Auditing Users with All-Object Authority

July 28, 2004 Hey, Wayne

I have found myself looking for a better way to meet our audit requirements and believe you can point me in the right direction.

For users with *ALLOBJ authority, I need to create an exit program that changes the job to log CL *YES and log their sign on date, time, user, and job number into a database file. On sign-off, I need to log the same information captured during sign on, to the same database file, and need to change LOG to *LIST and copy the spool file from QEZJOBLOG to an audit out queue.

–Mark

I understand that you want to track the actions of an *ALLOBJ user, Mark.  I am glad you wrote, because I think there is a better solution.

Have you investigated using the OS/400 audit journal to record the actions of *ALLOBJ users? I feel the audit journal is a superior solution for the following reasons.

• The audit journal cannot be modified, even by an *ALLOBJ user. Keeping job logs and database files allows users to delete spool files or modify database files. The audit journal is free from tampering, and even though, for example, the complete journal receiver could be deleted, there will be a record of it.

• The audit journal does not require any programming or modification of IBM commands.

• The audit journal a very efficient method of recording the information.

Let me take you through the steps to set up and turn on auditing for *ALLOBJ users.

STEP 1

First, you create the objects for the audit journal. Sign on as a user profile that has *ALLOBJ and *AUDIT special authorities. The easiest way is to use the security tools menu; GO SECTOOLS and select option 11, Create audit journal.

You will find a menu that asks you to specify two system values:

• QAUDLVL–*NONE

• QAUDCTL–*AUDLVL and possibly *NOQTEMP

The function creates the audit journal QAUDJRN and the journal receiver in a user library if they don’t already exist.

You may want to specify other settings in QAUDLVL, but I am attempting to do exactly what you described in your note.

STEP 2

Go to the user profiles that have *ALLOBJ authority and turn on auditing. Specify the following options:

• *CL–Record all CL commands issued by the user, including any CL commands in programs, as well as all batch and interactive jobs.

• *JOBDTA–Record job start information and other job-related changes.

Use the following command:

CHGUSRAUD     USRPRF(user-profile- name)  AUDLVL(*CMD *JOBDTA)  

Repeat Step 2 for each user profile and group profile members that have *ALLOBJ authority, and then you are done. Collection of data has already been activated. Now you probably want to look at the results of your labors. For that you simply extract the data from the audit journal. Again, I would use the security tools to get started. Use the command GO SECBATCH and select option 1 (audit journal). You will be prompted to enter codes for the audit journal reports you want. Enter the codes CD (CL commands) and JS (job start and other job-related actions).

You will get two nice reports with all of the CL commands entered by users and the job start/stop information for the *ALLOBJ users you are auditing.

I think you will find this option simpler to implement, because you can do it in less time than it would take you to read about managing the audit journal in the CL reference guide, and because you might want to eventually delete the audit journal receivers on a monthly basis.  The auditing I have described will not take up much space, so you can allow the journal receivers to build up for several months.

Try this and see if it meets your needs. You can get fancy and use the DSPJRN command to extract both the CD and JS commands into a single report, but it requires a little more work.

Have a secure life.

–Wayne O. Evans

Security articles authored by Wayne O. Evans can be found on his Web site, www.woevans.com. E-mail: woevans@itjungle.com