Working with Object Auditing

You should identify those objects that are critical to your organization and then create settings to capture all attempts to access these objects. There are separate wizards for auditing native IBM i objects or IFS (any non-native IBM i objects). The procedures are similar for both object types.

At first, you should capture all changes to critical objects. When you have analyzed the data, you can define settings and real-time detection rules to capture a much smaller sample to provide an effective audit trail.

  1. For native objects, select 41. Native Object Auditing from the OS/400 Audit Features menu (STRAUD > 1 > 41). For IFS objects, select 42. IFS Object Auditing.
  2. Select a library and object combination from the list, or press F6 to create a new entry.
  3. Enter parameters on the appropriate Add Object Auditingscreen as displayed (example is for native IBM i (OS/400) objects).
    4.                              ​ Add Object Auditing​                               
                                                                                    
     Type choices, press Enter.                                                    ​ 
                                                                                    
      ​     Object  . . . . . . . . . .​                   ​ Name, generic*, *ALL      ​    
      ​       Library . . . . . . . . .​                   ​ Name, *LIBL, *ALL, *ALLUSR​    
                                                                                    
      ​ Object type . . . . . . . .​                   ​ *ALL, *ALRTBL, *AUTHLR... ​    
                                                                                    
                                                                                    
      ​     Object auditing option  . .​                   ​ 1=*NONE          ​             
                                                     ​     2=*USRPRF        ​             
                                                     ​     3=*CHANGE        ​             
                                                     ​     4=*ALL           ​             
                                                                                    
                                                                                    
      ​     Apply immediately . . . . .​  B                ​ Y=Yes, B=in Batch, N=No​       
      ​     This might be a long running procedure. Batch run is recommended.          ​  
                                                                                    
                                                                                    
                                                                                    
     F3=Exit​  ​ F4=Prompt​  ​ F12=Cancel​                                               
                                                                                    
                                                                                    
  4. Repeat this process for other critical objects.