iCan Blog Archive

There was a short statement in the IBM i 7.2 announcementNew PTF improvements for tracking of Security Audit Log. That’s not very clear is it?Starting with IBM i 7.2, you now have the ability to track PTF installation history in the security audit journal. This support extends the QAUDLVL and QAUDLVL2 system values with additional parameters to specify the type of auditing you want the system to do on PTF operations. You can track changes to the system based upon PTF activity on the system, as well as PTF object changes.

The following new values are allowed for the auditing level:

  • *PTFOPR – Program Temporary Fix (PTF) operations are audited. These result in new “PF” journal audit entries.
    The following are some examples:
    • Load, apply, or remove a PTF.
    • Log or delete a PTF save file.
    • Install PTFs by using GO PTF or INSPTF command
  • *PTFOBJ – Changes to Program Temporary Fix (PTF) objects are audited. These result in new “PU” journal audit entries. Note that no audit records are generated for bypassed objects; e.g., unchanged objects from superseded PTFs.
    The following are some examples:
    • Library objects such as *PGM and *SRVPGM objects.
    • Replaceable Unit (RU) objects for Licensed Internal Code (LIC) PTFs.
    • Integrated File System (IFS) objects.

The audit records include the fully qualified job name from which the operation was performed. With immediate PTFs, this is the job that applied that PTF immediately and the “Entry Action” field in the audit record is TAPY (PTF temporarily applied). However, delayed PTFs are applied (or removed) during an IPL, in which case the job will be the SCPF job which applies (or removes) delayed PTFs. Note that the original operation to initiate the apply of a delayed PTF is done prior to the IPL and the originating job is logged in a prior audit record with the “Entry Action” field set to LOAD and the “IPL action field for PTF” is set to ATMP (apply temporarily at IPL).If you have a requirement to audit PTF activity, the general recommendation is to audit PTF operations (*PTFOPR); auditing changes to PTF objects is only necessary for those environments that have strict auditing requirements.

You can read about this in the auditing fixes information in the IBM i Knowledge Center.

Refer to the IBM i Security Reference for more information on security auditing. Appendix F contains the layout of the new ‘PF’ and ‘PU’ audit journal entries.

I’d like to thank Ellie Streifel for her assistance on this blog article. Ellie is the IBM i PTF team lead.

This blog post was edited to fix broken links on April 12, 2020.

This blog post was originally published on IBMSystemsMag.com and is reproduced here by permission of IBM Systems Media.