IBMi - Auditing Password Authorization Failures
Some of these examples are built from the IBMi Security Administration and Compliance book and implemented in Enforcive installed on an IBMi.
Password Authorization Failures
Before setting up Alerts and reports on authorization failures check that the System Audit Policy in Enforcive includes *AUTHFAIL and that the System Security Journal has been started on the Alert collector Panel.
If you want to do this manually you need to change the system value QAUDLVL to include *AUTFAIL
Now you can configure an alert which happens real time as soon as a record is written to the Audit Journal. Enforcive's Alert collector handles all the the background tasks.
To extract the PW events manually you need to use the command DSPAUDJRNE to extract the data to a file and then display that file. It's much easier to extract that information with a tool like Enforcive.
This example looks for invalid password events which can be caused by a variety of actions. The action type is PW and the events can indicate invalid passwords being entered or invalid user ID's entered. The later could indicate an automated hack in progress.
The Alert is configured on three panels.
The Alert Condition - what to look for
The Time Condition - when to look for it
The Alert Action - what to do once alerted
The PW entries when printed using Enforcive's report generator look like this. You can see here FRED is not on our system, a quick sequence of invalid user names indicates a possible hack has been attempted.
Finally the email looks like this:-
Invalid Password : ------ System:LS089;Invalid Password DATE: 2023-01-17 TIME: 15:45:36 TYPE: INVALID PASSWORD USER: KEV DATA: WORKSTATION = KDPA0 FROM IP ADDRESS: xxx.xxx.xxx.xxx JOB ID: 534687/QSYS/QINTER
For a free demonstration contact us using the "ASK A QUESTION" tab on the left of this page.