Software and Services for IBM i (iSeries/AS400)

IBMi - Auditing Changes To System Values

Some of these examples are built from the IBMi Security Administration and Compliance book and implemented in Enforcive installed on an IBMi.

Following on from my previous post, Auditing Use Of QSECOFR: once you are auditing QSECOFR, the next step is to monitor changes to your system values.

Auditing Changes To System Values

Before setting up Alerts and reports on system value changes, check that the System Audit Policy in Enforcive includes *SECURITY and that the System Security Journal has been started on the Alert collector Panel.

To do this manually, change the system value QAUDLVL to include *SECURITY; the entries to monitor then have the SV action type (System Value Changed).

Using Enforcive it's as easy as ticking the *SECURITY element in the System audit policy.

It is important to keep an eye on your system values, as they control some of the main security aspects of your system.

With that in mind it is also good practice to monitor any changes to the system values and act upon them immediately.

This is done using the SV action type and the relevant action codes. Using Enforcive's Alert center the user can monitor action type SV.

The Alert Action is configured to send an email alert and to log the alert in Enforcive's central audit whenever a system value is changed.

This is the resulting email:

System:LS089;GDPR 08 system value changed
DATE: 2023-01-26
TIME: 16:43:24
TYPE: SYSTEM VALUE CHANGE
USER: KEV
DATA:
SYSTEM VALUE = QTIME
NEW VALUE = 164324
OLD VALUE = 164332
FROM IP ADDRESS: xxx.xxx.xxx.xxx
JOB ID: 090974/KEV/KDPA1

To extract events manually you need to use the command DSPAUDJRNE to extract the data to a file and then display that file. It's much easier to extract that information with a tool like Enforcive. Once you have the events, Enforcive will immediately and automatically perform the above actions, whereas you would need to manually do them otherwise.

IBMi - Controlling System Values

If you do not have a tool like Enforcive on your IBMi there is still a way to stop users changing system values.

This is done through the System Service Tools command (STRSST), using Work with System Security (option 7).

Set "Allow system value security changes" to 1 or 2; to block changes to the defined set of security system values, use option 2.

This blocks the following from being changed:

QALWJOBITP   QCRTOBJAUD   QPWDEXPWRN
QALWOBJRST   QDEVRCYACN   QPWDLMTAJC
QALWUSRDMN   QDSCJOBITV   QPWDLMTCHR
QAUDCTL      QDSPSGNINF   QPWDLMTREP
QAUDENACN    QFRCCVNRST   QPWDLVL
QAUDFRCLVL   QINACTMSGQ   QPWDMAXLEN
QAUDLVL      QLMTDEVSSN   QPWDMINLEN
QAUDLVL2     QLMTSECOFR   QPWDPOSDIF

QAUTOCFG     QMAXSGNACN   QPWDRQDDGT
QAUTORMT     QMAXSIGN     QPWDRQDDIF
QAUTOVRT     QPWDCHGBLK   QPWDRULES
QCRTAUT      QPWDEXPITV   QPWDVLDPGM
QRETSVRSEC   QSCANFSCTL   QSSLCSLCTL
QRMTSIGN     QSECURITY    QSSLPCL
QRMTSRVATR   QSHRMEMCTL   QUSEADPAUT
QSCANFS      QSSLCSL      QVFYOBJRST
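
The following added example, which is not part of the original post and is not Enforcive code, parses an alert body in the layout of the email shown earlier and ranks it by whether the changed value is one of the system values listed above. The ranking labels, the function names and the sample alert are assumptions made for illustration.

```python
import re

# System values the page lists as blocked by SST option 2 (copied from the page).
LOCKABLE = frozenset("""
QALWJOBITP QCRTOBJAUD QPWDEXPWRN QALWOBJRST QDEVRCYACN QPWDLMTAJC
QALWUSRDMN QDSCJOBITV QPWDLMTCHR QAUDCTL QDSPSGNINF QPWDLMTREP
QAUDENACN QFRCCVNRST QPWDLVL QAUDFRCLVL QINACTMSGQ QPWDMAXLEN
QAUDLVL QLMTDEVSSN QPWDMINLEN QAUDLVL2 QLMTSECOFR QPWDPOSDIF
QAUTOCFG QMAXSGNACN QPWDRQDDGT QAUTORMT QMAXSIGN QPWDRQDDIF
QAUTOVRT QPWDCHGBLK QPWDRULES QCRTAUT QPWDEXPITV QPWDVLDPGM
QRETSVRSEC QSCANFSCTL QSSLCSLCTL QRMTSIGN QSECURITY QSSLPCL
QRMTSRVATR QSHRMEMCTL QUSEADPAUT QSCANFS QSSLCSL QVFYOBJRST
""".split())

# Matches "KEY: value" header lines and "KEY = value" data lines of the alert.
LINE = re.compile(r"^\s*([A-Z][A-Z ]*?)\s*[:=]\s*(.*?)\s*$")

def parse_alert(body):
    """Turn one alert e-mail body into a dict keyed by its field labels."""
    event = {}
    for line in body.splitlines():
        m = LINE.match(line)
        if m:
            event[m.group(1)] = m.group(2)
    return event

def triage(event):
    """Rank a parsed alert (labels are this example's own, not Enforcive's)."""
    if event.get("TYPE") != "SYSTEM VALUE CHANGE" or "SYSTEM VALUE" not in event:
        return "unparsed"
    name = event["SYSTEM VALUE"].upper()
    if name.startswith("QAUD"):
        return "critical"  # the auditing configuration itself was changed
    if name in LOCKABLE:
        return "high"      # a security system value from the list above
    return "low"           # e.g. the QTIME change in the page's sample email

# Constructed sample in the page's alert layout (all values are made up).
SAMPLE = """TYPE: SYSTEM VALUE CHANGE
USER: EXAMPLEUSR
DATA:
SYSTEM VALUE = QAUDLVL
NEW VALUE = *AUTFAIL
OLD VALUE = *SECURITY *AUTFAIL
"""

if __name__ == "__main__":
    ev = parse_alert(SAMPLE)
    print(triage(ev), ev["SYSTEM VALUE"], ev["OLD VALUE"], "->", ev["NEW VALUE"])
```
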

If you have Enforcive this can be done with command control by registering the WRKSYSVAL and the CHGSYSVAL commands for use only by specific users or no users at all.

In the example below I have only configured the event to warn; it can easily be rejected so the command isn't run.
