IBM i Template
Tested OS Versions
This software has been tested on the following IBM i versions:
- V7R1
IBM i Controls (Powertech SIEM Agent for IBM i)
The following table lists, for each IBM i audit journal entry type and condition, the action and sub-action the template maps it to, so you can control which information is received and actioned in your security schema.
| Action | Subaction | Journal Entry | Condition | Description |
|---|---|---|---|---|
| Alter Audit | Alter Audit | AD | No Condition | Auditing Changes |
| Access Object | Access Denied | AF | No Condition | Authority Failure |
| Grant Permission | Grant Permission | CA | substr(BDMDTN,67,3) in ('GRT', 'RPL', 'USR') and &JRNSTRING,22,8='*AUTL' | Authority Changes |
| Revoke Permission | Revoke Permission | CA | ELSE | Authority Changes |
| Grant Permission (AC Input) | Grant Permission | CA | ELSE | Authority Changes |
| User Statement | Command | CD | No Condition | Command String Audit |
| Alter Object | Replacement | CO | Var01='R' and &JRNSTRING,21,8='*AUTL' | Create Object |
| Create Object | Creation | CO | Var01='N' and &JRNSTRING,21,8='*AUTL' | Create Object |
| Create Object | Replacement | CO | ELSE | Create Object |
| Alter User | Alter User | CP | Var04='*USRPRF' Var05='CHG' Var29 not in (ENABLED, DISABLED) | User profile changed, created or restored |
| Create User | Create User | CP | Var04='*USRPRF' Var05='CRT' | User profile changed, created or restored |
| Disable User | Disable User | CP | Var04='*USRPRF' Var05='CHG' Var29='DISABLED' | User profile changed, created or restored |
| Enable User | Enable User | CP | Var04='*USRPRF' Var05='CHG' Var29='ENABLED' | User profile changed, created or restored |
| Reset Password | Reset Password | CP | Var04='*USRPRF' Var05='CHG' Var06='Y' | User profile changed, created or restored |
| Drop Object | Drop Object | DO | Var04='*AUTL' | Delete Object |
| Drop User | Drop Object | DO | Var04='*USRPRF' | Delete Object |
| Drop Object | Drop Object | DO | ELSE | Delete Object |
| Alter Configuration Rule | Alter DST Security Password | DS | No Condition | DST Security password reset |
| Successful Logon | Logon Successful | JS | Var01='S' Var02='I' | Actions that affect jobs |
| Logoff | Logoff | JS | Var01 in ('E', 'I') Var02='I' | Actions that affect jobs |
| Alter Job | Alter Job | JS | ELSE | Actions that affect jobs |
| Alter Object | Move Object | OM | Var01='M' | Object move or rename |
| Alter Object | Rename Object | OM | Var01='R' | Object move or rename |
| Alter Object | Replace Object | OR | Var01='N' | Object restore |
| Alter Object | Replace Object | OR | Var01='E' | Object restore |
| Alter Object | Alter Ownership | OW | No Condition | Object ownership changed |
| Alter Configuration Rule | Alter Program to Adopt Authority | PA | No Condition | Program changed to adopt authority |
| Switch User | Switch User | PS | No Condition | Profile Swap |
| Logon Failed | Logon Failed | PW | No Condition | Invalid Password |
| Revoke Permission | Authority Change During Restore | RA | No Condition | Authority Change during restore |
| Alter Configuration Rule | Restore Job Description with User Profile | RJ | No Condition | Restoring job description with user profile specified |
| Alter Object | Alter Ownership | RO | No Condition | Change of object owner during restore |
| Alter Configuration Rule | Restore Adopted Authority Program | RP | No Condition | Restoring adopted authority program |
| Alter Configuration Rule | Alter System Tools | ST | No Condition | Use of service tools |
| Alter Configuration Rule | Alter Configuration Rule | SV | NOT(Var02 like 'QAUD*') | System Value Changes |
| Alter Configuration Rule | System Value Change | SV | Var02 like 'QAUD*' | System Value Changes |
| Alter Date_Time | Alter Date_Time | SV | Var02 in (QDATE, QTIME) | System Value Changes |
| Alter Object | Alter Object | ZC | No Condition | Change to object |
| Read Object | Read Object | ZR | No Condition | Read of Object |
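To show how the CP, JS and SV rows of this table (and the identical rows in the VMC table below) are applied to an entry, here is an added Python example; it is not part of the Powertech or VMC products. It assumes each journal entry has already been split into positional fields named Var01, Var02, ... as the condition column uses them, and it returns every row whose condition matches rather than the first, so that rows which overlap (for example Alter User and Reset Password) become visible and a precedence can be chosen deliberately.

```python
import fnmatch

# Constructed rules transcribed from the CP, JS and SV rows of the table above.
# Each rule: (journal entry type, condition over the parsed Var fields, action, subaction).
# A condition of None is the table's ELSE row, used only when no other row matches.
def chg(v):
    """Common prefix of the CP rows: a change to an existing user profile."""
    return v.get("Var04") == "*USRPRF" and v.get("Var05") == "CHG"

RULES = [
    ("CP", lambda v: chg(v) and v.get("Var29") not in ("ENABLED", "DISABLED"), "Alter User", "Alter User"),
    ("CP", lambda v: v.get("Var04") == "*USRPRF" and v.get("Var05") == "CRT", "Create User", "Create User"),
    ("CP", lambda v: chg(v) and v.get("Var29") == "DISABLED", "Disable User", "Disable User"),
    ("CP", lambda v: chg(v) and v.get("Var29") == "ENABLED", "Enable User", "Enable User"),
    ("CP", lambda v: chg(v) and v.get("Var06") == "Y", "Reset Password", "Reset Password"),
    ("JS", lambda v: v.get("Var01") == "S" and v.get("Var02") == "I", "Successful Logon", "Logon Successful"),
    ("JS", lambda v: v.get("Var01") in ("E", "I") and v.get("Var02") == "I", "Logoff", "Logoff"),
    ("JS", None, "Alter Job", "Alter Job"),
    ("SV", lambda v: v.get("Var02") in ("QDATE", "QTIME"), "Alter Date_Time", "Alter Date_Time"),
    ("SV", lambda v: fnmatch.fnmatch(v.get("Var02", ""), "QAUD*"), "Alter Configuration Rule", "System Value Change"),
    ("SV", lambda v: not fnmatch.fnmatch(v.get("Var02", ""), "QAUD*"), "Alter Configuration Rule", "Alter Configuration Rule"),
]

def classify(entry_type, fields):
    """Return all (action, subaction) pairs whose condition matches the entry.
    If no conditioned row matches, return the ELSE row for that entry type (if any)."""
    matches = [(a, s) for t, cond, a, s in RULES
               if t == entry_type and cond is not None and cond(fields)]
    if matches:
        return matches
    return [(a, s) for t, cond, a, s in RULES if t == entry_type and cond is None]

# Constructed sample entries, already split into Var fields (parsing the raw journal
# record is out of scope here). Field values are illustrative, not captured data.
SAMPLES = {
    "disable":  ("CP", {"Var04": "*USRPRF", "Var05": "CHG", "Var29": "DISABLED", "Var06": "N"}),
    "pwdreset": ("CP", {"Var04": "*USRPRF", "Var05": "CHG", "Var29": "*SAME", "Var06": "Y"}),
    "logon":    ("JS", {"Var01": "S", "Var02": "I"}),
    "jobhold":  ("JS", {"Var01": "H", "Var02": "I"}),
    "qaudlvl":  ("SV", {"Var02": "QAUDLVL"}),
    "qtime":    ("SV", {"Var02": "QTIME"}),
}

if __name__ == "__main__":
    for name, (etype, fields) in SAMPLES.items():
        print(name, etype, classify(etype, fields))
```

Where two rows match the same entry (the password-reset and QTIME samples), decide which action should win before wiring the template into the SIEM, otherwise one event produces two alerts.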
IBM i Controls (VMC)
The following table lists, for each IBM i audit journal entry type and condition, the action and sub-action the template maps it to, together with the Event Manager queue name and auditing category, so you can control which information is received and actioned in your security schema.
| Action | Subaction | Journal Entry | Condition | Event Manager Queue Name | Auditing Category | Description |
|---|---|---|---|---|---|---|
| Alter Audit | Alter Audit | AD | No Condition | *AUDCHANGE | *SECCFG | Auditing Changes |
| Access Object | Access Denied | AF | No Condition | *AUTFAIL | *AUTFAIL, *PGMFAIL | Authority Failure |
| User Statement | Temporary Privilege Usage | AP | No Condition | *ADOPTING | READ_OBJECT | Obtaining adopted authority |
| Grant Permission | Grant Permission | CA | substr(BDMDTN,67,3) in ('GRT', 'RPL', 'USR') and &JRNSTRING,22,8='*AUTL' | *AUTCHANGE | *SECRUN | Authority Changes |
| Revoke Permission | Revoke Permission | CA | substr(BDMDTN,67,3)='RVK' and &JRNSTRING,22,8='*AUTL' | *AUTCHANGE | *SECRUN | Authority Changes |
| Grant Permission (AC Input) | Grant Permission | CA | ELSE | *AUTCHANGE | *SECRUN | Authority Changes |
| User Statement | Command | CD | No Condition | *COMMAND | *CMD | Command String Audit |
| Alter Object | Replacement | CO | Var01='R' and &JRNSTRING,21,8='*AUTL' | *CREATEOBJ3 | *CREATE | Create Object |
| Create Object | Creation | CO | Var01='N' and &JRNSTRING,21,8='*AUTL' | *CREATEOBJ3 | *CREATE | Create Object |
| Create Object | Replacement | CO | ELSE | *CREATEOBJ3 | *CREATE | Create Object |
| Alter User | Alter User | CP | Var04='*USRPRF' Var05='CHG' Var29 not in (ENABLED, DISABLED) | *USRPRFCHG | *SECCFG | User profile changed, created or restored |
| Create User | Create User | CP | Var04='*USRPRF' Var05='CRT' | *USRPRFCHG | *SECCFG | User profile changed, created or restored |
| Disable User | Disable User | CP | Var04='*USRPRF' Var05='CHG' Var29='DISABLED' | *USRPRFCHG | *SECCFG | User profile changed, created or restored |
| Enable User | Enable User | CP | Var04='*USRPRF' Var05='CHG' Var29='ENABLED' | *USRPRFCHG | *SECCFG | User profile changed, created or restored |
| Reset Password | Reset Password | CP | Var04='*USRPRF' Var05='CHG' Var06='Y' | *USRPRFCHG | *SECCFG | User profile changed, created or restored |
| Drop Object | Drop Object | DO | Var04='*AUTL' | *DELETEOBJ | *DELETE, *SECCFG | Delete Object |
| Drop User | Drop User | DO | Var04='*USRPRF' | *DELETEOBJ | *DELETE, *SECCFG | Delete Object |
| Drop Object | Drop Object | DO | ELSE | *DELETEOBJ | *DELETE, *SECCFG | Delete Object |
| Alter Configuration Rule | Alter DST Security Password | DS | No Condition | *DSTPWD | *SECCFG | DST Security password reset |
| Alter Configuration Rule | Alter Generic Record | GR | No Condition | *GENREC | *AUTFAIL, *SECCFG | Generic Record |
| Alter Configuration Rule | Alter Job Description Parameter | JD | No Condition | *JOFDCHG | *SECCFG | Change to user parameter of a job description |
| Successful Logon | Logon Successful | JS | Var01='S' Var02='I' | *JOBACTION | *JOBDTA | Actions that affect jobs |
| Logoff | Logoff | JS | Var01 in ('E', 'I') Var02='I' | *JOBACTION | *JOBDTA | Actions that affect jobs |
| Alter Job | Alter Job | JS | ELSE | *JOBACTION | *JOBDTA | Actions that affect jobs |
| Alter Configuration Rule | Alter Network Attribute | NA | No Condition | *NETATRCHG | *SECCFG | Network Attribute changed |
| Alter Object | Move Object | OM | Var01='M' | *OBJMOVE | *OBJMGT | Object move or rename |
| Alter Object | Rename Object | OM | Var01='R' | *OBJMOVE | *OBJMGT | Object move or rename |
| Alter Object | Replace Object | OR | Var01='N' | *OBJRST | *SAVRST | Object restore |
| Alter Object | Replace Object | OR | Var01='E' | *OBJRST | *SAVRST | Object restore |
| Alter Object | Alter Ownership | OW | No Condition | *OBJOWNCHG | *SECRUN | Object ownership changed |
| Alter Configuration Rule | Alter Program to Adopt Authority | PA | No Condition | *PGMADP | *SECCFG | Program changed to adopt authority |
| Grant Permission | Alter Object Primary Group | PG | No Condition | *OBJPGPCHG | *SECRUN | Change of an object's primary group |
| Switch User | Switch User | PS | No Condition | *PRFSWAP | *SECVFY | Profile Swap |
| Logon Failed | Logon Failed | PW | No Condition | *INVPWD | *AUTFAIL | Invalid Password |
| Revoke Permission | Authority Change During Restore | RA | No Condition | *AUTCHANGE | *SAVRST | Authority Change during restore |
| Alter Configuration Rule | Restore Job Description with User Profile | RJ | No Condition | *RSTUSRJBD | *AUTFAIL | Restoring job description with user profile specified |
| Alter Object | Alter Ownership | RO | No Condition | *OBJOWNCHG | *SAVRST | Change of object owner during restore |
| Alter Configuration Rule | Restore Adopted Authority Program | RP | No Condition | *RSTPGMADP | *SAVRST | Restoring adopted authority program |
| Grant Permission | Restore User Profile Authority | RU | No Condition | *RSTUSPAUT | *SAVRST | Restoring user profile authority |
| Grant Permission | Alter Object Primary Group During Restore | RZ | No Condition | *RSTPGPCHG | *SAVRST | Changing a primary group during restore |
| Alter Object | Alter Spooled File | SF | Var01='H', 'R', 'U' or 'V' | *SPOOLFILE | *SPLFDTA | Actions to spooled files |
| Create Object | Create Spooled File | SF | Var01='C' or 'I' | *SPOOLFILE | *SPLFDTA | Actions to spooled files |
| Access Object | Read Spooled File | SF | Var01='A' | *SPOOLFILE | *SPLFDTA | Actions to spooled files |
| Drop Object | Delete Spooled File | SF | Var01='D' | *SPOOLFILE | *SPLFDTA | Actions to spooled files |
| Alter Configuration Rule | Alter System Management | SM | No Condition | *SYSMGTCHG | *SYSMGT | System management changes |
| Alter Configuration Rule | Alter System Tools | ST | No Condition | *SERVTOOLS | *SERVICE | Use of service tools |
| Alter Configuration Rule | Alter Configuration Rule | SV | NOT(Var02 like 'QAUD*') | *SYSVALCHG | *SECCFG | System Value Changes |
| Alter Configuration Rule | System Value Change | SV | Var02 like 'QAUD*' | *SYSVALCHG | *SECCFG | System Value Changes |
| Alter Date_Time | Alter Date_Time | SV | Var02 in (QDATE, QTIME) | *SYSVALCHG | *SECCFG | System Value Changes |
| Alter Object | Alter Object | YC | No Condition | *DLOOBJCHG | *CHANGE | DLO Object accessed (Change) |
| Access Object | Read Object | YR | No Condition | *DLOOBJRD | *ALL | DLO Object accessed (read) |
| Alter Object | Alter Object | ZC | No Condition | *OBJCHANGE | *CHANGE | Change to object |
| Read Object | Read Object | ZR | No Condition | *OBJREAD | *ALL | Read of Object |