Several of my examples will show how to use Authority Collection. Authority Collection for user profiles was introduced in IBM i 7.3 and enhanced to provide collection of individual objects in both libraries and directories in IBM i 7.4. If you’re unfamiliar with the concept and configuration of the Authority Collection feature, I suggest that you read Chapter 16 in my book IBM i Security Administration and Compliance, Third Edition for details.
Since the introduction of Authority Collection, I don’t use the audit journal as much as I used to, but it remains a vital tool for investigating and solving security issues. I’ll be showing numerous examples of its use throughout this book. Again, if you are unfamiliar with the basic concepts of the IBM i audit journal, please see Chapter 15 in IBM i Security Administration and Compliance, Third Edition. I will be using both the Copy Audit Journal Entry (CPYAUDJRNE) command, which I describe extensively in my book, and the IBM i audit journal table functions, which let me bypass gathering the information into an outfile and use SQL to get information directly out of the audit journal.
I prefer using the table functions for a couple of reasons. First, I may be looking for entries for only one specific user or object, but when using CPYAUDJRNE I first must gather all entries of that type. The other reason I prefer the SQL table functions is that timestamp arithmetic is so easy in SQL. You’ll understand what I mean when you see the examples I provide. I would likely switch and never use CPYAUDJRNE again, but IBM hasn’t yet provided SQL table functions for all audit journal entry types. You can keep track of which audit journal entry types are supported at the following link (simply substitute the 7.X version you’re running for the 7.5 in the URL): https://www.ibm.com/docs/en/i/7.5?topic=services-audit-journal-entry. Check this after each TR, as this is not a static list! IBM has provided most of these table functions via TRs.
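To illustrate the two advantages just described (filtering to one user without first copying every entry of that type, and simple timestamp arithmetic), here is an added example query against the authority-failure (AF) entry table function; it is not from the book, and the user name, the seven-day window and the column names are assumptions to be checked against the IBM documentation linked above for your release.

```sql
-- Added example: authority failures for one user over the last 7 days,
-- read straight from the audit journal with no CPYAUDJRNE outfile.
-- STARTING_TIMESTAMP / ENDING_TIMESTAMP bound the journal search;
-- CURRENT TIMESTAMP - 7 DAYS is the timestamp arithmetic the text refers to.
-- 'APPUSER' is a placeholder user profile; column names assumed from the
-- documented AF table function (verify for your release).
SELECT ENTRY_TIMESTAMP,
       USER_NAME,                 -- profile whose authority was checked
       VIOLATION_TYPE,            -- e.g. 'A' = not authorized to object
       VIOLATION_TYPE_DETAIL,     -- text description of the violation
       OBJECT_LIBRARY,
       OBJECT_NAME,
       OBJECT_TYPE,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER
  FROM TABLE (
         SYSTOOLS.AUDIT_JOURNAL_AF(
           STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS,
           ENDING_TIMESTAMP   => CURRENT TIMESTAMP))
 WHERE USER_NAME = 'APPUSER'       -- one user only; no need to copy all AF entries
 ORDER BY ENTRY_TIMESTAMP DESC;

-- A second form, useful when reviewing a whole system rather than one user:
-- count failures per object so the noisiest missing authorities surface first.
SELECT OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE, VIOLATION_TYPE,
       COUNT(*) AS FAILURES,
       MIN(ENTRY_TIMESTAMP) AS FIRST_SEEN,
       MAX(ENTRY_TIMESTAMP) AS LAST_SEEN
  FROM TABLE (
         SYSTOOLS.AUDIT_JOURNAL_AF(
           STARTING_TIMESTAMP => CURRENT TIMESTAMP - 1 DAY,
           ENDING_TIMESTAMP   => CURRENT TIMESTAMP))
 GROUP BY OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE, VIOLATION_TYPE
 ORDER BY FAILURES DESC
 FETCH FIRST 25 ROWS ONLY;
```

Both queries assume the *AUTFAIL value is in QAUDLVL (or the user's action auditing), since the AF table function can only return entries the system was configured to log.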
Finally, New Nav has added the ability to examine the audit journal. If you’re new to the audit journal, or even if you’re not, this is an easy way to examine audit journal entries without having to know one iota of SQL! In this book, I’ll show examples of using New Nav to examine the audit journal.