


Mark Garton wrote on 11/02/2005 06:07:36 PM:

> Is there a way to know if the command was executed from the command line?

The short answer is no, there is no way to prove that a command came from a
command line. You can, however, eliminate several that came from other
places.

Take a look at both the CD and JS audit records. When a job starts the Job
Type and Job Subtype fields of the JS record will indicate that the job is
an interactive job or not. You can then collect the names of the
interactive jobs and use them to decide which of the CD journal entries
were from interactive jobs.

Unfortunately this will not tell you if the commands came from a command
line or not. They could be coming from a menu or one of the program
interfaces used to run a CL command. The Program Name field at offset 81 of
the *TYPE5 journal entry may be of some help if you recognize the name of
the program and understand how it runs commands. If I remember correctly,
this field will contain the name of the top user state program (or service
program) in the program stack at the time the audit record is written. So
if program ABC calls QCMD and the user runs a command from that command
entry screen the Program Name field will be ABC.

The audit records for commands that come from a command line will look the
same as those that come from a UIM menu or work with panel such as the one
produced by WRKACTJOB. You may be able to guess that some of them did not
come from a command line because they are library qualified with things
like *SYSTEM/WRKJOB or *NLVLIBL/CHGJOB, but even that will not be foolproof
if the user knows they are being audited and wants to confuse you.

Ed Fishel,
edfishel@xxxxxxxxxx
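
The elimination steps described in the reply above, sketched as an added example that is not part of the original post: it correlates JS entries with CD entries and labels each command by what can be ruled out. The row layout, all key names, the `I` job-type value, and the program names `MENUPGM` and `BATCHPGM` are assumptions, and the rows are constructed sample data standing in for entries already exported from the audit journal.

```python
# Constructed sample rows; every key name below is hypothetical.
JS_ROWS = [
    {"job": "123456/MARK/QPADEV0001", "job_type": "I"},  # assumed: I = interactive
    {"job": "123457/QSYSOPR/NIGHTLY", "job_type": "B"},
    {"job": "123458/ANNA/QPADEV0002", "job_type": "I"},
]
CD_ROWS = [
    {"job": "123456/MARK/QPADEV0001", "program": "ABC", "command": "DLTF FILE(PAYLIB/HIST)"},
    {"job": "123456/MARK/QPADEV0001", "program": "ABC", "command": "*SYSTEM/WRKJOB"},
    {"job": "123457/QSYSOPR/NIGHTLY", "program": "BATCHPGM", "command": "CLRPFM FILE(PAYLIB/WORK)"},
    {"job": "123458/ANNA/QPADEV0002", "program": "MENUPGM", "command": "CHGJOB LOG(4 00 *SECLVL)"},
    {"job": "123458/ANNA/QPADEV0002", "program": "MENUPGM", "command": "*NLVLIBL/CHGJOB"},
    {"job": "123459/BOB/QPADEV0003", "program": "ABC", "command": "DSPLIB PAYLIB"},
]

# Library qualifiers the reply names as a hint that a panel issued the command.
PANEL_QUALIFIERS = ("*SYSTEM/", "*NLVLIBL/")


def triage(js_rows, cd_rows, known_programs=frozenset()):
    """Label each CD entry by what can be eliminated; nothing is ever proven.

    known_programs: program names the analyst recognises and knows to run
    commands themselves (a menu driver, for instance).
    """
    job_types = {row["job"]: row["job_type"] for row in js_rows}
    results = []
    for row in cd_rows:
        job_type = job_types.get(row["job"])
        if job_type is None:
            # Job started outside the extracted journal range: cannot classify.
            label = "no_js_record"
        elif job_type != "I":
            label = "not_interactive"
        elif row["command"].startswith(PANEL_QUALIFIERS):
            # Only a hint: a user who knows about auditing can type the qualifier.
            label = "likely_panel"
        elif row["program"] in known_programs:
            label = "known_program"
        else:
            # Command line, menu or program interface; the records look the same.
            label = "unresolved"
        results.append((row["command"], label))
    return results


if __name__ == "__main__":
    for command, label in triage(JS_ROWS, CD_ROWS, {"MENUPGM"}):
        print(f"{label:16} {command}")
```

Entries labelled `unresolved` are the ones that may have come from a command line; the other labels only narrow the set.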



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
