TAA Tools

The  Display User  Commands  command  displays  the audit  records  for
commands run by a user whose profile has been set to audit commands with
CHGUSRAUD AUDLVL(*CMD).  DSPUSRCMD is intended for use on critical
security profiles such as QSECOFR and QSRV to allow a review of the
commands that were entered.  The Journal Code T (Audit) records with an
Entry Type of CD (command was run) are processed using the CPYAUDJRNE
outfile.

You must have *ALLOBJ authority to use DSPUSRCMD.

If you have not already set up the QAUDJRN journal, see the tool
AUDITING for a discussion.

Assume you  want to  check the  commands entered  by  the QSECOFR  user
profile.  Begin by ensuring the audit level is set correctly.


Roll  to the  value  'Action  auditing values'.    It  should at  least
specify '*CMD'.  If not, enter the following:


After  some commands have been  entered by QSECOFR, you  may review the
commands with:


A listing  would be  displayed  of all  the  commands entered  for  all
existing journal entries in QAUDJRN.

The profile QSECOFR is used in several system jobs such as QSRVMON.
You can eliminate the commands run in specifically named jobs, or use
a generic name such as Q* to eliminate the system jobs as a group.
However, this would also hide the commands entered by a user who signed
on as QSECOFR and submitted a job with a name that began with Q.

Options also exist to:

  **   Process based on a start date/time and an end date/time.

  **   List the  commands run in CL  programs if called from  a command
       line  or  run via  a  command  processing program  (either  by a
       system or user command).

  **   Scan for the use  of a command such  as CRTUSRPRF whether it  is
       run on a command line or via a CL program.

Using a different Security Officer profile

Because the  system use  of QSECOFR  complicates the  use of  reviewing
commands, some  users may prefer to use  a separate profile when acting
as the Security Officer.

For example, you could create  the QSECOFR2 profile and cause  auditing

                          TEXT('Second security officer')


This would  allow  secure commands  to be  entered  using QSECOFR2  and
displayed with DSPUSRCMD.

You cannot set the QSECOFR password to *NONE.  However, you could
prevent the interactive use of QSECOFR.  You should not do this unless
you have another profile that can reset the QSECOFR profile if needed.
To prevent QSECOFR from signing on, enter:


While  this will  make  the use  of  DSPUSRCMD for  a  profile such  as
QSECOFR2  easier to review,  it is not  a perfect solution  to ensure a
check of all commands run as a Security Officer.

For  example,  there  may  be  pre-existing  programs  that  adopt  the
QSECOFR profile,  that run various functions.   There are  several such
programs  within  TAATOOL  and the  system  also  uses this  technique.
While TAATOOL  and system  functions offer  security control  of  these
types of functions, user written programs may not be so secure.

In  addition,  any  *ALLOBJ  user  can  bypass  many  of  the  security
checking functions provided by the system.

The use  of a second Security  Officer will not eliminate  the need for
good system security.

DSPUSRCMD escape messages you can monitor for

      TAA9892    The user profile is not specified to audit commands
      TAA9893    There were no audit records for the selection criteria

TAA9893  is sent either because the  use of CPYAUDJRNE found no records
(no  spooled file  will  exist)  or because  the  selection  processing
after  the use  of  CPYAUDJRNE did  not  find any  entries  to list  (a
spooled file will exist).

Escape messages from the based-on functions will be re-sent.

DSPUSRCMD Command parameters                          *CMD

   USRPRF        The  user  profile to  list  audit records  for.   The
                 user must  be specified  using CHGUSRAUD  AUDLVL(*CMD)
                 to create audit records for commands entered.

   FROMDATE      The  From date  and time  to  select journal  entries.
                 Both  values  default to  *FIRST for  the  first audit
                 entry found  in  QAUDJRN.   A  specific date  (in  job
                 format) or  the special value  *TODAY may  be entered.
                 A specific time in HHMMSS format may be entered.

   TODATE        The  To  date  and  time  to select  journal  entries.
                 Both  values  default  to  *LAST  for  the  last audit
                 entry found  in  QAUDJRN.   A  specific date  (in  job
                 format) or  the special  value *TODAY may  be entered.
                 A specific time in HHMMSS format may be entered.

   CLPGM         A  *YES/*NO value for whether the  commands run from a
                 CL program should  be listed.   The  CL program  could
                 be   called  directly   or   called   via  a   command
                 processing program from a system or user command.

                 *NO is the default to not list these commands.

                 *YES  may be  specified to  list  the commands.   Only
                 the object  name,  type,  and library  (not  the  full
                 command that was run) are listed.

   SCANVAL       The value  to be  scanned for  in either the  commands
                 that were  run from a  command line or  the object and
                 library  names  of the  commands run  in a  CL Program
                 (requires  CLPGM(*YES)).    For  example,  this  would
                 allow the  scanning for the  use of a command  such as
                 CRTUSRPRF or the keyword PASSWORD.

                 *NONE is the default meaning no scan occurs.

                 A  string of  up  to 20  bytes may  be entered.   Note
                 that scanning  the commands  run in  a  CL program  is
                 only effective on the command name and library.

                 Both the  SCANVAL and  the command  are translated  to
                 upper case before comparing.

   BYPJOB        A  list of up  to 300 job  names or generic  job names
                 that will be bypassed.

                 *NONE is the default  meaning all jobs are  processed.

                 When a user profile such as QSECOFR is used, the
                 system runs several jobs under this profile such as
                 QSRVMON.  Bypassing specific job names or a generic
                 name such as Q* can reduce the size of the listing,
                 but a job submitted by a QSECOFR user with a name
                 beginning with Q would also be bypassed.

                 See  the  previous  discussion  about  how  to  use  a
                 different profile for entering secure commands.

   OUTPUT        How to  output  the results.    *  is the  default  to
                 display the  spooled file  if the  command is  entered
                 interactively.   The spooled file  is deleted after it
                 is displayed.

                 If the  command  is  entered in  batch  or  *PRINT  is
                 specified, the  spooled file  is output and  retained.
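The options listed earlier (date/time range, CLPGM, SCANVAL, BYPJOB) and the parameter descriptions above are modelled here in a small Python program, written as an added example for this page; it is not part of the TAA tool and does not read a real CPYAUDJRNE outfile. The record layout, field names, and all sample entries are constructed for the example (they are not the column names of the QASYCDJ5 model file), and the generic-name matching follows the page's description of BYPJOB. The sample data includes a user-submitted job named QMYJOB, which shows the caveat the page gives about bypassing Q*.

```python
# Added example: a Python model of the selection DSPUSRCMD applies to
# T/CD (command run) audit entries.  Not the tool's own code; the record
# layout below is constructed and is NOT the QASYCDJ5 outfile layout.
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Sequence


@dataclass(frozen=True)
class CdEntry:
    """One CD audit entry as this example represents it (constructed)."""
    timestamp: datetime   # date/time the command was run
    user: str             # user profile the job ran under
    job: str              # job name
    from_clpgm: bool      # True if run inside a CL program (CLPGM option)
    command: str          # command string, or "OBJ *TYPE LIB" for CL program commands


def job_bypassed(job: str, bypjob: Sequence[str]) -> bool:
    """BYPJOB semantics: exact job names, or generic names ending in '*'
    (Q* matches every job name beginning with Q).  Names are compared in
    upper case, as job names are not case-sensitive."""
    j = job.upper()
    for pattern in bypjob:
        p = pattern.upper()
        if p.endswith("*"):
            if j.startswith(p[:-1]):
                return True
        elif j == p:
            return True
    return False


def select_commands(entries: Iterable[CdEntry], usrprf: str,
                    fromdate: Optional[datetime] = None,
                    todate: Optional[datetime] = None,
                    clpgm: bool = False,
                    scanval: Optional[str] = None,
                    bypjob: Sequence[str] = ()) -> List[CdEntry]:
    """Apply the USRPRF, FROMDATE/TODATE, CLPGM, SCANVAL and BYPJOB rules.
    clpgm=False corresponds to CLPGM(*NO); scanval None or '*NONE' means
    no scan.  Both SCANVAL and the command are upper-cased before comparing,
    and SCANVAL is limited to 20 bytes."""
    usr = usrprf.upper()
    scan = None if scanval in (None, "*NONE") else scanval.upper()[:20]
    selected: List[CdEntry] = []
    for e in entries:
        if e.user.upper() != usr:
            continue                                # not the audited profile
        if fromdate is not None and e.timestamp < fromdate:
            continue                                # before FROMDATE
        if todate is not None and e.timestamp > todate:
            continue                                # after TODATE
        if e.from_clpgm and not clpgm:
            continue                                # CLPGM(*NO) drops CL program commands
        if job_bypassed(e.job, bypjob):
            continue                                # BYPJOB
        if scan is not None and scan not in e.command.upper():
            continue                                # SCANVAL not found
        selected.append(e)
    return selected


# Constructed sample entries (not real audit data).
SAMPLE: List[CdEntry] = [
    CdEntry(datetime(2010, 7, 14, 23, 0, 0), "QSECOFR", "DSP01", False,
            "DLTUSRPRF USRPRF(OLDUSER)"),
    CdEntry(datetime(2010, 7, 15, 8, 0, 0), "QSECOFR", "QSRVMON", False,
            "WRKACTJOB"),                           # system job under QSECOFR
    CdEntry(datetime(2010, 7, 15, 8, 5, 0), "QSECOFR", "DSP01", False,
            "CRTUSRPRF USRPRF(NEWUSER) PASSWORD(xyz)"),
    CdEntry(datetime(2010, 7, 15, 8, 10, 0), "QSECOFR", "QMYJOB", False,
            "chgusrprf usrprf(newuser) password(abc)"),  # user-submitted job named Q...
    CdEntry(datetime(2010, 7, 15, 8, 15, 0), "QSECOFR", "DSP01", True,
            "SETUPPGM *PGM MYLIB"),                 # command run inside a CL program
    CdEntry(datetime(2010, 7, 15, 9, 0, 0), "QPGMR", "DSP02", False,
            "CRTUSRPRF USRPRF(OTHER)"),
]


def command_lines(entries: Iterable[CdEntry]) -> List[str]:
    """Format selected entries as listing lines."""
    return [f"{e.timestamp:%Y-%m-%d %H:%M:%S} {e.job:<10} {e.command}"
            for e in entries]


if __name__ == "__main__":
    # Equivalent of DSPUSRCMD USRPRF(QSECOFR) BYPJOB(Q*): note that the
    # CHGUSRPRF entered from job QMYJOB is hidden along with QSRVMON.
    for line in command_lines(select_commands(SAMPLE, "QSECOFR", bypjob=["Q*"])):
        print(line)
```

Running the block lists only the two DSP01 commands; the CHGUSRPRF from QMYJOB disappears because Q* matches it, which is why the page recommends bypassing specific job names or using a separate Security Officer profile rather than relying on a generic bypass.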


You must have *ALLOBJ authority to use DSPUSRCMD.

You must have the QAUDJRN operational.

The user profile specified must be set to at least AUDLVL(*CMD).


The following TAA Tools must be on your system:

     CHKALLOBJ       Check *ALLOBJ special authority
     CHKGENERC       Check generic
     CVTTIM          Convert time
     EDTVAR          Edit variable
     EXTLST          Extract list
     EXTLST2         Extract list 2
     RTVDAT          Retrieve date
     RTVSYSVAL3      Retrieve system value 3
     SCNVAR          Scan variable
     SNDCOMPMSG      Send completion message
     SNDESCINF       Send escape information
     SNDESCMSG       Send escape message
     SNDSTSMSG       Send status message
     TRNVAL          Translate value


None, the tool is ready to use.

Objects used by the tool

   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------

   DSPUSRCMD     *CMD                   TAASEIN       QATTCMD
   TAASEINC      *PGM       CLP         TAASEINC      QATTCL
   TAASEINP      *FILE      PF

The  TAASEINP file is  created by  duplicating the QASYCDJ5  model file
in QSYS.

Added to TAA Productivity tools July 15, 2010
