change all of the commands that create objects to *ALL, and then report on the usage of those create commands. Someone else please correct me if I'm wrong.

Frankly, knowing that Bob Evans is likely a publicly traded company that is subject to audit/security regulations such as Sarbanes-Oxley, I am surprised that you have limited QAUDLVL so much and also have QCRTOBJAUD set to *NONE. Most best practice guidelines for OS/400 security recommend these six for QAUDLVL: *AUTFAIL, *CREATE, *DELETE, *SAVRST, *SECURITY, and *SERVICE, with *USRPRF in place for QCRTOBJAUD. Unless, of course, you are working on a system that does not process any of the company's critical financial data.

Best regards,
Steven W. Martinson, CISSP, CISM
iSeries Security Consultant
NetIQ Corporation
Mobile: 281.546.9836

********************

message: 4
date: Fri, 7 Jan 2005 16:59:31 -0500
from: Ben_Pforsich@xxxxxxxxxxxx
subject: Auditing object changes for only certain users and libraries

I want to enable auditing for only object creations, objects changed (moved, renamed, etc.), and object deletions in only specific libraries, done by only specific users. Here's what I did so far:

I've used the CHGSECAUD command to create the QAUDJRN journal initially. I have *AUDLVL, *OBJAUD and *NOQTEMP set for QAUDCTL and *NONE for QAUDLVL. I have set my user profile with an object auditing value of *CHANGE and object action values of *CREATE, *DELETE and *OBJMGT. I have set the specific library's default create object auditing value to *USRPRF. The default create object auditing value in QCRTOBJAUD is *NONE, and all the other libraries have this set to *SYSVAL. New objects that are created are correctly being assigned *USRPRF in their object auditing value.

I've gotten very close to getting this to work, but it's not recording the object creations: no CO entry in the journal can be found. I have discovered that by adding *AUDLVL on the QAUDCTL system value and adding *CREATE, *DELETE and *OBJMGT on the user profile's action auditing values, this will enable the CO entry to be created. However, this will also track changes that I made to objects in ANY library; it effectively ignores the object auditing value on the objects themselves. So then if I reset the user profile's action auditing values back to *NONE and leave *CHANGE on the object auditing value, I will only get changes made to objects that had *USRPRF set as their auditing value, but I will not get the CO entry when I use commands like CRTBNDRPG or CRTDUPOBJ. Yes, I am signing out and back in after I update my profile using CHGUSRAUD.

The IBM manuals have not been much help, but I can't see how this will work the way I want it to. Is there something I'm missing?

Thanks,
Ben Pforsich
Programmer Analyst
Bob Evans Farms, Inc.
I/S Department
Columbus, Ohio
Ben_Pforsich@xxxxxxxxxxxx
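Steven's recommended baseline applied to Ben's setup, as an added CL example that is not part of either post. The library PAYLIB, the file PAYMAST, the user BENP and the outfile QGPL/AUDCO are assumed placeholder names.

```cl
/* Added example, not from either poster: Steven's recommended       */
/* baseline applied to Ben's situation. PAYLIB, PAYMAST, BENP and   */
/* QGPL/AUDCO are assumed placeholder names.                        */

/* Turn on both action auditing (*AUDLVL) and object auditing       */
/* (*OBJAUD), skipping QTEMP, as Ben already has.                   */
CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* The six system-wide action categories Steven recommends.         */
/* *CREATE is system-wide, so it cannot be narrowed to one library  */
/* or user; with QAUDLVL at *NONE no CO entries are ever written.   */
CHGSYSVAL  SYSVAL(QAUDLVL) +
           VALUE('*AUTFAIL *CREATE *DELETE *SAVRST *SECURITY *SERVICE')

/* New objects inherit *USRPRF (unless a library's CRTOBJAUD says    */
/* otherwise), so per-user object auditing reaches them.            */
CHGSYSVAL  SYSVAL(QCRTOBJAUD) VALUE('*USRPRF')

/* Existing objects in the library of interest: *USRPRF by default. */
CHGOBJAUD  OBJ(PAYLIB/*ALL) OBJTYPE(*ALL) OBJAUD(*USRPRF)

/* The most sensitive objects get *ALL regardless of who touches    */
/* them: the object's auditing value trumps the user profile's.     */
CHGOBJAUD  OBJ(PAYLIB/PAYMAST) OBJTYPE(*FILE) OBJAUD(*ALL)

/* The user to watch: changes to objects marked *USRPRF, plus the   */
/* create/delete/move-rename action categories for that user.       */
/* Takes effect at the user's next sign-on.                         */
CHGUSRAUD  USRPRF(BENP) OBJAUD(*CHANGE) AUDLVL(*CREATE *DELETE *OBJMGT)

/* Pull the object-create (CO) entries into an outfile for review.  */
DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(CO) OUTPUT(*OUTFILE) +
           OUTFILFMT(*TYPE5) OUTFILE(QGPL/AUDCO)
```

Because *CREATE in QAUDLVL is system-wide, the outfile will hold CO entries for every user and library; filter it by user or library name in a query afterwards rather than expecting the audit settings to do it.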
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work.