AUDITING        SYSTEM AUDITING                            TAAAUDA

 This is a documentation-only member to help you understand the basics of
 auditing on the system and some of the helpful TAA Tools.  It provides an
 overview and some simple examples of how to get started with auditing.

 There are  many  advanced functions  supported by  the  system and  TAA
 which are not discussed.

                    System Auditing Support
                    -----------------------

 Audit Journal
 -------------

 The system  provides for  the Audit Journal  QAUDJRN.  The  system will
 send  journal entries to the  journal based on what  you want to audit.
 The journal must be created in order to be used.

 The system provides  a simple command  (CHGSECAUD) to start  journaling
 and set the basic  system values, but to understand  the concepts it is
 better to issue the individual commands.

 Before  creating  QAUDJRN, you  must  first create  a  journal receiver
 such as:

             CRTJRNRCV  JRNRCV(xxx/AUD000001)
                          TEXT('QAUDJRN receiver')

 You should place the receiver in a library that is normally backed up on
 a daily basis such as QGPL (do not place it in QSYS).  Using a name that
 ends in digits, such as AUD000001, allows the system to generate the next
 name automatically on each IPL or with CHGJRN (see the JRNRCV(*GEN)
 option).  If AUD000001 is the current journal receiver, AUD000002 would
 be the next generated journal receiver name.

 Once  the  journal  receiver  is  created, you  can  create  the  Audit
 Journal.

            CRTJRN      JRN(QSYS/QAUDJRN)
                          JRNRCV(xxx/AUD000001)
                          TEXT('Audit Journal')

 The  QAUDJRN journal must be created in  library QSYS.  The default for
 MNGRCV is *SYSTEM  meaning the system will  automatically create a  new
 journal receiver at each IPL.
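 The two create steps above, written as a small CL program so they can be
 rerun safely.  This is an added example and not part of the TAA
 documentation member or the TAA Tools; the receiver library QGPL and the
 first receiver name AUD000001 are assumptions from the text above, and
 CHKOBJ with MONMSG on CPF9801 (object not found) is used so that an
 existing receiver or journal is left alone instead of causing an error.

```cl
/* Added example (not TAA code): create the QAUDJRN receiver and     */
/* journal only if they do not already exist.  Library QGPL and the  */
/* receiver name AUD000001 are assumptions; substitute your own.     */
             PGM

             /* The receiver must exist before CRTJRN can attach it. */
             CHKOBJ     OBJ(QGPL/AUD000001) OBJTYPE(*JRNRCV)
             MONMSG     MSGID(CPF9801) EXEC(DO)     /* not found */
               CRTJRNRCV  JRNRCV(QGPL/AUD000001) +
                            TEXT('QAUDJRN receiver')
             ENDDO

             /* The audit journal must be QSYS/QAUDJRN.              */
             /* MNGRCV(*SYSTEM) lets the system attach a new         */
             /* receiver at each IPL; DLTRCV(*NO) keeps detached     */
             /* receivers until an operator saves and deletes them.  */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)     /* not found */
               CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUD000001) +
                            MNGRCV(*SYSTEM) DLTRCV(*NO) +
                            TEXT('Audit Journal')
             ENDDO

             ENDPGM
```

 The program does not handle the case where AUD000001 exists but is
 already attached to a different journal; CRTJRN would then fail with its
 own escape message, which is the correct outcome.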

 You must manage the  deletion of old receivers when  required.  You can
 use WRKJRNA:


            WRKJRNA     JRN(QAUDJRN)

 **********************************************************************
 *                                                                    *
 *                   Work with Journal Attributes                     *
 *                                                                    *
 *  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
 *                                                                    *
 *  Attached receiver  . :   AUD000005       Library  . . . . . . :   *
 *                                                                    *
 *  Text . . . . . . . . :   Audit journal                            *
 *                                                                    *
 *  ASP  . . . . . . . . :   1               Journaled objects:       *
 *  Message queue  . . . :   QSYSOPR           Current  . . . . . :   *
 *    Library  . . . . . :     *LIBL           Maximum  . . . . . :   *
 *  Manage receivers . . :   *SYSTEM         Recovery count . . . :   *
 *  Delete receivers . . :   *NO             Receiver size options:   *
 *  Journal cache  . . . :   *NO                                      *
 *  Manage delay . . . . :   10                                       *
 *  Delete delay . . . . :   10                                       *
 *  Journal type . . . . :   *LOCAL                                   *
 *  Journal state  . . . :   *ACTIVE                                  *
 *  Minimize entry data  :   *NONE                                    *
 *                                                                    *
 *  F3=Exit   F5=Refresh   F12=Cancel   F17=Display attached receiver *
 *  F19=Display journaled objects       F24=More keys                 *
 *                                                                    *
 **********************************************************************

 Press F24  to see more command keys.  The  command key lines would then
 appear as:

 **********************************************************************

 *  F13=Display journaled files        F14=Display journaled access p *
 *  F15=Work with receiver directory   F24=More keys                  *

 **********************************************************************

 Use F15 to see the list of attached receivers.

 After using F15, a display appears such as:

 **********************************************************************
 *                                                                    *
 *                    Work with Receiver Directory                    *
 *                                                                    *
 *  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
 *                                                                    *
 *  Total size of receivers (in kilobytes)  . . . . . . . . . . . :   *
 *                                                                    *
 *  Type options, press Enter.                                        *
 *    4=Delete   8=Display attributes                                 *
 *                                       Attach                       *
 *  Opt  Receiver    Library     Number  Date      Status             *
 *   _   AUD000001   QGPL        00001   12/16/09  SAVED              *
 *   _   AUD000002   QGPL        00002   12/16/09  SAVED              *
 *   _   AUD000003   QGPL        00003   12/16/09  SAVED              *
 *   _   AUD000004   QGPL        00004   12/16/09  ONLINE             *
 *   _   AUD000005   QGPL        00005   12/17/09  ATTACHED           *
 *                                                                    *
 *  Parameters or command                                             *
 *  ===> ___________________________________________________________  *
 *  F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve   F11=Display size *
 *  F12=Cancel                                                        *
 *                                                                    *
 **********************************************************************

 A delete  option exists  from the  display.   An  inquiry message  will
 appear if you  attempt to delete a  journal receiver that has  not been
 saved.  You cannot delete the currently attached receiver.

 Authorizations to the *JRN and *JRNRCV objects
 ----------------------------------------------

 To  allow a  user profile  like QSYSOPR  to be  able  to use  CHGJRN to
 create  the  next journal  receiver  and to  delete  journal receivers,
 enter:

           GRTOBJAUT   OBJ(QAUDJRN) OBJTYPE(*JRN) USER(QSYSOPR)
                         AUT(*OBJOPR *OBJMGT *UPD)
           GRTOBJAUT   OBJ(AUD000001) OBJTYPE(*JRNRCV) USER(QSYSOPR)
                         AUT(*ALL)

 Note  that this  is  authority  to  the journal  object  and  does  not
 provide *ALLOBJ authority.

 When either  the CRTJRN MNGRCV(*SYSTEM) or  CHGJRN JRNRCV(*GEN) options
 are  used, the system will  generate the new  journal receiver with the
 same authorities as the previous journal receiver.

 You should avoid  giving *ALL authority  to an operator  for a  journal
 object as this will allow the user to display some journal entries.

 System Values
 -------------

 The  system will  cause some  journal entries  to occur  automatically,
 but  most  of the  audit entries  are  optional and  are  controlled by
 system values and commands.

 The system values may  be locked by  SST/DST.  If so,  they need to  be
 unlocked before making changes.

   **   QAUDCTL (Audit  Control).  This  is a  'list type' which  allows
        multiple entries.   You can read the details  of each option but
        a typical set of entries would include:

          --   *AUDLVL  -  Allows the  system  value QAUDLVL  to control
               what is audited.

          --   *OBJAUD  -  Allows  audit  entries  to  occur  for  those
               objects specified by the CHGOBJAUD command.

          --   *NOQTEMP  - Avoids  auditing actions  against objects  in
               QTEMP  which most  users  would consider  excess overhead
               and non-informative.

        You can  change the  QAUDCTL system  value  with CHGSECAUD,  but
        you  should  be  familiar  with   using  the  WRKSYSVAL  command
        directly.

              WRKSYSVAL   SYSVAL(QAUDCTL)

        Use  Option 2 to change  and enter the  values *AUDLVL, *OBJAUD,
        and *NOQTEMP.

        Press Enter  and then  use  Option 5  to  display.   The  values
        should appear as:

                            *AUDLVL
                            *OBJAUD
                            *NOQTEMP

   **   QAUDLVL  and QAUDLVL2.    These are  'list  type' system  values
        which  allow multiple  entries.   The system  originally shipped
        QAUDLVL,  but there was  room for only 16  options so the system
        added QAUDLVL2 with room for  99 options.  It is  recommended to
        set QAUDLVL  to *AUDLVL2  and use the  QAUDLVL2 system  value to
        control auditing.

        You  can   change  the  system  values  with  CHGSECAUD  or  use
        WRKSYSVAL:

              WRKSYSVAL   SYSVAL(QAUDLVL)

        Use Option 2 to change and enter the value *AUDLVL2.

        Press Enter  and  then  use Option  5  to display.    The  value
        should appear as:

                            *AUDLVL2

        The QAUDLVL2  system value will  allow you to  specify different
        kinds  of  options  which  will  cause  journal  entries  to  be
        written.  In  general, it is  very easy to journal  too much  so
        it is  best  to begin  with the  basics until  you get  familiar
        with the process.

        The  minimum you should  consider is  *AUTFAIL which  will cause
        an audit entry when a security violation occurs.

        Use WRKSYSVAL:

              WRKSYSVAL   SYSVAL(QAUDLVL2)

        Use Option 2 to change and enter the value *AUTFAIL.

        Press  Enter  and  then use  Option  5  to display.    The value
        should appear as:

                            *AUTFAIL

 To force  an  audit failure  journal  entry, signon  as  a normal  user
 (without *SECADM special authority) and enter:

            CHGUSRPRF    USRPRF(QSECOFR)

 You should  see a message  that *SECADM is  required.  This  error will
 cause  an auditing  entry if  you requested  *AUTFAIL for  the QAUDLVL2
 system value.

   **   QCRTOBJAUD.  This  important system  value is  discussed in  the
        next section.
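 The three system value changes described above, done with CHGSYSVAL from
 a CL program and then read back with RTVSYSVAL to confirm the result.
 This is an added example, not part of the TAA documentation member or
 the TAA Tools.  The return variable lengths (100 for QAUDCTL, 990 for
 QAUDLVL2, i.e. 99 ten-character entries) are assumptions; if the system
 values are locked by SST/DST, the CHGSYSVAL commands fail and the program
 ends with that escape message.

```cl
/* Added example (not TAA code): set the basic auditing system       */
/* values and display what the system now holds.  Return variable    */
/* lengths are assumed: QAUDCTL 100, QAUDLVL2 990.                   */
             PGM
             DCL        VAR(&AUDCTL)  TYPE(*CHAR) LEN(100)
             DCL        VAR(&AUDLVL2) TYPE(*CHAR) LEN(990)

             /* QAUDCTL: honour QAUDLVL/QAUDLVL2 (*AUDLVL), honour    */
             /* CHGOBJAUD settings (*OBJAUD) and skip QTEMP objects. */
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

             /* Defer QAUDLVL to QAUDLVL2, then start with the        */
             /* minimum: authority failures only.                    */
             CHGSYSVAL  SYSVAL(QAUDLVL)  VALUE('*AUDLVL2')
             CHGSYSVAL  SYSVAL(QAUDLVL2) VALUE('*AUTFAIL')

             /* Read the values back rather than trusting the change */
             RTVSYSVAL  SYSVAL(QAUDCTL)  RTNVAR(&AUDCTL)
             RTVSYSVAL  SYSVAL(QAUDLVL2) RTNVAR(&AUDLVL2)
             SNDPGMMSG  MSG('QAUDCTL  = ' *CAT %SST(&AUDCTL 1 30))
             SNDPGMMSG  MSG('QAUDLVL2 = ' *CAT %SST(&AUDLVL2 1 30))

             ENDPGM
```

 After running it, the forced failure described above (CHGUSRPRF on
 QSECOFR from a profile without *SECADM) should produce a T/AF entry in
 QAUDJRN.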

 Auditing Specific Objects or Users
 ----------------------------------

 Causing a  journal entry  for auditing  is also  called 'logging'.   If
 you  want to  log various  occurrences,  there are  a few  commands you
 should become familiar with:

      - CHGOBJAUD - Change Object Auditing
                      Controls logging of events on individual objects

      - CHGAUD    - Change auditing
                      Similar to CHGOBJAUD, but typically used to log
                        events to IFS objects such as stream files

      - CHGUSRAUD - Change User Auditing
                      Controls logging of events by individual users

 The CHGOBJAUD OBJAUD  (object auditing value)  parameter describes  the
 type of  logging required  for a  specific object  (the same  parameter
 exists on CHGAUD).  You have a choice of *ALL, *CHANGE, or *USRPRF.

   **   *ALL means any read or change activity.

   **   *CHANGE  means  either  the  data  was  changed  or  one  of  the
        attributes of the object was changed.

   **   *USRPRF is described later.

 Note  that using  CHGOBJAUD by  itself may  not cause a  journal entry.
 There are a  set of complex  rules, but typical  auditing of an  object
 requires the system value QAUDCTL to be set for *OBJAUD.

 If you  want to  log any read  or change activity  to the  PAYROLL file
 regardless of the user, you would specify:

          CHGOBJAUD   OBJ(PAYROLL) OBJTYPE(*FILE) OBJAUD(*ALL)

 If you want to log just the change activity, you would specify:

          CHGOBJAUD   OBJ(PAYROLL) OBJTYPE(*FILE) OBJAUD(*CHANGE)

 CHGOBJAUD  will allow you to  set or reset the  auditing value for one,
 generic, or all objects in a library, by library list, etc.

 The other OBJAUD option  is *USRPRF and  works in conjunction with  the
 CHGUSRAUD command.   The *USRPRF option  requests to log  activity only
 when  a  user  profile  that has  been  set  by  the CHGUSRAUD  command
 performs an action.   CHGUSRAUD also provides  for an OBJAUD  parameter
 that determines the type of activity that will cause logging.

 For example,  if you want to  log any change  activity by USER1  to the
 PAYROLL file, you would specify:

          CHGOBJAUD   OBJ(PAYROLL) OBJTYPE(*FILE) OBJAUD(*USRPRF)
          CHGUSRAUD   USRPRF(USER1) OBJAUD(*CHANGE)

 Note  that  you  cannot cause  different  logging  for  a user  profile
 depending  on the object.   It must  be either *CHANGE  or *ALL for all
 objects that specify OBJAUD(*USRPRF).

 The  other  use  of  CHGUSRAUD  is  to  log  specified  actions  for  a
 particular user.   For example, if you want to log  all commands run by
 the QSECOFR profile, you would enter:

               CHGUSRAUD   USRPRF(QSECOFR) AUDLVL(*CMD)

 Specifying  *CMD will log not only  the commands entered interactively,
 but also those  in any CL  programs.  It  can cause  a lot of  logging.
 See  the later  discussion of  'Auditing  *ALLOBJ users'  for some  TAA
 command help.

 If  you review  the help text  for the  AUDLVL parameter, you  will see
 many of the  same options  that are  available for  the QAUDLVL  system
 value.  If  you had already specified  an option such as  *SECURITY for
 the QAUDLVL  system value, you don't need to  specify it with CHGUSRAUD
 for a specific user.

 CHGUSRAUD  will allow  you to  set the auditing  value for  one or more
 users.

 Another method of causing auditing  of objects is to use  the CRTOBJAUD
 parameter   on  CRTLIB   or  CHGLIB.     The   companion   commands  of
 CRTDIR/MKDIR  can be  used in a  similar manner  to set  auditing for a
 directory.  You  can request  the same  values for an  object of  *ALL,
 *CHANGE, or *USRPRF.   Once you make a change,  any new objects created
 in  the library  (or directory)  will  automatically have  their OBJAUD
 value set as per the library level value.

 The default  on  CRTLIB/CRTDIR/MKDIR  for the  CRTOBJAUD  parameter  is
 *SYSVAL which  refers  to the  system value  QCRTOBJAUD.   This can  be
 used to set the value for all new libraries.

 The  important thing  to note is  that setting  the library  level does
 not affect existing objects.

 You  can determine  the object  auditing value  for an object  by using
 DSPOBJD.  Display the full attributes and use rollup.

 You can  determine the  auditing information  for a  user profile  with
 DSPUSRPRF and several rollup requests.
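 The *USRPRF pairing of CHGOBJAUD and CHGUSRAUD described above, as a CL
 program that takes the library and user as parameters and verifies the
 object auditing value before finishing.  This is an added example, not
 part of the TAA documentation member or the TAA Tools.  The use of the
 RTVOBJD OBJAUDVAL return variable for the check, and the PAYROLL file
 name, are assumptions; QAUDCTL must already contain *OBJAUD for these
 settings to produce entries.

```cl
/* Added example (not TAA code): log change activity against PAYROLL */
/* only when it is performed by one audited user.  RTVOBJD OBJAUDVAL */
/* is assumed to return the object auditing value ('*USRPRF' here).  */
             PGM        PARM(&LIB &USER)
             DCL        VAR(&LIB)    TYPE(*CHAR) LEN(10)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&AUDVAL) TYPE(*CHAR) LEN(10)

             /* Object side: entries only for users set by CHGUSRAUD */
             CHGOBJAUD  OBJ(&LIB/PAYROLL) OBJTYPE(*FILE) OBJAUD(*USRPRF)

             /* User side: *CHANGE applies to every *USRPRF object   */
             /* this user touches; it cannot vary per object.        */
             /* AUDLVL is left at *SAME to avoid the volume of *CMD. */
             CHGUSRAUD  USRPRF(&USER) OBJAUD(*CHANGE)

             /* Confirm the object value actually changed */
             RTVOBJD    OBJ(&LIB/PAYROLL) OBJTYPE(*FILE) +
                          OBJAUDVAL(&AUDVAL)
             IF         COND(&AUDVAL *NE '*USRPRF') THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                            MSGDTA('PAYROLL object auditing is' +
                                   *BCAT &AUDVAL) +
                            MSGTYPE(*ESCAPE)
             ENDDO

             ENDPGM
```

 Because the library level (CRTOBJAUD on CRTLIB/CHGLIB) does not affect
 existing objects, an explicit CHGOBJAUD like this one is still needed
 for files that were created before the library value was set.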

 IFS Objects
 -----------

 IFS objects  (or library objects) can  be set to start  auditing by use
 of  the CHGAUD command  as described previously.   The  audit value may
 be seen by using  WRKLNK and Option 8.   RTVIFSED2 retrieves the  value
 and DSPIFSED  also displays  the value.   A  special command  DSPIFSAUD
 may be used.  CVTIFS also has the value in the IFAUDT field.


 Audit Entries
 -------------

 Any  logging that occurs creates  a journal entry.   The system command
 that displays the journal entries is DSPJRN:


           DSPJRN       JRN(QAUDJRN)

 **********************************************************************
 *                                                                    *
 *                     Display Journal Entries                        *
 *                                                                    *
 *  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
 *  Largest sequence number on this screen  . . . . . . : 00000000006 *
 *  Type options, press Enter.                                        *
 *    5=Display entire entry                                          *
 *                                                                    *
 *  Opt    Sequence  Code  Type  Object      Library     Job          *
 *   _            1   J     PR                           SCPF         *
 *   _            2   T     AF                           QYPSJSVR     *
 *   _            3   T     AF                           QYPSJSVR     *
 *   _            4   T     ZC                           DSP01        *
 *   _            5   T     ZC                           DSP01        *
 *   _            6   T     ZC                           DSP01        *
 *                                                                    *
 *  F3=Exit   F12=Cancel                                              *
 *                                                                    *
 **********************************************************************

 DSPJRN is a complex command with  lots of options and can be  difficult
 to work with.  The  basic use of the command just  displays the entries
 as they exist in the current journal receiver.

 Each journal  entry is assigned  a 'code', a  'type', and a  'sub type'
 based  on the condition.  A code of 'J'  means it is an entry caused by
 an operation on a journal or journal receiver.

 The typical code  that you will want  to look at  is the 'T' value  for
 auditing  entries.   A type  of 'AF'  indicates an  'authority failure'
 such as  where a user has attempted to  display a secure library.  Type
 ZC indicates an object change.

 Option 5 from  the DSPJRN  display will  let you see  the entire  entry
 which is a string of data.  This can be difficult to interpret.

 **********************************************************************
 *                                                                    *
 *                     Display Journal Entry                          *
 *                                                                    *
 *  Object . . . . . . . :                   Library  . . . . . . :   *
 *  Member . . . . . . . :                                            *
 *  Incomplete data  . . :   No              Minimized entry data :   *
 *  Sequence . . . . . . :   5                                        *
 *  Code . . . . . . . . :   T  - Audit trail entry                   *
 *  Type . . . . . . . . :   ZC - Object change access                *
 *                                                                    *
 *              Entry specific data                                   *
 *  Column      *...+....1....+....2....+....3....+....4....+....5    *
 *  00001      'CAUDLOGP   AUDLOG    *FILE      AUDLOGP           '   *
 *  00051      '                                                  '   *
 *  00101      '                                                  '   *
 *  00151      '                                                  '   *
 *  00201      '                                                  '   *
 *  00251      '                                                  '   *
 *  00301      '                                                  '   *
 *                                                                    *
 *  Press Enter to continue.                                          *
 *                                                                    *
 *  F3=Exit   F6=Display only entry specific data                     *
 *  F10=Display only entry details   F12=Cancel   F24=More keys       *
 *                                                                    *
 **********************************************************************

 An option (F10)  from the detail display  will let you see  the details
 of the job that caused the entry.

 **********************************************************************
 *                                                                    *
 *                          Display Journal Entry Details             *
 *                                                                    *
 *  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
 *                                                                    *
 *  Sequence . . . . . . :   5                                        *
 *  Code . . . . . . . . :   T  - Audit trail entry                   *
 *  Type . . . . . . . . :   ZC - Object change access                *
 *                                                                    *
 *  Object . . . . . . . :                                            *
 *    Type . . . . . . . :                                            *
 *  Date . . . . . . . . :   12/17/09                                 *
 *  Time . . . . . . . . :   14:56:57                                 *
 *  Flag . . . . . . . . :   0                                        *
 *  Count/RRN  . . . . . :   0                                        *
 *  Commit cycle ID  . . :   0                                        *
 *  Nested commit level  :   0                                        *
 *  Job  . . . . . . . . :   001338/QPGMR/DSP01                       *
 *  User profile . . . . :   QPGMR                                    *
 *  Ignore APY/RMV . . . :   No                                       *
 *  Ref constraint . . . :   No                                       *
 *                                                                    *
 *  F3=Exit   F10=Display entry   F12=Cancel   F14=Display previous e *
 *  F15=Display only entry specific data                              *
 *                                                                    *
 **********************************************************************

 The  system supports  a command  to copy  the audit  entries to  a data
 base file:

               CPYAUDJRNE  (added in V5R4)

 By default, the  journal code T  and entry type AF  entries are  copied
 to the QAUDITAF  file in QTEMP.  The  file may then be queried  such as
 with the RUNQRY command:

               RUNQRY       QRY(*NONE) QRYFILE(QAUDITAF)

 There  is also  a command  that will  display  the entries,  but should
 only be used for simple requirements.

               DSPAUDJRNE   ENTTYP(AF) OUTPUT(*)

 This would display the authority failures.

 CPYAUDJRNE  may  also be  used to  help  review different  detail audit
 entries.  See the later section on 'Example of CPYAUDJRNE'.

 Other comments
 --------------

 An important  aspect about the  Audit Journal (or  any *JRN object)  is
 that  it is  a very  secure object.   You  cannot change  or  delete an
 entry.

 But  you do have  to manage the  journal receivers.  You  can save them
 to offline storage before  deleting them if there  is a requirement  to
 be able to review past history.

 You  can  write your  own  entries  to  the  journal with  the  SNDJRNE
 command.

                        TAA Support
                        -----------

 Audit Log
 ---------

 Because  the DSPJRN  and DSPAUDJRNE commands  are not  necessarily easy
 to work with, TAA  provides the AUDLOG tool  to assist.  This  requires
 that the  journal entries be  converted to data  base files where  they
 can be manipulated more easily.

 You begin by creating the AUDLOG data base files such as:

               CRTAUDLOG   AUDLOGLIB(xxx) ENTDTALEN(200)

 Any  library  may be  used.    The AUDLOGP  physical  file and  several
 logical  files will be created.   The ENTDTALEN parameter describes the
 length of  the field  for the entry  data.   You may  describe a  field
 length of 102 to  1000.  This is a fixed length  field.  The longer the
 field,  the larger  the required  space for each  entry in  the AUDLOGP
 file.  The minimum of  102 will not let you  see all of the entry  data
 for some journal entries (the remainder would be truncated).

 It is  possible to start with  an entry of  200 and change to  a longer
 or  shorter  length.    You  would  have  to  use  DLTAUDLOG  and  then
 CRTAUDLOG again.

 To get the  journal entries  out of the  QAUDJRN journal  and into  the
 TAA files,  you  must perform  a conversion.   This  can be  done on  a
 periodic basis or when you need to such as:

               CVTAUDLOG

 The  command is  smart enough to  know what  entries have  already been
 converted  so  it will  just convert  the new  ones.   There is  also a
 separate tool CVTAUDLOG3 which  will allow a conversion as  the entries
 occur.    This requires  more  overhead,  but  allows DSPAUDLOG  to  be
 usable  without a  prior conversion  step.   CVTAUDLOG3 also  allows an
 option that  will  send a  message if  a  specific journal  entry  type
 occurs.

 Once  the  entries  are  converted,  you  can  display  them  with  the
 DSPAUDLOG command:

               DSPAUDLOG

 **********************************************************************
 *                                                                    *
 *                          Audit Log                                 *
 *                                                              12/17 *
 *  Pos to System:   TAASYS13    Date - YYMMDD:  091217    Time  0000 *
 *                                                                    *
 *  Type options, press Enter.                        AUDLOGP library *
 *     5=Display abbreviated entry    7=Display full entry            *
 *                                                                    *
 *  Opt  System       Date       Time   Cde  Ent  Sub  User           *
 *   _   TAASYS13  12/17/09    0:04:17   J   IN        *NONE          *
 *   _   TAASYS13  12/17/09    0:05:21   J   NR        QSYS           *
 *   _   TAASYS13  12/17/09    0:05:21   J   PR        QSYS           *
 *   _   TAASYS13  12/17/09    0:07:51   T   AF    A   QYPSJSVR       *
 *   _   TAASYS13  12/17/09    0:08:04   T   AF    A   QYPSJSVR       *
 *   _   TAASYS13  12/17/09    9:57:16   T   ZC    C   QPGMR          *
 *   _   TAASYS13  12/17/09    9:57:17   T   ZC    C   QPGMR          *
 *                                                                    *
 *  F3=Exit    F6=PRTAUDLOG    F9=Change -Pos To- order    F12=Cancel *
 *  F17=Code descriptions                                             *
 *                                                                    *
 **********************************************************************

 DSPAUDLOG  provides a  subfile  display of  the entries.    The default
 display occurs in 'date' order.

 You can use F9 to change the order to display by job, or user, etc.

 After entering F9, you would see the following:

 **********************************************************************
 *                                                                    *
 *                  Audit Log - Change -Position To Order             *
 *                                                                    *
 *  The access path in use is in order by *DATE                       *
 *                                                                    *
 *  New order   ________                                              *
 *                                                                    *
 *  Description                                                       *
 *                                                                    *
 *     *DATE        By System, Date, Time                             *
 *     *CODE        By System, Code, Entry Type, Date, Time           *
 *     *USER        By System, User, Date, Time                       *
 *     *JOB         By System, Job, Date, Time                        *
 *     *CODESUB     By System, Code, Entry Type, Sub Type, Date, Time *
 *                                                                    *
 *  F12=Cancel                                                        *
 *                                                                    *
 **********************************************************************

 You can use  the input  fields at  the top  of the  subfile display  to
 position to an entry.

 Option 5  from  the subfile  display lets  you  see the  details of  an
 entry.   This is a simpler  display to review than  the DSPJRN version,
 but the entry data can still be confusing.

 **********************************************************************
 *                                                                    *
 *                Audit Log - Detail Record Display                   *
 *                                                           12/17/09 *
 *  Entry date and time . . :   12/17/09  at  9:57:16                 *
 *  Journal code  . . . . . :   T  =  Audit                           *
 *  Entry type  . . . . . . :   ZC       Sub entry type = C           *
 *  Entry type/subtype text :   Change of an object                   *
 *  User  . . . . . . . . . :   QPGMR                                 *
 *  Qualified job name  . . :   DSP01        QPGMR        001316      *
 *  System name . . . . . . :   TAASYS13                              *
 *  Journal sequence number :            4                            *
 *  Program causing entry . :   TAASEDSR2                             *
 *  Object/Library/Member . :                                         *
 *  Data length . . . . . . :      689                                *
 *  Entry data  . . . . . . :   CAUDLOGP   AUDLIB    *FILE      AUDLO *
 *                                                                    *
 *  F3=Exit     F6=DSPDBFDTA     F12=Cancel      Press Enter to conti *
 *                                                                    *
 **********************************************************************

 Each  journal entry code and  type supported by the  system has a model
 data base  file  in QSYS.    The  F6 option  takes  the data  from  the
 journal entry  and maps it onto  the model file  definition provided by
 the  system.   This is not  a perfect  solution, but  does help explain
 the entry.

 After using F6, you would see:

 **********************************************************************
 *                                                                    *
 *               TAA Display DBF Data       File:  QSYS/QASYZCJ4      *
 *    Text:  Outfile for journal entry type ZC             12/17/09   *
 *  Type options, press Enter.        Format:   QASYZCJ4    Record im *
 *     5=Display                                                      *
 *          C - Change of an object                                   *
 *  Opt  Field text description                     Value             *
 *       Name of object                             AUDLOGP           *
 *       Library name                               AUDLIB            *
 *       Object type                                *FILE             *
 *       Type of access                             30                *
 *       Object data                                AUDLOGP           *
 *       Not used                                                     *
 *       Object name length                         0                 *
 *       Object name CCSID                          0                 *
 *       Object name region ID                                        *
 *       Object name language ID                                      *
 *       Not used                                                     *
 *       Parent directory file ID                                     *
 *       Object file ID                                               *
 *       Object name                                                  *
 *                                                                    *
 *  F3=Exit    F12=Cancel                                             *
 *                                                                    *
 **********************************************************************

 There is also  a PRTAUDLOG command  which can be  used to list  entries
 such as:

          PRTAUDLOG    JRNCDE((T AF))

 An alternative  to DSPAUDLOG  and PRTAUDLOG  is the  SCNAUDLOG command.
 SCNAUDLOG  allows normal  type  of selection  for such  fields  as job,
 date, time,  user,  etc, but  also  allows a  scan  of the  entry  data
 field.

 Most of  the 'T' audit  entries do not  update the object  data portion
 of  a journal  entry.   Instead, the  object name  is within  the entry
 data.   Consequently, you  cannot use DSPJRN,  CPYAUDJRNE, or DSPAUDLOG
 to find the entries that  were caused by use or change of  a particular
 object.   If you  were auditing  any changes to  the PAYROLL  file, you
 could enter:

         SCNAUDLOG  SEARCH(PAYROLL)

 and  see all the  entries that had  the value PAYROLL  within the entry
 data.  By default, a display  appears that is similar to the  DSPAUDLOG
 display.  A print option also exists.

 While the AUDLOG tool  makes it easier to work  with the audit entries,
 it is  not as safe as  the journal.  Because data  base files are used,
 it is possible to change an  entry.  You should minimize this  exposure
 by limiting the number of users who can change the file.

 You can also log any changes to the AUDLOGP file by specifying:

              CHGOBJAUD   OBJ(AUDLOGP) OBJTYPE(*FILE) OBJAUD(*CHANGE)

 When CHGOBJAUD is  used, an entry is created  with a code of 'T'  and a
 type of  'AD'.  When CVTAUDLOG is  run, there will be an  entry of code
 'T'  with a type  of 'ZC'.  If  you display the  details of this entry,
 it will tell  you the  program TAASEDSR2 in  TAATOOL (the program  used
 by CVTAUDLOG) made the change.

 You could use SCNAUDLOG to find the entries such as:

         SCNAUDLOG  SEARCH(AUDLOGP)

 This  may  help  convince  an  auditor  that  the  AUDLOGP  is  a  true
 representation of the QAUDJRN journal.

 To delete old audit log entries that are no longer needed, use:

          MTNAUDLOG   RTNDAYS(30)

 This will delete any entries that are older than 30 days.

 Getting ready for an audit
 --------------------------

 No two auditors will want the same information to perform an audit.
 Either you or they  will need to use standard  system or TAA functions
 and/or write specific programs or queries.

 A  good  tool  for  you  to consider  before  the  auditor  arrives  is
 PRTSECAUD.   It  will print  a variety of  things you  should consider.
 Be sure you understand the option CHKSAMPWD (Check same password).

 Other good tools are:

   **   AUDLOG -  Allows a  simpler approach  to working  with  auditing
        entries.

   **   SCNAUDLOG  - Provides  a  scan  of the  entry  data which  is  a
        significant help when dealing with auditing entries.

   **   DSPSECRVW -  Allows you to  play with the user  profiles such as
        selecting all those with special authorities.

   **   DSPOBJAUD  - Describes  the object  auditing for  objects set by
        CHGOBJAUD or the CRTOBJAUD function of CRT/CHGLIB.

   **   DSPUSRAUD -  Describes  the auditing  of  user profiles  set  by
        CHGUSRAUD.

   **   CAPSECINF -  Captures the major  security values and  allows you
        to compare against a prior version.

   **   CHGUSRAUD2  - Similar to CHGUSRAUD, but  prompts for the current
        values which makes it easier to make a change.

   **   DSPAUDRCD - Displays the last  audit entry for a specific  user.

 For a review  of all of the  audit tools in the  TAA Productivity Tools
 product, do

         DSPTAACAT CATEGORY(*AUD)

 For  a review  of all  of the  security tools  in the  TAA Productivity
 Tools product, do

         DSPTAACAT CATEGORY(*SEC)

 For a review  of all of  the journaling tools  in the TAA  Productivity
 Tools product, do

         DSPTAACAT CATEGORY(*JRN)

 Example of CPYAUDJRNE
 ---------------------

 In some cases you may  want a listing of a specific  set of information
 from designated Audit entry types.

 The records  stored in the  TAA Audit Log  file are effective  when you
 want  basic information.   If  you are  looking for some  very specific
 data and  want  comparisons of  previous activity,  there  is a  better
 solution with the system command CPYAUDJRNE.

 CPYAUDJRNE runs  against the QAUDJRN  journal which means that  you may
 have  to keep the audit journal  online for the period  of time you are
 interested in reviewing.

 As an  example of how  to understand  and use  CPYAUDJRNE, assume  that
 you want to know when users were enabled or disabled.

 The first  step is to cause  auditing for this function  (the following
 assumes you have set QAUDLVL to *AUDLVL2):

              WRKSYSVAL    QAUDLVL2

 Add an  entry for *SECCFG if it is not  already there.  This will cause
 audit entries for any changes to user  profiles as well as a few  other
 functions.

 To  ensure that  you  have  some audit  entries  to review,  issue  the
 following for some test user profile:

              CHGUSRPRF    USRPRF(xxx) STATUS(*DISABLED)
              CHGUSRPRF    USRPRF(xxx) STATUS(*ENABLED)
              CHGUSRPRF    USRPRF(xxx) STATUS(*DISABLED)
              CHGUSRPRF    USRPRF(xxx) PTYLMT(9)

 You can  display the Audit  Journal to see  the entries (use  a current
 date and a time when you started CHGUSRPRF).

              DSPJRN       JRN(QSYS/QAUDJRN) FROMTIME(date time)

 You should see the audit entries for:

              Journal code   T
              Entry type     CP

 If you use Option 5  to display the details, you  should see the entry
 specific data with the  changes you made.   The data is just  a string.
 It is intended  to be mapped  onto a model  file that contains  the
 fields for  the CP Entry  Type (each  Entry Type has  a unique  model
 file).

 If you are using  the TAA AUDLOG tool, the  detail display of an  entry
 allows the  use of F6  to display the  data.   This is effective  for a
 single audit  entry, but not if you want  to review several entries (if
 you want to see the entries you  previously made, you will need to  use
 CVTAUDLOG  to convert  the journal  into  the data  base  file used  by
 AUDLOG).

 To see the format without the AUDLOG tool, use the TAA Tool:

               DSPJRNCDE

 Position to  the T Journal Code and  rollup to the CP entry.   Then use
 Option 7 to display the 'T format'.

 At  the  top  of  the display,  you  can  see the  model  file  name is
 QASYCPJn and the  format name is  the same.  (For  the CD entries,  the
 model file  is QASYCDJn).   You can  roll thru the  fields to  see that
 the  CPSTAT   field  will  contain  the  status  information  that  was
 changed.

 CPYAUDJRNE will create a file using this format.

 You begin by using the command  for a specific Journal Entry type  (the
 sub type  is not used  and only  Audit entries -  Journal Code =  T are
 converted by CPYAUDJRNE).

              CPYAUDJRNE   ENTTYP(CP) OUTFILE(xxx/QAUDIT)
                             JRNRCV(*CURCHAIN)

 Using  *CURCHAIN is  important  the first  time you  make  a conversion
 because this  will search  all receivers  in  the chain.   If  you  are
 going  to periodically  add  to the  file,  you will  want  to use  the
 FROMTIME parameter for subsequent uses.

 Note that  CPYAUDJRNE supports the ability  to add to a  file using the
 OUTMBR  option.  If you are  going to analyze the  data, you have to be
 careful  you don't  copy  entries  that  have already  been  copied  or
 replace those  that you  want to retain.   It may  be desirable  to use
 CPYF after CPYAUDJRNE to a more permanent file for review purposes.

 CPYAUDJRNE  appends the  type to  the file  name.   Thus the  file name
 that is created is QAUDITCP.   (the file name for the CD entries  would
 b

 You can display the data with the TAA command:

              PRTDB    FILE(xxx/QAUDITCP)

 A subfile  will be displayed  of the fields  in the format  and you can
 place an X in those you are interested in such as:

              CPTSTP     Timestamp of entry
              CPUSER     User profile that made the change
              CPONAM     User profile that was changed
              CPPTYL     Priority limit
              CPSTAT     Status

 Press  Enter and the  selected fields move  to the top  of the display.
 The 'Sel' field  allows you to  change the order,  but assume you  want
 the  same order  to  be  listed  as it  appears  in  the subfile.    By
 default, the  field names are used for the  column headings.  An option
 exists to use the DDS column headings instead.

 Note  that if you are  only interested in the  changes to the status of
 the profile, the change to  the PTYLMT function will also appear.   The
 CP  entry  will  also  have  changes for  new,  deleted,  and  restored
 profiles.

 Any  Query can be  used to process  the QAUDITCP file.   You may prefer
 to do a select/sort by prompting for the TAA command:

              SORTDBF

 Enter the From file and a To  file to write the records to.  To  select
 the CPSTAT field not equal to blanks, enter

              SELFLD((CPSTAT *NE *BLANKS))

 and then a keyfield such as the user profile that was changed:

              KEYFLD((CPONAM))

 The final command would thus look like:

              SORTDBF  FROMFILE(xxx/QAUDITCP)
                         TOFILE(xxx/AUDITCP)
                         SELFLD((CPSTAT *NE *BLANKS))
                         KEYFLD((CPONAM))

 The output file will have the selected sorted data.

 You may  use PRTDB again  for the  listing or you  may need to  write a
 special program against the new file.
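 The steps above, put together as a CL program that can be run on a
 schedule, as an added example (not TAA Tools code).  It keeps the
 end of the last copied window in a hypothetical *CHAR 12 data area
 AUDLIB/AUDCPLAST (create it once with CRTDTAARA) so that later runs use
 FROMTIME instead of re-copying the whole receiver chain; the library
 name AUDLIB is also assumed, and dates are taken in the job date format.

```cl
/* Added example, not TAA Tools code: incremental copy of CP entries.  */
/* Assumes: CRTDTAARA DTAARA(AUDLIB/AUDCPLAST) TYPE(*CHAR) LEN(12) was  */
/* run once; the data area holds date (6) and time (6) of the last run. */
PGM
   DCL        VAR(&LAST)   TYPE(*CHAR) LEN(12)
   DCL        VAR(&LASTDT) TYPE(*CHAR) LEN(6)
   DCL        VAR(&LASTTM) TYPE(*CHAR) LEN(6)
   DCL        VAR(&NOWDT)  TYPE(*CHAR) LEN(6)
   DCL        VAR(&NOWTM)  TYPE(*CHAR) LEN(6)

   /* Take the end of this run's window before copying, so the next  */
   /* run starts exactly where this one stops                         */
   RTVSYSVAL  SYSVAL(QDATE) RTNVAR(&NOWDT)
   RTVSYSVAL  SYSVAL(QTIME) RTNVAR(&NOWTM)
   RTVDTAARA  DTAARA(AUDLIB/AUDCPLAST) RTNVAR(&LAST)

   IF         COND(&LAST *EQ ' ') THEN(DO)
      /* First run: nothing copied yet, so search every receiver in  */
      /* the chain and replace the member                            */
      CPYAUDJRNE ENTTYP(CP) OUTFILE(AUDLIB/QAUDIT) +
                 OUTMBR(*FIRST *REPLACE) JRNRCV(*CURCHAIN) +
                 TOTIME(&NOWDT &NOWTM)
   ENDDO
   ELSE       CMD(DO)
      /* Later runs: add only the window since the previous run.     */
      /* An entry stamped in the boundary second can appear twice;   */
      /* a query on CPTSTP can drop such duplicates.                 */
      CHGVAR     VAR(&LASTDT) VALUE(%SST(&LAST 1 6))
      CHGVAR     VAR(&LASTTM) VALUE(%SST(&LAST 7 6))
      CPYAUDJRNE ENTTYP(CP) OUTFILE(AUDLIB/QAUDIT) +
                 OUTMBR(*FIRST *ADD) JRNRCV(*CURCHAIN) +
                 FROMTIME(&LASTDT &LASTTM) TOTIME(&NOWDT &NOWTM)
   ENDDO

   /* Remember where this window ended */
   CHGVAR     VAR(&LAST) VALUE(&NOWDT *CAT &NOWTM)
   CHGDTAARA  DTAARA(AUDLIB/AUDCPLAST) VALUE(&LAST)

   /* Same select/sort as above: profiles whose status changed, by name */
   SORTDBF    FROMFILE(AUDLIB/QAUDITCP) TOFILE(AUDLIB/AUDITCP) +
              SELFLD((CPSTAT *NE *BLANKS)) KEYFLD((CPONAM))
ENDPGM
```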

 Auditing *ALLOBJ users
 ----------------------

 One  of the concerns of  any system is  that there must  be some number
 of users who  have *ALLOBJ special  authority.  You  cannot prevent  an
 *ALLOBJ user  from  doing anything  on the  system, but  you can  audit
 what they have done.

 Of specific  interest may be  a question like 'What  commands have they
 entered?'.

 The  system supports the  AUDLVL(*CMD) option to  provide audit records
 for commands  entered by  a  user.   Any commands  run by  sub-programs
 also generate audit  records.  If *ALLOBJ users perform  a lot of work,
 this can generate a large number of audit records.

 The  TAA DSPAUDCMD function can assist  you in reviewing these records.
 It allows options  to bypass the commands  entered in sub-programs  and
 to review by a time period, by job, or by program.

 If *ALLOBJ users  are frequently signed on  and perform a lot  of work,
 the   number  of  audit   records  produced  may   be  beyond  anyone's
 capability to review.  A periodic  audit that is unannounced may be  an
 effective method of checking.
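 As an added example (not TAA Tools code), a CL program that finds every
 profile holding *ALLOBJ directly and turns on AUDLVL(*CMD) for it, so
 the command records DSPAUDCMD reviews are actually being produced.  It
 assumes the DSPUSRPRF outfile fields UPUPRF (profile name) and UPSPAU
 (special authorities, fifteen 10-byte entries); QTEMP/ALLUSR is a
 hypothetical name.

```cl
/* Added example, not TAA Tools code: set AUDLVL(*CMD) on *ALLOBJ users */
/* Assumes outfile fields UPUPRF and UPSPAU from model file QADSPUPB.    */
PGM
   DCLF       FILE(QSYS/QADSPUPB)   /* model file supplies the format  */
   DCL        VAR(&POS)    TYPE(*DEC)  LEN(3 0)
   DCL        VAR(&FOUND)  TYPE(*LGL)
   DCL        VAR(&COUNT)  TYPE(*DEC)  LEN(5 0) VALUE(0)
   DCL        VAR(&COUNTC) TYPE(*CHAR) LEN(5)

   DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
              OUTFILE(QTEMP/ALLUSR)
   OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/ALLUSR)

 READ:
   RCVF
   MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))  /* end of file  */

   /* Walk the 10-byte entries of the special authority field.        */
   /* Note: a user who inherits *ALLOBJ only through a group profile  */
   /* is not caught here; check the group profiles as well.           */
   CHGVAR     VAR(&FOUND) VALUE('0')
   CHGVAR     VAR(&POS)   VALUE(1)
 SCAN:
   IF         COND(%SST(&UPSPAU &POS 10) *EQ '*ALLOBJ') +
                THEN(CHGVAR VAR(&FOUND) VALUE('1'))
   CHGVAR     VAR(&POS) VALUE(&POS + 10)
   IF         COND(&POS *LE 141) THEN(GOTO CMDLBL(SCAN))

   IF         COND(*NOT &FOUND) THEN(GOTO CMDLBL(READ))

   /* AUDLVL replaces the profile's whole audit level list, so add    */
   /* any other values the profile should keep.  The TAA CHGUSRAUD2   */
   /* tool prompts with the current values if you do this by hand.    */
   CHGUSRAUD  USRPRF(&UPUPRF) AUDLVL(*CMD)
   CHGVAR     VAR(&COUNT) VALUE(&COUNT + 1)
   GOTO       CMDLBL(READ)

 DONE:
   DLTOVR     FILE(QADSPUPB)
   CHGVAR     VAR(&COUNTC) VALUE(&COUNT)
   SNDPGMMSG  MSG('AUDLVL(*CMD) set for' *BCAT &COUNTC *BCAT +
                '*ALLOBJ profiles')
ENDPGM
```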

Added to TAA Productivity Tools March 21, 2008
Last modified on March 10, 2014 © 1995, 2014 - TAA Tools, Inc.