Do you know if your system users are accessing files that are outside their scope of responsibility? You can journal those sensitive files and report on who has made changes to the records, but it's a bit different if you want to know who looked at the files, but did not make any changes.
In our highly regulated environment, we must be able to detect who is looking at the sensitive files. For example, should members of the IT staff be looking at the PAYROLL file? Should our business analysts be viewing any sensitive data? What are the limits? Where is the segregation of duties? What is the state of our PCI compliance? Are we compliant with state privacy laws? Unless you have a way to audit who is looking at your sensitive files, you are in a difficult position.
If you want to be able to detect the use of a sensitive file on your system, you can use the object auditing feature of the OS. To do this, you must first configure your system for object auditing. To enable object auditing, you set the QAUDCTL system value to contain the value *OBJAUD. This tells the system that you want to be able to audit the use of certain objects. You then use the CHGOBJAUD (Change Object Auditing) command to specify which files you want audited.
CHGOBJAUD OBJ(PAYROLL/PAYMASTER) OBJTYPE(*FILE) OBJAUD(*ALL)
This activates the auditing for the file so that each time the file is accessed for READ, or for CHANGE, an audit entry is written to the QAUDJRN journal. This is not a record level access audit, but just that the file was accessed. For example, when a file is opened in an RPG program, if it is opened for update, an 'Open for CHANGE' entry is written. If the file is opened for Input, an 'Open for READ' entry is written.
You can use the DSPJRN command or the CPYAUDJRNE command to check who accessed the file. Here's an example using the CPYAUDJRNE command. The audit journal entry type for a file 'Open for READ' is ZR; for a file 'Open for CHANGE' it is ZC.
CPYAUDJRNE ENTTYP(ZC ZR) OUTFILE(MYAUDIT/QAUDIT)
JRNRCV(*CURCHAIN)
FROMTIME('10/07/2009' '04:00:00')
TOTIME('10/08/2009' '04:00:00')
This will generate two output files, QAUDITZC and QAUDITZR, in library MYAUDIT. QAUDITZC contains the 'Open for CHANGE' entries and QAUDITZR contains the 'Open for READ' entries.
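Once the two outfiles exist, the segregation-of-duties question in the article ("should IT staff be looking at PAYROLL?") becomes a query. The following DB2 for i SQL is an added example, not part of the original article: it combines the READ and CHANGE outfiles and lists every open of PAYROLL/PAYMASTER by a user profile outside an allowed list. The allowed list (PAYCLERK1, PAYMGR) is constructed for illustration, and the column names assume the CPYAUDJRNE *TYPE5 outfile layout (ZR/ZC prefix); confirm them with DSPFFD MYAUDIT/QAUDITZR before relying on the report.

```sql
-- Added example, not from the original article.
-- Assumes the outfiles created by CPYAUDJRNE above: MYAUDIT/QAUDITZR (reads)
-- and MYAUDIT/QAUDITZC (changes). Column names (ZRTSTP, ZRUSPF, ZRJOB, ZRNBR,
-- ZRPGM, ZRONAM, ZROLIB and their ZC equivalents) are assumed from the
-- *TYPE5 outfile layout; verify them with DSPFFD on your system.
WITH allowed(usr) AS (
    -- Constructed list of profiles that are supposed to touch PAYMASTER.
    VALUES ('PAYCLERK1'), ('PAYMGR')
),
opens AS (
    -- Normalise both outfiles into one shape, tagging the access kind.
    SELECT 'READ' AS access, ZRTSTP AS opened_at, ZRUSPF AS usr,
           ZRJOB AS job, ZRNBR AS jobnbr, ZRPGM AS pgm,
           ZRONAM AS obj, ZROLIB AS lib
    FROM   MYAUDIT.QAUDITZR
    UNION ALL
    SELECT 'CHANGE', ZCTSTP, ZCUSPF,
           ZCJOB, ZCNBR, ZCPGM,
           ZCONAM, ZCOLIB
    FROM   MYAUDIT.QAUDITZC
)
-- Every open of PAYROLL/PAYMASTER by someone not on the allowed list.
SELECT opened_at, usr, access, job, jobnbr, pgm
FROM   opens
WHERE  lib = 'PAYROLL'
AND    obj = 'PAYMASTER'
AND    usr NOT IN (SELECT usr FROM allowed)
ORDER BY opened_at DESC;
```

Run it from STRSQL or RUNSQL; a non-empty result is the list of accesses to review, and dropping the WHERE on usr gives the full access history for the file.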