This is a documentation member only to help understand the basics of
auditing on the system and some of the helpful TAA Tools. This
provides an overview and some simple examples of how to get started
with auditing.
There are many advanced functions supported by the system and TAA
which are not discussed.
System Auditing Support
-----------------------
Audit Journal
-------------
The system provides for the Audit Journal QAUDJRN. The system will
send journal entries to the journal based on what you want to audit.
The journal must be created in order to be used.
The system provides a simple command (CHGSECAUD) to start journaling
and set the basic system values, but to understand the concepts it is
better to issue the individual commands.
Before creating QAUDJRN, you must first create a journal receiver
such as:
CRTJRNRCV JRNRCV(xxx/AUD000001)
TEXT('QAUDJRN receiver')
You should place the receiver in a library that is normally backed up
on a daily basis such as QGPL (do not place it in QSYS). Using a
generic name such as AUD000001 allows the system to automatically
generate the next name on each IPL or with CHGJRN (see the
JRNRCV(*GEN) option). If AUD000001 is the current journal receiver,
AUD000002 would be the next generated journal receiver name.
Once the journal receiver is created, you can create the Audit
Journal.
CRTJRN JRN(QSYS/QAUDJRN)
JRNRCV(xxx/AUD000001)
TEXT('Audit Journal')
The QAUDJRN journal must be created in library QSYS. The default for
MNGRCV is *SYSTEM meaning the system will automatically create a new
journal receiver at each IPL.
You must manage the deletion of old receivers when required. You can
use WRKJRNA:
WRKJRNA JRN(QAUDJRN)
**********************************************************************
* *
* Work with Journal Attributes *
* *
* Journal . . . . . . : QAUDJRN Library . . . . . . : *
* *
* Attached receiver . : AUD000005 Library . . . . . . : *
* *
* Text . . . . . . . . : Audit journal *
* *
* ASP . . . . . . . . : 1 Journaled objects: *
* Message queue . . . : QSYSOPR Current . . . . . : *
* Library . . . . . : *LIBL Maximum . . . . . : *
* Manage receivers . . : *SYSTEM Recovery count . . . : *
* Delete receivers . . : *NO Receiver size options: *
* Journal cache . . . : *NO *
* Manage delay . . . . : 10 *
* Delete delay . . . . : 10 *
* Journal type . . . . : *LOCAL *
* Journal state . . . : *ACTIVE *
* Minimize entry data : *NONE *
* *
* F3=Exit F5=Refresh F12=Cancel F17=Display attached receiver *
* F19=Display journaled objects F24=More keys *
* *
**********************************************************************
Press F24 to see more command keys. The command key lines would then
appear as:
**********************************************************************
* F13=Display journaled files F14=Display journaled access p *
* F15=Work with receiver directory F24=More keys *
**********************************************************************
Use F15 to see the list of attached receivers.
After using F15, a display appears such as:
**********************************************************************
* *
* Work with Receiver Directory *
* *
* Journal . . . . . . : QAUDJRN Library . . . . . . : *
* *
* Total size of receivers (in kilobytes) . . . . . . . . . . . : *
* *
* Type options, press Enter. *
* 4=Delete 8=Display attributes *
* Attach *
* Opt Receiver Library Number Date Status *
* _ AUD000001 QGPL 00001 12/16/09 SAVED *
* _ AUD000002 QGPL 00002 12/16/09 SAVED *
* _ AUD000003 QGPL 00003 12/16/09 SAVED *
* _ AUD000004 QGPL 00004 12/16/09 ONLINE *
* _ AUD000005 QGPL 00005 12/17/09 ATTACHED *
* *
* Parameters or command *
* ===> ___________________________________________________________ *
* F3=Exit F4=Prompt F5=Refresh F9=Retrieve F11=Display size *
* F12=Cancel *
* *
**********************************************************************
A delete option exists from the display. An inquiry message will
appear if you attempt to delete a journal receiver that has not been
saved. You cannot delete the currently attached receiver.
Authorizations to the *JRN and *JRNRCV objects
----------------------------------------------
To allow a user profile like QSYSOPR to be able to use CHGJRN to
create the next journal receiver and to delete journal receivers,
enter:
GRTOBJAUT OBJ(QAUDJRN) OBJTYPE(*JRN) USER(QSYSOPR)
AUT(*OBJOPR *OBJMGT *UPD)
GRTOBJAUT OBJ(AUD000001) OBJTYPE(*JRNRCV) USER(QSYSOPR)
AUT(*ALL)
Note that this is authority to the journal object and does not
provide *ALLOBJ authority.
When either the CRTJRN MNGRCV(*SYSTEM) or CHGJRN JRNRCV(*GEN) options
are used, the system will generate the new journal receiver with the
same authorities as the previous journal receiver.
You should avoid giving *ALL authority to an operator for a journal
object as this will allow the user to display some journal entries.
System Values
-------------
The system will cause some journal entries to occur automatically,
but most of the audit entries are optional and are controlled by
system values and commands.
The system values may be locked by SST/DST. If so, they need to be
unlocked before making changes.
** QAUDCTL (Audit Control). This is a 'list type' which allows
multiple entries. You can read the details of each option but
a typical set of entries would include:
-- *AUDLVL - Allows the system value QAUDLVL to control
what is audited.
-- *OBJAUD - Allows audit entries to occur for those
objects specified by the CHGOBJAUD command.
-- *NOQTEMP - Avoids auditing actions against objects in
QTEMP which most users would consider excess overhead
and non-informative.
You can change the QAUDCTL system value with CHGSECAUD, but
you should be familiar with using the WRKSYSVAL command
directly.
WRKSYSVAL SYSVAL(QAUDCTL)
Use Option 2 to change and enter the values *AUDLVL, *OBJAUD,
and *NOQTEMP.
Press Enter and then use Option 5 to display. The values
should appear as:
*AUDLVL
*OBJAUD
*NOQTEMP
** QAUDLVL and QAUDLVL2. These are 'list type' system values
which allow multiple entries. The system originally shipped
QAUDLVL, but there was room for only 16 options so the system
added QAUDLVL2 with room for 99 options. It is recommended to
set QAUDLVL to *AUDLVL2 and use the QAUDLVL2 system value to
control auditing.
You can change the system values with CHGSECAUD or use
WRKSYSVAL:
WRKSYSVAL SYSVAL(QAUDLVL)
Use Option 2 to change and enter the value *AUDLVL2.
Press Enter and then use Option 5 to display. The value
should appear as:
*AUDLVL2
The QAUDLVL2 system value will allow you to specify different
kinds of options which will cause journal entries to be
written. In general, it is very easy to journal too much so
it is best to begin with the basics until you get familiar
with the process.
The minimum you should consider is *AUTFAIL which will cause
an audit entry when a security violation occurs.
Use WRKSYSVAL:
WRKSYSVAL SYSVAL(QAUDLVL2)
Use Option 2 to change and enter the value *AUTFAIL.
Press Enter and then use Option 5 to display. The value
should appear as:
*AUTFAIL
To force an audit failure journal entry, sign on as a normal user
(without *SECADM special authority) and enter:
CHGUSRPRF USRPRF(QSECOFR)
You should see a message that *SECADM is required. This error will
cause an auditing entry if you requested *AUTFAIL for the QAUDLVL2
system value.
** QCRTOBJAUD. This important system value is discussed in the
next section.
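
The setup steps above can be collected into one CL program. This is an added example, not part of the original member. It uses CHGSYSVAL in place of the interactive WRKSYSVAL Option 2, assumes QGPL as the receiver library, and assumes the profile running it is allowed to change the audit system values.

```cl
/* Added example: batch form of the interactive setup steps.          */
/* Assumption: receiver library QGPL, as in the sample displays.       */
PGM
  DCL VAR(&LVL)  TYPE(*CHAR) LEN(160)  /* QAUDLVL:  16 slots of 10     */
  DCL VAR(&LVL2) TYPE(*CHAR) LEN(990)  /* QAUDLVL2: 99 slots of 10     */

  /* 1. Create the receiver and journal only if QAUDJRN is missing.    */
  /*    CPF9801 = object not found.                                    */
  CHKOBJ OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
  MONMSG MSGID(CPF9801) EXEC(DO)
    CRTJRNRCV JRNRCV(QGPL/AUD000001) TEXT('QAUDJRN receiver')
    CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUD000001) +
             MNGRCV(*SYSTEM) TEXT('Audit Journal')
    /* Operator may change and delete receivers, but does not get      */
    /* *ALL on the journal itself. Later receivers inherit the         */
    /* authorities of AUD000001.                                       */
    GRTOBJAUT OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN) USER(QSYSOPR) +
                AUT(*OBJOPR *OBJMGT *UPD)
    GRTOBJAUT OBJ(QGPL/AUD000001) OBJTYPE(*JRNRCV) USER(QSYSOPR) +
                AUT(*ALL)
  ENDDO

  /* 2. Audit control. CHGSYSVAL replaces the whole list.              */
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

  /* 3. Point QAUDLVL at QAUDLVL2, but only when nothing is set yet,   */
  /*    so an existing list is never silently overwritten.             */
  RTVSYSVAL SYSVAL(QAUDLVL) RTNVAR(&LVL)
  IF COND(%SST(&LVL 1 10) *EQ '*NONE') +
       THEN(CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUDLVL2'))
  ELSE CMD(SNDPGMMSG MSG('QAUDLVL left unchanged:' *BCAT +
             %SST(&LVL 1 160)))

  /* 4. Start with the minimum: authority failures.                    */
  RTVSYSVAL SYSVAL(QAUDLVL2) RTNVAR(&LVL2)
  IF COND(%SST(&LVL2 1 10) *EQ '*NONE') +
       THEN(CHGSYSVAL SYSVAL(QAUDLVL2) VALUE('*AUTFAIL'))
  ELSE CMD(SNDPGMMSG MSG('QAUDLVL2 left unchanged:' *BCAT +
             %SST(&LVL2 1 200)))
ENDPGM
```

If either "left unchanged" message appears, review the existing list with WRKSYSVAL and add *AUDLVL2 or *AUTFAIL by hand.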
Auditing Specific Objects or Users
----------------------------------
Causing a journal entry for auditing is also called 'logging'. If
you want to log various occurrences, there are a few commands you
should become familiar with:
- CHGOBJAUD - Change Object Auditing
Controls logging of events on individual objects
- CHGAUD - Change auditing
Similar to CHGOBJAUD, but typically used to log
events to IFS objects such as stream files
- CHGUSRAUD - Change User Auditing
Controls logging of events by individual users
The CHGOBJAUD OBJAUD (object auditing value) parameter describes the
type of logging required for a specific object (the same parameter
exists on CHGAUD). You have a choice of *ALL, *CHANGE, or *USRPRF.
** *ALL means any read or change activity.
** *CHANGE means either the data was changed or one of the
attributes of the object was changed.
** *USRPRF is described later.
Note that using CHGOBJAUD by itself may not cause a journal entry.
There are a set of complex rules, but typical auditing of an object
requires the system value QAUDCTL to be set for *OBJAUD.
If you want to log any read or change activity to the PAYROLL file
regardless of the user, you would specify:
CHGOBJAUD OBJ(PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)
If you want to log just the change activity, you would specify:
CHGOBJAUD OBJ(PAYROLL) OBJTYPE(*FILE) OBJAUD(*CHANGE)
CHGOBJAUD will allow you to set or reset the auditing value for one,
generic, or all objects in a library, by library list, etc.
The other OBJAUD option is *USRPRF and works in conjunction with the
CHGUSRAUD command. The *USRPRF option requests to log activity only
when a user profile that has been set by the CHGUSRAUD command
performs an action. CHGUSRAUD also provides for an OBJAUD parameter
that determines the type of activity that will cause logging.
For example, if you want to log any change activity by USER1 to the
PAYROLL file, you would specify:
CHGOBJAUD OBJ(PAYROLL) OBJTYPE(*FILE) OBJAUD(*USRPRF)
CHGUSRAUD USRPRF(USER1) OBJAUD(*CHANGE)
Note that you cannot cause different logging for a user profile
depending on the object. It must be either *CHANGE or *ALL for all
objects that specify OBJAUD(*USRPRF).
The other use of CHGUSRAUD is to log specified actions for a
particular user. For example, if you want to log all commands run by
the QSECOFR profile, you would enter:
CHGUSRAUD USRPRF(QSECOFR) AUDLVL(*CMD)
Specifying *CMD will log not only the commands entered interactively,
but also those in any CL programs. It can cause a lot of logging.
See the later discussion of 'Auditing *ALLOBJ users' for some TAA
command help.
If you review the help text for the AUDLVL parameter, you will see
many of the same options that are available for the QAUDLVL system
value. If you had already specified an option such as *SECURITY for
the QAUDLVL system value, you don't need to specify it with CHGUSRAUD
for a specific user.
CHGUSRAUD will allow you to set the auditing value for one or more
users.
Another method of causing auditing of objects is to use the CRTOBJAUD
parameter on CRTLIB or CHGLIB. The companion commands of
CRTDIR/MKDIR can be used in a similar manner to set auditing for a
directory. You can request the same values for an object of *ALL,
*CHANGE, or *USRPRF. Once you make a change, any new objects created
in the library (or directory) will automatically have their OBJAUD
value set as per the library level value.
The default on CRTLIB/CRTDIR/MKDIR for the CRTOBJAUD parameter is
*SYSVAL which refers to the system value QCRTOBJAUD. This can be
used to set the value for all new libraries.
The important thing to note is that setting the library level does
not affect existing objects.
You can determine the object auditing value for an object by using
DSPOBJD. Display the full attributes and use rollup.
You can determine the auditing information for a user profile with
DSPUSRPRF and several rollup requests.
IFS Objects
-----------
IFS objects (or library objects) can be set to start auditing by use
of the CHGAUD command as described previously. The audit value may
be seen by using WRKLNK and Option 8. RTVIFSED2 retrieves the value
and DSPIFSED also displays the value. A special command DSPIFSAUD
may be used. CVTIFS also has the value in the IFAUDT field.
Audit Entries
-------------
Any logging that occurs creates a journal entry. The system command
that displays the journal entries is DSPJRN:
DSPJRN JRN(QAUDJRN)
**********************************************************************
* *
* Display Journal Entries *
* *
* Journal . . . . . . : QAUDJRN Library . . . . . . : *
* Largest sequence number on this screen . . . . . . : 00000000006 *
* Type options, press Enter. *
* 5=Display entire entry *
* *
* Opt Sequence Code Type Object Library Job *
* _ 1 J PR SCPF *
* _ 2 T AF QYPSJSVR *
* _ 3 T AF QYPSJSVR *
* _ 4 T ZC DSP01 *
* _ 5 T ZC DSP01 *
* _ 6 T ZC DSP01 *
* *
* F3=Exit F12=Cancel *
* *
**********************************************************************
DSPJRN is a complex command with lots of options and can be difficult
to work with. The basic use of the command just displays the entries
as they exist in the current journal receiver.
Each journal entry is assigned a 'code', a 'type', and a 'sub type'
based on the condition. A code of 'J' means it is an entry caused by
an operation on a journal or journal receiver.
The typical code that you will want to look at is the 'T' value for
auditing entries. A type of 'AF' indicates an 'authority failure'
such as where a user has attempted to display a secure library. Type
ZC indicates an object change.
Option 5 from the DSPJRN display will let you see the entire entry
which is a string of data. This can be difficult to interpret.
**********************************************************************
* *
* Display Journal Entry *
* *
* Object . . . . . . . : Library . . . . . . : *
* Member . . . . . . . : *
* Incomplete data . . : No Minimized entry data : *
* Sequence . . . . . . : 5 *
* Code . . . . . . . . : T - Audit trail entry *
* Type . . . . . . . . : ZC - Object change access *
* *
* Entry specific data *
* Column *...+....1....+....2....+....3....+....4....+....5 *
* 00001 'CAUDLOGP AUDLOG *FILE AUDLOGP ' *
* 00051 ' ' *
* 00101 ' ' *
* 00151 ' ' *
* 00201 ' ' *
* 00251 ' ' *
* 00301 ' ' *
* *
* Press Enter to continue. *
* *
* F3=Exit F6=Display only entry specific data *
* F10=Display only entry details F12=Cancel F24=More keys *
* *
**********************************************************************
An option (F10) from the detail display will let you see the details
of the job that caused the entry.
**********************************************************************
* *
* Display Journal Entry Details *
* *
* Journal . . . . . . : QAUDJRN Library . . . . . . : *
* *
* Sequence . . . . . . : 5 *
* Code . . . . . . . . : T - Audit trail entry *
* Type . . . . . . . . : ZC - Object change access *
* *
* Object . . . . . . . : *
* Type . . . . . . . : *
* Date . . . . . . . . : 12/17/09 *
* Time . . . . . . . . : 14:56:57 *
* Flag . . . . . . . . : 0 *
* Count/RRN . . . . . : 0 *
* Commit cycle ID . . : 0 *
* Nested commit level : 0 *
* Job . . . . . . . . : 001338/QPGMR/DSP01 *
* User profile . . . . : QPGMR *
* Ignore APY/RMV . . . : No *
* Ref constraint . . . : No *
* *
* F3=Exit F10=Display entry F12=Cancel F14=Display previous e *
* F15=Display only entry specific data *
* *
**********************************************************************
The system supports a command to copy the audit entries to a data
base file:
CPYAUDJRNE (added in V5R4)
By default, the journal code T and entry type AF entries are copied
to the QAUDITAF file in QTEMP. The file may then be queried such as
with the RUNQRY command:
RUNQRY QRY(*NONE) QRYFILE(QAUDITAF)
There is also a command that will display the entries, but should
only be used for simple requirements.
DSPAUDJRNE ENTTYP(AF) OUTPUT(*)
This would display the authority failures.
CPYAUDJRNE may also be used to help review different detail audit
entries. See the later section on 'Example of CPYAUDJRNE'.
Other comments
--------------
An important aspect about the Audit Journal (or any *JRN object) is
that it is a very secure object. You cannot change or delete an
entry.
But you do have to manage the journal receivers. You can save them
to offline storage before deleting them if there is a requirement to
be able to review past history.
You can write your own entries to the journal with the SNDJRNE
command.
TAA Support
-----------
Audit Log
---------
Because the DSPJRN and DSPAUDJRNE commands are not necessarily easy
to work with, TAA provides the AUDLOG tool to assist. This requires
that the journal entries be converted to data base files where they
can be manipulated more easily.
You begin by creating the AUDLOG data base files such as:
CRTAUDLOG AUDLOGLIB(xxx) ENTDTALEN(200)
Any library may be used. The AUDLOGP physical file and several
logical files will be created. The ENTDTALEN parameter describes the
length of the field for the entry data. You may describe a field
length of 102 to 1000. This is a fixed length field. The longer the
field, the larger the required space for each entry in the AUDLOGP
file. The minimum of 102 will not let you see all of the entry data
for some journal entries (the remainder would be truncated).
It is possible to start with an entry of 200 and change to a longer
or shorter length. You would have to use DLTAUDLOG and then
CRTAUDLOG again.
To get the journal entries out of the QAUDJRN journal and into the
TAA files, you must perform a conversion. This can be done on a
periodic basis or when you need to such as:
CVTAUDLOG
The command is smart enough to know what entries have already been
converted so it will just convert the new ones. There is also a
separate tool CVTAUDLOG3 which will allow a conversion as the entries
occur. This requires more overhead, but allows DSPAUDLOG to be
usable without a prior conversion step. CVTAUDLOG3 also allows an
option that will send a message if a specific journal entry type
occurs.
Once the entries are converted, you can display them with the
DSPAUDLOG command:
DSPAUDLOG
**********************************************************************
* *
* Audit Log *
* 12/17 *
* Pos to System: TAASYS13 Date - YYMMDD: 091217 Time 0000 *
* *
* Type options, press Enter. AUDLOGP library *
* 5=Display abbreviated entry 7=Display full entry *
* *
* Opt System Date Time Cde Ent Sub User *
* _ TAASYS13 12/17/09 0:04:17 J IN *NONE *
* _ TAASYS13 12/17/09 0:05:21 J NR QSYS *
* _ TAASYS13 12/17/09 0:05:21 J PR QSYS *
* _ TAASYS13 12/17/09 0:07:51 T AF A QYPSJSVR *
* _ TAASYS13 12/17/09 0:08:04 T AF A QYPSJSVR *
* _ TAASYS13 12/17/09 9:57:16 T ZC C QPGMR *
* _ TAASYS13 12/17/09 9:57:17 T ZC C QPGMR *
* *
* F3=Exit F6=PRTAUDLOG F9=Change -Pos To- order F12=Cancel *
* F17=Code descriptions *
* *
**********************************************************************
DSPAUDLOG provides a subfile display of the entries. The default
display occurs in 'date' order.
You can use F9 to change the order to display by job, or user, etc.
After entering F9, you would see the following:
**********************************************************************
* *
* Audit Log - Change -Position To Order *
* *
* The access path in use is in order by *DATE *
* *
* New order ________ *
* *
* Description *
* *
* *DATE By System, Date, Time *
* *CODE By System, Code, Entry Type, Date, Time *
* *USER By System, User, Date, Time *
* *JOB By System, Job, Date, Time *
* *CODESUB By System, Code, Entry Type, Sub Type, Date, Time *
* *
* F12=Cancel *
* *
**********************************************************************
You can use the input fields at the top of the subfile display to
position to an entry.
Option 5 from the subfile display lets you see the details of an
entry. This is a simpler display to review than the DSPJRN version,
but the entry data can still be confusing.
**********************************************************************
* *
* Audit Log - Detail Record Display *
* 12/17/09 *
* Entry date and time . . : 12/17/09 at 9:57:16 *
* Journal code . . . . . : T = Audit *
* Entry type . . . . . . : ZC Sub entry type = C *
* Entry type/subtype text : Change of an object *
* User . . . . . . . . . : QPGMR *
* Qualified job name . . : DSP01 QPGMR 001316 *
* System name . . . . . . : TAASYS13 *
* Journal sequence number : 4 *
* Program causing entry . : TAASEDSR2 *
* Object/Library/Member . : *
* Data length . . . . . . : 689 *
* Entry data . . . . . . : CAUDLOGP AUDLIB *FILE AUDLO *
* *
* F3=Exit F6=DSPDBFDTA F12=Cancel Press Enter to conti *
* *
**********************************************************************
Each journal entry code and type supported by the system has a model
data base file in QSYS. The F6 option takes the data from the
journal entry and maps it onto the model file definition provided by
the system. This is not a perfect solution, but does help explain
the entry.
After using F6, you would see:
**********************************************************************
* *
* TAA Display DBF Data File: QSYS/QASYZCJ4 *
* Text: Outfile for journal entry type ZC 12/17/09 *
* Type options, press Enter. Format: QASYZCJ4 Record im *
* 5=Display *
* C - Change of an object *
* Opt Field text description Value *
* Name of object AUDLOGP *
* Library name AUDLIB *
* Object type *FILE *
* Type of access 30 *
* Object data AUDLOGP *
* Not used *
* Object name length 0 *
* Object name CCSID 0 *
* Object name region ID *
* Object name language ID *
* Not used *
* Parent directory file ID *
* Object file ID *
* Object name *
* *
* F3=Exit F12=Cancel *
* *
**********************************************************************
There is also a PRTAUDLOG command which can be used to list entries
such as:
PRTAUDLOG JRNCDE((T AF))
An alternative to DSPAUDLOG and PRTAUDLOG is the SCNAUDLOG command.
SCNAUDLOG allows the normal types of selection on fields such as job,
date, time, user, etc., but also allows a scan of the entry data
field.
Most of the 'T' audit entries do not update the object data portion
of a journal entry. Instead, the object name is within the entry
data. Consequently, you cannot use DSPJRN, CPYAUDJRNE, or DSPAUDLOG
to find the entries that were caused by use or change of a particular
object. If you were auditing any changes to the PAYROLL file, you
could enter:
SCNAUDLOG SEARCH(PAYROLL)
and see all the entries that had the value PAYROLL within the entry
data. By default, a display appears that is similar to the DSPAUDLOG
display. A print option also exists.
While the AUDLOG tool makes it easier to work with the audit entries,
it is not as safe as the journal. Because data base files are used,
it is possible to change an entry. You should minimize this exposure
by limiting the number of users who can change the file.
You can also log any changes to the AUDLOGP file by specifying:
CHGOBJAUD OBJ(AUDLOGP) OBJTYPE(*FILE) OBJAUD(*CHANGE)
When CHGOBJAUD is used, an entry is created with a code of 'T' and a
type of 'AD'. When CVTAUDLOG is run, there will be an entry of code
'T' with a type of 'ZC'. If you display the details of this entry,
it will tell you the program TAASEDSR2 in TAATOOL (the program used
by CVTAUDLOG) made the change.
You could use SCNAUDLOG to find the entries such as:
SCNAUDLOG SEARCH(AUDLOGP)
This may help convince an auditor that the AUDLOGP is a true
representation of the QAUDJRN journal.
To delete old audit log entries that are no longer needed, use:
MTNAUDLOG RTNDAYS(30)
This will delete any entries that are older than 30 days.
Getting ready for an audit
--------------------------
No two auditors will want the same information to perform an audit.
Either you or they will need to use standard system or TAA functions
and/or write specific programs or queries.
A good tool for you to consider before the auditor arrives is
PRTSECAUD. It will print a variety of things you should consider.
Be sure you understand the option CHKSAMPWD (Check same password).
Other good tools are:
** AUDLOG - Allows a simpler approach to working with auditing
entries.
** SCNAUDLOG - Provides a scan of the entry data which is a
significant help when dealing with auditing entries.
** DSPSECRVW - Allows you to play with the user profiles such as
selecting all those with special authorities.
** DSPOBJAUD - Describes the object auditing for objects set by
CHGOBJAUD or the CRTOBJAUD function of CRT/CHGLIB.
** DSPUSRAUD - Describes the auditing of user profiles set by
CHGUSRAUD.
** CAPSECINF - Captures the major security values and allows you
to compare against a prior version.
** CHGUSRAUD2 - Similar to CHGUSRAUD, but prompts for the current
values which makes it easier to make a change.
** DSPAUDRCD - Displays the last audit entry for a specific user.
For a review of all of the audit tools in the TAA Productivity Tools
product, do
DSPTAACAT CATEGORY(*AUD)
For a review of all of the security tools in the TAA Productivity
Tools product, do
DSPTAACAT CATEGORY(*SEC)
For a review of all of the journaling tools in the TAA Productivity
Tools product, do
DSPTAACAT CATEGORY(*JRN)
Example of CPYAUDJRNE
---------------------
In some cases you may want a listing of a specific set of information
from designated Audit entry types.
The records stored in the TAA Audit Log file are effective when you
want basic information. If you are looking for some very specific
data and want comparisons of previous activity, there is a better
solution with the system command CPYAUDJRNE.
CPYAUDJRNE runs against the QAUDJRN journal which means that you may
have to keep the audit journal online for the period of time you are
interested in reviewing.
As an example of how to understand and use CPYAUDJRNE, assume that
you want to know when users were enabled or disabled.
The first step is to cause auditing for this function (the following
assumes you have set QAUDLVL to *AUDLVL2):
WRKSYSVAL QAUDLVL2
Add an entry for *SECCFG if it is not already there. This will cause
audit entries for any changes to user profiles as well as a few other
functions.
To ensure that you have some audit entries to review, issue the
following for some test user profile:
CHGUSRPRF USRPRF(xxx) STATUS(*DISABLED)
CHGUSRPRF USRPRF(xxx) STATUS(*ENABLED)
CHGUSRPRF USRPRF(xxx) STATUS(*DISABLED)
CHGUSRPRF USRPRF(xxx) PTYLMT(9)
You can display the Audit Journal to see the entries (use a current
date and a time when you started CHGUSRPRF).
DSPJRN JRN(QAUDJRN) FROMTIME(date time)
You should see the audit entries for:
Journal code T
Entry type CP
If you use Option 5 to display the details, you should see the entry
specific data with the changes you made. The data is just a string.
It is intended to be mapped onto a model file that contains the
fields for the CP Entry Type (Each Entry Type has a unique model
file).
If you are using the TAA AUDLOG tool, the detail display of an entry
allows the use of F6 to display the data. This is effective for a
single audit entry, but not if you want to review several entries (if
you want to see the entries you previously made, you will need to use
CVTAUDLOG to convert the journal into the data base file used by
AUDLOG).
To see the format without the AUDLOG tool, use the TAA Tool:
DSPJRNCDE
Position to the T Journal Code and rollup to the CP entry. Then use
Option 7 to display the 'T format'.
At the top of the display, you can see the model file name is
QASYCPJn and the format name is the same. (For the CD entries, the
model file is QASYCDJn). You can roll thru the fields to see that
the CPSTAT field will contain the status information that was
changed.
CPYAUDJRNE will create a file using this format.
You begin by using the command for a specific Journal Entry type (the
sub type is not used and only Audit entries - Journal Code = T are
converted by CPYAUDJRNE).
CPYAUDJRNE ENTTYP(CP) OUTFILE(xxx/QAUDIT)
JRNRCV(*CURCHAIN)
Using *CURCHAIN is important the first time you make a conversion
because this will search all receivers in the chain. If you are
going to periodically add to the file, you will want to use the
FROMTIME parameter for subsequent uses.
Note that CPYAUDJRNE supports the ability to add to a file using the
OUTMBR option. If you are going to analyze the data, you have to be
careful you don't copy entries that have already been copied or
replace those that you want to retain. It may be desirable to use
CPYF after CPYAUDJRNE to a more permanent file for review purposes.
CPYAUDJRNE appends the type to the file name. Thus the file name
that is created is QAUDITCP. (the file name for the CD entries would
b
You can display the data with the TAA command:
PRTDB FILE(xxx/QAUDITCP)
A sub file will be displayed of the fields in the format and you can
place an X in those you are interested in such as:
CPTSTP Timestamp of entry
CPUSER User profile that made the change
CPONAM User profile that was changed
CPPTYL Priority limit
CPSTAT Status
Press Enter and the selected fields move to the top of the display.
The 'Sel' field allows you to change the order, but assume you want
the same order to be listed as it appears in the subfile. By
default, the field names are used for the column headings. An option
exists to use the DDS column headings instead.
Note that if you are only interested in the changes to the status of
the profile, the change to the PTYLMT function will also appear. The
CP entry will also have changes for new, deleted, and restored
profiles.
Any Query can be used to process the QAUDITCP file. You may prefer
to do a select/sort by prompting for the TAA command:
SORTDBF
Enter the From file and a To file to write the records to. To select
the CPSTAT field not equal to blanks, enter
SELFLD((CPSTAT *NE *BLANKS))
and then a keyfield such as the user profile that was changed:
KEYFLD((CPONAM))
The final command would thus look like:
SORTDBF FROMFILE(xxx/QAUDITCP)
TOFILE(xxx/AUDITCP)
SELFLD((CPSTAT *NE *BLANKS))
KEYFLD((CPONAM))
The output file will have the selected sorted data.
You may use PRTDB again for the listing or you may need to write a
special program against the new file.
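
The same copy, select and sort can be run as one CL program using only system commands. This is an added example, not part of the original member. It substitutes OPNQRYF and CPYFRMQRYF for the TAA SORTDBF step, and &LIB is a hypothetical parameter naming the library that receives the AUDITCP result file.

```cl
/* Added example: list profile status changes from the CP entries.    */
/* &LIB is a hypothetical parameter: library for the result file.      */
PGM PARM(&LIB)
  DCL VAR(&LIB) TYPE(*CHAR) LEN(10)

  /* Copy every CP entry in the receiver chain to QTEMP/QAUDITCP       */
  /* (CPYAUDJRNE appends the entry type to the OUTFILE name).          */
  /* *REPLACE with *CURCHAIN rebuilds the file on each run, so no      */
  /* entry is copied twice. The receivers for the period of interest   */
  /* must still be online.                                             */
  CPYAUDJRNE ENTTYP(CP) OUTFILE(QTEMP/QAUDIT) +
               OUTMBR(*FIRST *REPLACE) JRNRCV(*CURCHAIN)

  /* Keep only the entries where the status was changed (CPSTAT not    */
  /* blank). This drops changes such as PTYLMT that also write a CP    */
  /* entry. Order by the changed profile, then by time.                */
  OPNQRYF FILE((QTEMP/QAUDITCP)) QRYSLT('CPSTAT *NE " "') +
            KEYFLD((CPONAM) (CPTSTP))

  /* Write the selected records to a permanent file for review.        */
  CPYFRMQRYF FROMOPNID(QAUDITCP) TOFILE(&LIB/AUDITCP) +
               MBROPT(*REPLACE) CRTFILE(*YES)
  CLOF OPNID(QAUDITCP)
ENDPGM
```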
Auditing *ALLOBJ users
----------------------
One of the concerns of any system is that there must be some number
of users who have *ALLOBJ special authority. You cannot prevent an
*ALLOBJ user from doing anything on the system, but you can audit
what they have done.
Of specific interest may be a question like 'What commands have they
entered?'.
The system supports the AUDLVL(*CMD) option to provide audit records
for commands entered by a user. Any commands run by sub-programs
also generate audit records. If *ALLOBJ users perform a lot of work,
this can generate a large number of audit records.
The TAA DSPAUDCMD function can assist you in reviewing these records.
It allows options to bypass the commands entered in sub-programs and
to review by a time period, by job, or by program.
If *ALLOBJ users are frequently signed on and perform a lot of work,
the number of audit records produced may be beyond anyone's
capability to review. A periodic audit that is unannounced may be an
effective method of checking.