IBM i system journaling exceptions

bitxpert
I have recently installed Anti-Virus scanning for the Netserver (IFS) portion on my IBM i.  I am running IBM i v7r2.  The Anti-Virus scans are making the number of journal receiver entries increase exponentially. Auditing events are configured as listed: attention events, authorization failure, object creation/deletion/restore, program adoption, security tasks, service tasks, system integrity violation, system management.  I'm not auditing objects in QTEMP, & object auditing isn't active.

The AV scanner is producing a lot of entries of the following types: CA (auth change), LD (directory link/unlink/lookup), CO (create object), AD (auditing attribute change), & DO (delete operation).

My question is: can I specify exceptions to auditing/journaling?  By job name, user profile, or any other parameter that would allow me to specify that I don't want the AV scanner activity being journaled.

Thanks in advance.
VP Technology / Senior Consultant
Commented:
No way that I'm aware of to set up auditing exceptions.  You can use CHGUSRAUD to specify ADDITIONAL audits for a given user, but not to exclude audits configured in the QAUDLVL and QAUDLVL2.  Allowing specific jobs or users to bypass auditing would create a pretty big hole in the whole purpose of auditing.

My only idea:  Remove the problem audits from QAUDLVL/QAUDLVL2 and apply them at the user level using CHGUSRAUD - not crazy about this one since it creates a user profile maintenance issue.

Is this the free AV from Raz-Lee? If so, you might want to raise the issue with them directly and see if they have any suggestions.

Author

Commented:
Gary,

Thanks for the confirmation. I figured there would not be a way to create exceptions in the system security auditing because that would be self-defeating.

The CHGUSRAUD command would be a good compromise, albeit more work, so I will keep that in mind.

You are correct, it is the free AV from Raz-Lee.  I will check with them and see if they have any good suggestions.
Gary Patterson, VP Technology / Senior Consultant
Commented:
Please post back if you learn anything interesting.  

One way to make the CHGUSRAUD approach less likely to end up with gaps due to unaudited or underaudited users would be to create a little process that runs each night, perhaps, that does a DSPUSRPRF *BASIC to an outfile, and then sweeps through the outfile verifying all audited profiles have the correct audit actions in column UPAUDL in the outfile, and issuing CHGUSRAUD to fix any profiles (new profiles for example) that aren't set up correctly.

If you wanted to get fancy, you could also create an "exclusions" file containing a list of profiles that you didn't want the process to manage.

- Gary
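
The nightly sweep and exclusions list described in the comment above, sketched as an added example that is not code from the thread or from IBM. It assumes the DSPUSRPRF TYPE(*BASIC) outfile rows have already been read as (profile, UPAUDL) pairs, that UPAUDL holds space-separated special values, and that the required actions, the `AVSCAN` profile name and the sample rows are constructed for illustration.

```python
import re

# Assumed policy: actions every managed profile must audit (constructed).
REQUIRED = ("*CREATE", "*DELETE", "*SECURITY")
# Profiles the sweep must leave alone, e.g. the AV scanner's (hypothetical name).
EXCLUSIONS = {"AVSCAN"}
# Simple-name check (assumption) so outfile data cannot alter the command text.
PROFILE_RE = re.compile(r"[A-Z$#@][A-Z0-9$#@_.]{0,9}")

def parse_audl(upaudl):
    """Split the UPAUDL column into a set of special values, dropping *NONE."""
    return {v for v in upaudl.upper().split() if v != "*NONE"}

def plan_fixes(rows, required=REQUIRED, exclusions=EXCLUSIONS):
    """Return CHGUSRAUD commands for profiles missing a required action.

    rows: (profile, UPAUDL) pairs read from the DSPUSRPRF outfile.
    """
    commands = []
    for profile, upaudl in rows:
        profile = profile.strip().upper()
        if profile in exclusions:
            continue
        if not PROFILE_RE.fullmatch(profile):
            raise ValueError(f"unexpected profile name: {profile!r}")
        current = parse_audl(upaudl)
        missing = [a for a in required if a not in current]
        if not missing:
            continue
        # AUDLVL replaces the whole list, so keep existing extra actions.
        merged = sorted(current | set(required))
        commands.append(f"CHGUSRAUD USRPRF({profile}) AUDLVL({' '.join(merged)})")
    return commands

# Constructed sample rows standing in for the outfile contents.
SAMPLE_ROWS = [
    ("ALICE     ", "*CREATE *DELETE *SECURITY"),  # already compliant
    ("BOB       ", "*NONE"),                      # new profile, nothing set
    ("CAROL     ", "*CMD *CREATE"),               # under-audited, has an extra
    ("AVSCAN    ", "*NONE"),                      # excluded from management
]

if __name__ == "__main__":
    for cmd in plan_fixes(SAMPLE_ROWS):
        print(cmd)
```

Reviewing the generated commands before running them, and logging each change, keeps the sweep itself auditable.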

Author

Commented:
I have heard back from Raz-Lee; they didn't have a direct solution but said they would look into it.  At this point, my Journal growth has slowed so I'm thinking most of the abnormal growth may have been due to the initial scans.  

Gary, thanks for all the info on CHGUSRAUD. I will keep that in mind if this problem resurfaces.
Gary Patterson, VP Technology / Senior Consultant

Commented:
Happy to help.  Glad to hear that the volume has decreased.
