Powertech Authority Broker For IBM iAudit
Overview
With Authority Broker, System Administrators have the ability to limit access to powerful user profiles and control access to sensitive databases and programs. Users can be granted temporary authority that is either more or less powerful than their usual settings, and in cases where the user needs higher authority, they can temporarily change to that authority if the administrator has granted them sufficient privileges. In cases where a user would be safer operating under less authority, they can again temporarily change to that authority with the system administrator's advance approval.
Authority Broker, which can be called from the command line or from batch processes, is similar to the "su" capability of UNIX. But unlike "su", Authority Broker provides additional capabilities such as full auditing and reporting of all changes to authority, as well as comprehensive auditing of the actions the user performs under the assumed authority.
Authority Broker Events
Understanding the MSG ID
For Authority Broker events, message IDs are numbered according to the following scheme:
The first letter in the message ID:
U = Powertech user defined journal entries from QAUDJRN which are from Authority Broker.
The second two letters in the message ID:
BG = Begin swap
BH = User profile swap logging
EN = End profile swap
ER = Authority Broker action logged
FC = FireCall logged
FL = Action failure
JA = Timed switch performed
The four-digit number at the end of the message ID:
All Authority Broker message IDs currently use '0001'.
Below is a compilation of Authority Broker events.
MSGID | MSG |
---|---|
UBG0001 | Begin Swap |
UBH0001 | User Profile swap logging |
UEN0001 | End Profile swap |
UER0001 | Authority Broker action logged |
UFC0001 | FireCall logged |
UFL0001 | Action Failure |
UJA0001 | Timed Switch Performed |
Configuring System Values
In order to send messages, Powertech Authority Broker For IBM i needs to know the format of the events to be sent to the host server. When you begin using Powertech Authority Broker For IBM i, it's also a good idea to assign a message queue to log all messages sent by the software. This will allow you to confirm which messages have been sent. Both of these settings are configured on the Powertech Authority Broker For IBM i - Work with System Values screen.
To configure System Values
- At a command line on the IBM i, enter the following command to display the Powertech Main Menu.
- Select option 6 SIEM Agent.
- Select option 2 Work with Formats.
- Type 2 next to SYSLOG and press Enter.
- In the Message Style field, type *SYSLOG.
- In the Header specification field type RFC3164.
- Ensure that Use Header Format Compatibility is set to 'Y' and save the configuration.
- Press F3 twice to return to the Main Menu, then choose option 3 Work with Outputs.
- Press F6 to create a new output.
- Enter the following options:
  - Name: EVENTMGR
  - Description: Event Manager Server Output (or Install)
  - Active: 1
  - Format: SYSLOG
  - Type: *NETWORK
- Press Enter.
- Now enter these options on the subsequent screen:
  - Location: Enter the IP Address of the machine on which Event Manager is installed
  - Port: 514
  - Protocol: UDP
  - Recovery limit: 100
  - Time limit: 10
  - ArcSight compatibility: 0
- Press Enter to save changes, then press F12 to close the window.
- Choose option 1 Work with Event Sources.
- Type 2 next to AB (Authority Broker) and press Enter.
- Press F8 Maintain Outputs.
- Press F6 Attach to attach the recently created output.
- Type 1 next to EVENTMGR (previously created output name) and press Enter.
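On the receiving side, the message ID scheme and the RFC3164 header configured above can be used to decode and tally incoming events. The following is an added example, not Powertech code: the sample lines, the host names and the position of the message ID in the message text are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Two-letter event codes from the message ID scheme described on this page.
EVENT_CODES = {
    "BG": "Begin swap", "BH": "User profile swap logging",
    "EN": "End profile swap", "ER": "Authority Broker action logged",
    "FC": "FireCall logged", "FL": "Action failure",
    "JA": "Timed switch performed",
}
# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# 'U' + two letters + four digits, as a standalone token in the message text.
MSGID = re.compile(r"\bU(?P<code>[A-Z]{2})(?P<num>\d{4})\b")
# Constructed sample input; the real payload layout after the header is assumed.
SAMPLE = [
    "<134>Mar  4 09:15:02 IBMI01 UBG0001 Begin Swap",
    "<134>Mar  4 09:15:40 IBMI01 UFC0001 FireCall logged",
    "<134>Mar  4 09:31:17 IBMI01 UEN0001 End Profile swap",
    "<131>Mar  4 09:40:00 IBMI02 UFL0001 Action Failure",
    "<134>Mar  4 09:41:00 IBMI02 UZZ0001 code not in the scheme",
    "line without a syslog header",
]

def parse_event(line):
    """Return a dict for an Authority Broker event, or None for anything else."""
    m = RFC3164.match(line.strip())
    if not m or int(m["pri"]) > 191:          # 191 is the highest valid PRI
        return None
    hit = next((x for x in MSGID.finditer(m["msg"])
                if x["code"] in EVENT_CODES), None)
    if hit is None:                           # no known Authority Broker ID
        return None
    pri = int(m["pri"])
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": m["ts"], "host": m["host"],
        "msgid": hit.group(0), "event": EVENT_CODES[hit["code"]],
        # The page says all IDs currently use 0001; flag anything else.
        "expected_number": hit["num"] == "0001",
    }

def summarize(lines):
    """Count events per (host, msgid), skipping lines that do not parse."""
    events = [e for e in map(parse_event, lines) if e]
    return Counter((e["host"], e["msgid"]) for e in events)
```
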