• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1250
  • Last Modified:

Object Auditing in AS400

Hi,
We want to AUDIT the OBJECTS (not only the physical files) that have been created, deleted, modified in our system.
How can we do that?
For this how much disk space it may be needed.
What are the advantages & disadvantages of doing so.
Can any one please help us.

Thanking You
0
Bsidmis
Asked:
Bsidmis
3 Solutions
 
Gary PattersonVP Technology / Senior Consultant Commented:
Marhaba,

Object auditing can be controlled at the:

System level - QAUDLVL and QAUDCTL system values.
User profile level - AUDLVL parameter
Object level - CHGOBJAUD command.
The interactions between these settings are a little complicated, so you need to read up on Auditing in the Security Reference:

http://publib.boulder.ibm.com/iseries/v5r1/ic2924/books/c415302515.htm

Disk space:  You'll need to benchmark.  Depends on the applications, number of users, number of interactive transactions, design of your applications, etc.  Every system is different.  Turn on object auditing for a day, measure the disk usage.  You can manage the audit journal receiver sizes.

Advantages: Accountability. Ability to determine who did what, when, and how. Ability to satisfy regulatory and audit requirements,  Compliance with industry best practices.

Disadvantages: Lack of accountability.  Inability to determine who did what, when, and how.  Inability to to satisfy regulatory and audit requirements.  Non-compliance with industry best practices.

- Gary Patterson








0
 
BsidmisAuthor Commented:
Dear Gary Patterson,
You gave some abilities as advantages & the same as inabilities in disadvantages.
I didn't got what does it means. Can you please explain that?
After enabling the system values again can we disable those system values?
Will it create any problem for us?
Thankyou.
 
0
 
Gary PattersonVP Technology / Senior Consultant Commented:
The advantages and disadvantages are two sides of the same coin: when you enable auditing you get an audit trail at the expense of some system resources.  If you disable auditing you save some system resources at the expense of an audit trail.

You may enable or disable auditing (provided you have adequate rights, of course) at any time.

I don't know if it will create any problems for you, since I don't know how much disk space you have free, how much auditing information you will generate in a given period, what applications run on your system, how much average CPU utilization you have, how many CPUs you have, how much disk arm utilization you have, and other variables.  

In general, if you have a lightly-utilized machine, auditing impact is generally light.  If you are already experiencing performance problems, enabling auditing will certainly increase disk arm and disk space utilization somewhat, but how much is entirely dependent on the amount and types of work your specific system performs

Hope that helps.

- Gary Patterson
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
Gary PattersonVP Technology / Senior Consultant Commented:
Just to clarify: changes to auditing settings take place immediately.  An IPL is not  required.

- Gary Patterson
0
 
BsidmisAuthor Commented:
Dear Gary,
After enabling the system values & checking for one day, if we want to disable those system values can we get back the disk space occupied while auditing during that day?
While auditing process is going on will it create any objects by its own so that those objects will occupy disk space & even after disabling the system values also we cannot get back the occupied disk space. Is there any problem like this.
As you told that the changes to auditing settings will take place immediately, can you tell us how to disable those settings again.
Please tell us in this also.
Thankyou.
 
 
 
0
 
Gary PattersonVP Technology / Senior Consultant Commented:
Sure.  The auditing data is stored in journal receiver objects.  These journal receiver objects need to be managed.  You can get the disk space back by deleting the journal receivers.

As you might expect, you alter or turn off auditing using the same system values, user profile settings, and object settings you use to turn it on.
 
Before we go any further, may I suggest that you read the few pages in the Security Reference that covers just about everything you need to know about turning on auditing, auditing-related objects, and disabling auditing is right here:

http://publib.boulder.ibm.com/iseries/v5r1/ic2924/books/c415302515.htm

Regards,

- Gary Patterson


0
 
shalomcCommented:
just to clarify,
auditing objects does not put aside copies of these objects.
if a program is modified, the audit journal contains only the metadata of the modification event - what object, who did it and when it happened.
you cannot rely on the audit journal for backup or recovery, only for auditing.

ShalomC
0
 
tliottaCommented:
Bsidmis:

> ...can we get back the disk space occupied while auditing during that day? ...While auditing process is going on will it create any objects by its own so that those objects will occupy disk space & even after disabling the system values also we cannot get back the occupied disk space. Is there any problem like this. ...As you told that the changes to auditing settings will take place immediately, can you tell us how to disable those settings again.

These are extremely difficult questions to answer because they indicate a level of knowledge that is very hard to determine. E.g.:

...While auditing process is going onwill it create any objects by its own so that those objects will occupydisk space & even after disabling the system values also we cannotget back the occupied disk space.

Well, of course the audit information takes up space. No computer is going to record information without using its storage space to hold the information. And of course you can recover the space by deleting the objects that hold the information. If it couldn't be cleaned up (removed, purged, deleted), the entire system would soon be filled by audit records.

So, how do we answer?

I think Gary's gone in the right direction. You need to gain enough background in order to know what questions to ask. Maybe the 'Journal management concepts' topic in the Information Center would be useful:

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzaki/rzakiconcepts.htm
That's only a few web pages about journals to get some real basics started. Mostly, that topic is about using journals for tracking changes to records in databases; but journals are also used to store audit records of activities. Very similar management concepts are used for both kinds of journals.

The same commands are used to create and delete database and audit journals and their associated receivers. The same commands are used to save and restore them. The same commands are used to list their contents. The same APIs can used if you want to create programming around journals.

Audit journals can collect a large amount of information, so some experimenting is called for. However, the size of the collected information will almost certainly be manageable. It won't grow so fast that you can't stop it and recover its space after a day or possibly even a week.

If your receiver sizes are kept small at first, you can increase the sizes of later ones.

Take small steps and implement audits one piece at a time. Learn from each step in order to know what to expect from the next step. Review any step after an hour and after a day.

One warning -- Do not use the CHGSECAUD command until after you've learned what each of its capabilities will do. Learn by steps. That command is for experienced system administrators. (Bonus warning -- do not use the CFGSYSSEC command either. That one requires even more experience.)

And when you feel comfortable about asking specific questions, you can come back and ask them here. The answers will probably be far more specific then.

Tom

0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now