Managing Your IBM i Audit Data

Let’s face it; system administration remains a largely thankless task. From scheduling jobs to balancing workloads to answering messages in QSYSOPR, administrators and operators work diligently behind the scenes to ensure that IBM i servers are available to run mission-critical applications.

As more organizations find themselves governed by a regulatory mandate, a new responsibility has befallen these teams: managing security data. IBM i’s integrated audit facility is designed to log numerous events, and commercial auditing solutions can enhance this logging with additional visibility to network-initiated events and user activities. All of this auditing comes at a price: the processing and management of the logs.

Fortra has tools specifically designed to extract and format entries from the IBM i log. When compliance or internal policy dictates the necessity for forensic interrogation and real-time notification, compliance reporting tools answer the call. But what happens to all of that data after it has been analyzed and processed?

Retaining IBM i Audit Data

Like corporate financial records, audit data often has specific retention requirements. The Payment Card Industry (PCI DSS) currently stipulates that 90 days of event data must be available online and available up to 12 months offline. Other regulatory bodies have similar demands, so careful planning is required to accommodate all of this data. Administrators must understand the necessity to retain the data and not treat it as obsolete and “first to go” when disk levels run high. To ensure compliance, corporate audit and legal departments should be involved in the definition of the retention policy.

IBM i audit data is stored in journal receivers. These receivers can exist in any library, but the default is to create the receivers in a general purpose library, QGPL, that is often littered with user and system objects. The receivers should be placed into a library specific for that purpose. Segregating these receivers into their own library simplifies housekeeping and helps facilitate security personnel protect this highly valuable data. Commercial security applications may have alternative repositories that also need to be processed and archived.

Powertech Compliance Monitor for IBM i contains a powerful “harvesting” feature that performs a scheduled extraction of select audit journal types from audit journal receivers on multiple servers. The extracted data is stored inside the Compliance Monitor for IBM i environment with compression that often exceeds 90 percent! This capability enables audit reporting even after the source receivers have been saved and deleted!

Regardless of the reporting performed on the journal receiver data, security and compliance experts highly recommend that the original (source) data be saved and archived—indefinitely if possible. These receivers are definitive and irrefutable proof and should be treated much like any other forensic evidence.

The organization could be called upon by law enforcement to research the source and characteristics of a breach, or to provide evidence to help prosecute criminal activity. In fact, without the original audit journal receivers available, a court will likely question the irrefutability of the audit findings.

Managing Your Audit Data Storage

IBM i customers typically rely on software to manage object archiving and tracking of media contents. Robot Save from Fortra simplifies the transition from online access to offline storage and vice-versa by managing the archiving of audit journal receivers to media. Corporate requirements are easily satisfied because archived audit data can be quickly and precisely located and restored from media, including virtual tape, without time-consuming research.

Combining Compliance Monitor for IBM i’s offline forensic reporting capabilities with Robot Save’s permanent archive and retrieval functions eliminates the headache caused by rapidly growing journal receivers, and provides peace of mind to anyone seeking regulatory compliance.