Initial IBM i (OS/400) Audit Settings

Effective security auditing demands a balance between preserving historical data and maintaining system performance. Capturing events and recording them in both the IBM-provided security audit journal and the Audit history log consumes processing resources and can consume large amounts of disk space; capturing and recording too many events degrades performance.

Which specific events you choose to track is a function of your organization’s overall security objectives and potential exposures. When working with Audit for the first time, we recommend certain all-purpose settings that will allow you to examine security exposures and to develop historical data that will be useful when creating real-time detection rules.

The following section presents several generic setting scenarios that help you start collecting security data while keeping the performance and disk-space burden low. Adjust these settings as soon as practical to match your organizational and system requirements. In any case, monitor system performance and disk space closely.

After analyzing audit data generated by this initial process, you will be able to narrow your audit scope and use real-time detection rules to build a more efficient audit program.
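The two things you need to watch during this initial collection period are how much the audit journal is growing and which event types account for most of that growth. The following Db2 for i queries, added here as an illustration and not part of the original product documentation, show how to check both directly against the IBM-provided security audit journal (QSYS/QAUDJRN, journal code T) using IBM i services. They assume the audit journal receivers live in library QSYS, which is the common convention but not a requirement; change the library name if your receivers are elsewhere.

```sql
-- Added example (not from the original page). Run from Run SQL Scripts
-- (ACS) or STRSQL on IBM i 7.2 or later.

-- 1. What is currently being audited?  These system values control which
--    events reach QAUDJRN; QAUDLVL/QAUDLVL2 hold the event categories.
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2',
                             'QAUDENDACN', 'QAUDFRCLVL')
 ORDER BY SYSTEM_VALUE_NAME;

-- 2. How much disk do the audit journal receivers occupy?
--    Assumption: receivers are in QSYS (adjust the library if not).
SELECT OBJNAME AS RECEIVER,
       OBJSIZE / 1048576 AS SIZE_MB,
       OBJCREATED
  FROM TABLE(QSYS2.OBJECT_STATISTICS('QSYS', '*JRNRCV'))
 ORDER BY OBJCREATED DESC;

-- 3. Which audit entry types produced the most entries in the last day?
--    Journal code T is the security audit code; the entry type (AF, PW,
--    CP, ZC, ...) tells you which QAUDLVL category is generating volume.
SELECT JOURNAL_ENTRY_TYPE,
       COUNT(*) AS ENTRY_COUNT
  FROM TABLE(QSYS2.DISPLAY_JOURNAL(
               'QSYS', 'QAUDJRN',
               JOURNAL_CODES      => 'T',
               STARTING_TIMESTAMP => CURRENT TIMESTAMP - 1 DAY))
 GROUP BY JOURNAL_ENTRY_TYPE
 ORDER BY ENTRY_COUNT DESC;
```

Query 3 is the one that lets you narrow the scope later: an entry type that dominates the count but never feeds a detection rule is the first candidate for removal from QAUDLVL, while a type that is rare but security-relevant (for example AF, authority failure) should stay regardless of volume. Re-run queries 2 and 3 on a schedule while the initial settings are in place so you can see the growth rate, not just a single snapshot.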

However, for your initial settings, we recommend that you follow these procedures as described. For the step-by-step tutorials, together with detailed explanations for the parameter settings see IBM i (OS/400) Audit Settings.

To begin working with IBM i audit settings:

  1. Select 1. OS/400 Audit Features in the Audit main menu (STRAUD > 1). The OS/400 Audit Features menu appears.
  2. Perform the following procedures: