IBMi - Auditing Changes To System Values
Some of these examples are built from the IBMi Security Administration and Compliance book and implemented in Enforcive installed on an IBMi.
Following on from my previous post Auditing Use Of QSECOFR once you are auditing QSECOFR, the next step is to monitor changes to your system values.
Auditing Changes To System Values
Before setting up Alerts and reports on system value changes, check that the System Audit Policy in Enforcive includes *SECURITY and that the System Security Journal has been started on the Alert collector Panel.
If you want to do this manually you need to change the system value QAUDLVL to include *SECURITY then we will use the SV action type (System Value Changed).
Using Enforcive it's as easy as ticking the *SECURITY element in the System audit policy.
It is important to keep an eye on your system values as they control some of the main security aspects of your system
With that in mind it is also good practice to monitor any changes to the system values and act upon them immediately.
This is done using the SV action type and the relevant action codes. Using Enforcive's Alert center the user can monitor action type SV.
The Alert Action is configured to send an email alert plus the alert is logged in Enforcive's central audit whenever a system values is changed.
This is the resulting email
System:LS089;GDPR 08 system value changed DATE: 2023-01-26 TIME: 16:43:24 TYPE: SYSTEM VALUE CHANGE USER: KEV DATA: SYSTEM VALUE = QTIME NEW VALUE = 164324 OLD VALUE = 164332 FROM IP ADDRESS: xxx.xxx.xxx.xxx JOB ID: 090974/KEV/KDPA1
To extract events manually you need to use the command DSPAUDJRNE to extract the data to a file and then display that file. It's much easier to extract that information with a tool like Enforcive. Once you have the events, Enforcive will immediately and automatically perform the above actions, whereas you would need to manually do them otherwise.
IBMi - Controlling System Values
If you do not have a tool like Enforcive on your IBMi there is still a way to stop users changing system values.
This is via system service tools command (STRSST) using Work with System Security option 7.
Allow system value security changes set to 1 or 2. To block changes to the defined set of security system values use option 2.
This blocks the following from being changed :-
QALWJOBITP QCRTOBJAUD QPWDEXPWRN
QALWOBJRST QDEVRCYACN QPWDLMTAJC
QALWUSRDMN QDSCJOBITV QPWDLMTCHR
QAUDCTL QDSPSGNINF QPWDLMTREP
QAUDENACN QFRCCVNRST QPWDLVL
QAUDFRCLVL QINACTMSGQ QPWDMAXLEN
QAUDLVL QLMTDEVSSN QPWDMINLEN
QAUDLVL2 QLMTSECOFR QPWDPOSDIF
QAUTOCFG QMAXSGNACN QPWDRQDDGT
QAUTORMT QMAXSIGN QPWDRQDDIF
QAUTOVRT QPWDCHGBLK QPWDRULES
QCRTAUT QPWDEXPITV QPWDVLDPGM
QRETSVRSEC QSCANFSCTL QSSLCSLCTL
QRMTSIGN QSECURITY QSSLPCL
QRMTSRVATR QSHRMEMCTL QUSEADPAUT
QSCANFS QSSLCSL QVFYOBJRST
If you have Enforcive this can be done with command control by registering the WRKSYSVAL and the CHGSYSVAL commands for use only by specific users or no users at all.
In the example below I have only configured the event to warn, it can easily be rejected so the command isn't run.
If you have a question regarding this post or would like a free demonstration, contact us using our Contact Page.