TAA Tools


 The  Display User  Commands  command  displays  the audit  records  for
 commands run  by a user that is  specified with CHGUSRAUD AUDLVL(*CMD).
 DSPUSRCMD  is intended  for use on  critical security  profiles such as
 QSECOFR and QSRV to allow  a review of the commands that  were entered.
 The Journal  Code T (Audit) records  with an Entry Type  of CD (command
 was run) are processed using the CPYAUDJRNE outfile.

 You must have *ALLOBJ authority to use DSPUSRCMD.

 If  you have not already  set up  the QAUDJRN  journal,  see  the tool
 AUDITING for a discussion.

 Assume you  want to  check the  commands entered  by  the QSECOFR  user
 profile.  Begin by ensuring the audit level is set correctly.


 Roll  to the  value  'Action  auditing values'.    It  should at  least
 specify '*CMD'.  If not, enter the following:


 After  some commands have been  entered by QSECOFR, you  may review the
 commands with:


 A listing  would be  displayed  of all  the  commands entered  for  all
 existing journal entries in QAUDJRN.

 The profile  QSECOFR is used  in several system  jobs such as  QSRVMON.
 You can eliminate the commands run in specifically named jobs, or use
 a generic name such as Q* to eliminate the system jobs.  However, this
 would also miss the commands entered by a user who signed on as QSECOFR
 and submitted a job name that began with Q.

 Options also exist to:

   **   Process based on a start date/time and an end date/time.

   **   List the  commands run in CL  programs if called from  a command
        line  or  run via  a  command  processing program  (either  by a
        system or user command).

   **   Scan for the use  of a command such  as CRTUSRPRF whether it  is
        run on a command line or via a CL program.

 Using a different Security Officer profile

 Because the  system use  of QSECOFR  complicates the  use of  reviewing
 commands, some  users may prefer to use  a separate profile when acting
 as the Security Officer.

 For example, you could create  the QSECOFR2 profile and cause  auditing

                           TEXT('Second security officer')


 This would  allow  secure commands  to be  entered  using QSECOFR2  and
 displayed with DSPUSRCMD.

 You  cannot set  the QSECOFR  password to  *NONE.   However,  you could
 prevent  the  interactive  use of  QSECOFR.    You should  not  do this
 unless you have another profile  that can reset the profile  if needed.
 To prevent the use of QSECOFR from signing on, enter:


 While  this will  make  the use  of  DSPUSRCMD for  a  profile such  as
 QSECOFR2  easier to review,  it is not  a perfect solution  to ensure a
 check of all commands run as a Security Officer.

 For  example,  there  may  be  pre-existing  programs  that  adopt  the
 QSECOFR profile,  that run various functions.   There are  several such
 programs  within  TAATOOL  and the  system  also  uses this  technique.
 While TAATOOL  and system  functions offer  security control  of  these
 types of functions, user written programs may not be so secure.

 In  addition,  any  *ALLOBJ  user  can  bypass  many  of  the  security
 checking functions provided by the system.

 The use  of a second Security  Officer will not eliminate  the need for
 good system security.

 DSPUSRCMD escape messages you can monitor for

       TAA9892    The user profile is not specified to audit commands
       TAA9893    There were no audit records for the selection criteria

 TAA9893  is sent either because the  use of CPYAUDJRNE found no records
 (no  spooled file  will  exist)  or because  the  selection  processing
 after  the use  of  CPYAUDJRNE did  not  find any  entries  to list  (a
 spooled file will exist).

 Escape messages from based-on functions will be re-sent.

 DSPUSRCMD Command parameters                          *CMD

    USRPRF        The  user  profile to  list  audit records  for.   The
                  user must  be specified  using CHGUSRAUD  AUDLVL(*CMD)
                  to create audit records for commands entered.

    FROMDATE      The  From date  and time  to  select journal  entries.
                  Both  values  default to  *FIRST for  the  first audit
                  entry found  in  QAUDJRN.   A  specific date  (in  job
                  format) or  the special value  *TODAY may  be entered.
                  A specific time in HHMMSS format may be entered.

    TODATE        The  To  date  and  time  to select  journal  entries.
                  Both  values  default  to  *LAST  for  the  last audit
                  entry found  in  QAUDJRN.   A  specific date  (in  job
                  format) or  the special  value *TODAY may  be entered.
                  A specific time in HHMMSS format may be entered.

    CLPGM         A  *YES/*NO value for whether the  commands run from a
                  CL program should  be listed.   The  CL program  could
                  be   called  directly   or   called   via  a   command
                  processing program from a system or user command.

                  *NO is the default to not list these commands.

                  *YES  may be  specified to  list  the commands.   Only
                  the object  name,  type,  and library  (not  the  full
                  command that was run) are listed.

    SCANVAL       The value  to be  scanned for  in either the  commands
                  that were  run from a  command line or  the object and
                  library  names  of the  commands run  in a  CL Program
                  (requires  CLPGM(*YES)).    For  example,  this  would
                  allow the  scanning for the  use of a command  such as
                  CRTUSRPRF or the keyword PASSWORD.

                  *NONE is the default meaning no scan occurs.

                  A  string of  up  to 20  bytes may  be entered.   Note
                  that scanning  the commands  run in  a  CL program  is
                  only effective on the command name and library.

                  Both the  SCANVAL and  the command  are translated  to
                  upper case before comparing.

    BYPJOB        A  list of up  to 300 job  names or generic  job names
                  that will be bypassed.

                  *NONE is the default  meaning all jobs are  processed.

                  When  a user  profile  such as  QSECOFR  is used,  the
                  system  runs several jobs  under this profile  such as
                  QSRVMON.   Bypassing specific job  names or a generic
                  name such as  Q* can reduce  the size of the  listing,
                  but it will also bypass any job that a QSECOFR user
                  submits with a name beginning with Q.

                  See  the  previous  discussion  about  how  to  use  a
                  different profile for entering secure commands.

    OUTPUT        How to  output  the results.    *  is the  default  to
                  display the  spooled file  if the  command is  entered
                  interactively.   The spooled file  is deleted after it
                  is displayed.

                  If the  command  is  entered in  batch  or  *PRINT  is
                  specified, the  spooled file  is output and  retained.
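 The following Python is an added example, not part of the TAA tool, that
 models the selection rules described above (user profile, date/time range,
 CLPGM, the 20-byte upper-cased SCANVAL, and generic BYPJOB names) over a
 few constructed audit entries; the record field names are this example's
 own and are not the QASYCDJ5 outfile fields.  It also shows the Q* caveat:
 a QSECOFR-submitted job named QMYJOB disappears from the listing.

```python
from datetime import datetime

# Constructed sample CD (command was run) entries; field names are this
# example's own, not QASYCDJ5's.  'clpgm' is the LIB/OBJ of the CL program
# the command ran from, or None when it was entered on a command line.
SAMPLE = [
    dict(ts=datetime(2010, 7, 15, 8, 0, 0), job="QSRVMON", user="QSECOFR",
         cmd="CALL PGM(QSYS/QSRVMON)", clpgm=None),
    dict(ts=datetime(2010, 7, 15, 9, 0, 0), job="DSP01", user="QSECOFR",
         cmd="CRTUSRPRF USRPRF(BOB) PASSWORD(BOB)", clpgm=None),
    dict(ts=datetime(2010, 7, 15, 10, 0, 0), job="QMYJOB", user="QSECOFR",
         cmd="crtusrprf usrprf(eve) spcaut(*allobj)", clpgm=None),
    dict(ts=datetime(2010, 7, 15, 11, 0, 0), job="DSP01", user="QSECOFR",
         cmd="WRKACTJOB", clpgm="QGPL/MYCL"),
    dict(ts=datetime(2010, 7, 16, 9, 0, 0), job="DSP02", user="QSECOFR2",
         cmd="DLTUSRPRF USRPRF(BOB)", clpgm=None),
]

def generic_match(name, pattern):
    """IBM i generic name: a trailing '*' matches any suffix, else exact."""
    name, pattern = name.upper(), pattern.upper()
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def select_commands(records, usrprf, fromts=None, tots=None,
                    clpgm=False, scanval=None, bypjob=()):
    """Return (timestamp, job, text) tuples the listing would contain."""
    if scanval is not None and len(scanval.encode()) > 20:
        raise ValueError("SCANVAL is limited to 20 bytes")
    if len(bypjob) > 300:
        raise ValueError("BYPJOB accepts at most 300 job names")
    out = []
    for r in records:
        if r["user"] != usrprf.upper():
            continue
        if (fromts and r["ts"] < fromts) or (tots and r["ts"] > tots):
            continue
        if r["clpgm"] and not clpgm:          # CLPGM(*NO) drops CL program entries
            continue
        if any(generic_match(r["job"], p) for p in bypjob):
            continue
        # A CL program entry lists only the object/library, not the full command
        text = r["clpgm"] if r["clpgm"] else r["cmd"]
        # SCANVAL and the listed text are both upper-cased before comparing
        if scanval is not None and scanval.upper() not in text.upper():
            continue
        out.append((r["ts"], r["job"], text))
    return out
```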


 You must have *ALLOBJ authority to use DSPUSRCMD.

 You must have the QAUDJRN operational.

 The user profile specified must be set to at least AUDLVL(*CMD).


 The following TAA Tools must be on your system:

      CHKALLOBJ       Check *ALLOBJ special authority
      CHKGENERC       Check generic
      CVTTIM          Convert time
      EDTVAR          Edit variable
      EXTLST          Extract list
      EXTLST2         Extract list 2
      RTVDAT          Retrieve date
      RTVSYSVAL3      Retrieve system value 3
      SCNVAR          Scan variable
      SNDCOMPMSG      Send completion message
      SNDESCINF       Send escape information
      SNDESCMSG       Send escape message
      SNDSTSMSG       Send status message
      TRNVAL          Translate value


 None, the tool is ready to use.

 Objects used by the tool

    Object        Type    Attribute      Src member    Src file
    ------        ----    ---------      ----------    ----------

    DSPUSRCMD     *CMD                   TAASEIN       QATTCMD
    TAASEINC      *PGM       CLP         TAASEINC      QATTCL
    TAASEINR      *PGM       RPGLE       TAASEINR      QATTRPG
    TAASEINP      *FILE      PF

 The  TAASEINP file is  created by  duplicating the QASYCDJ5  model file
 in QSYS.

Added to TAA Productivity Tools July 15, 2010


Last modified on November 19, 2014 © 1995, 2014 - TAA Tools, Inc.