Thanks, Ed. I think that by looking at the job type and filtering out benign commands, I can create a usable audit report.

Mark Garton
Information Systems
O'Reilly Auto Parts

message: 11
date: Thu, 3 Nov 2005 08:31:52 -0600
from: Ed Fishel <edfishel@xxxxxxxxxx>
subject: Re: Auditing Command Line Usage

Mark Garton wrote on 11/02/2005 06:07:36 PM:

> Is there a way to know if the command was executed from the command line?

The short answer is No, there is no way to prove that a command came from a command line. You can, however, eliminate several that came from other places.

Take a look at both the CD and JS audit records. When a job starts, the Job Type and Job Subtype fields of the JS record will indicate that the job is an interactive job or not. You can then collect the names of the interactive jobs and use them to decide which of the CD journal entries were from interactive jobs. Unfortunately this will not tell you if the commands came from a command line or not. They could be coming from a menu or one of the program interfaces used to run a CL command.

The Program Name field at offset 81 of the *TYPE5 journal entry may be of some help, if you recognize the name of the program and understand how it runs commands. If I remember correctly, this field will contain the name of the top user state program (or service program) in the program stack at the time the audit record is written. So if program ABC calls QCMD and the user runs a command from that command entry screen, the Program Name field will be ABC.

The audit records for commands that come from a command line will look the same as those that come from a UIM menu or work with panel such as the one produced by WRKACTJOB. You may be able to guess that some of them did not come from a command line because they are library qualified with things like *SYSTEM/WRKJOB or *NLVLIBL/CHGJOB, but even that will not be foolproof if the user knows they are being audited and wants to confuse you.

Ed Fishel, edfishel@xxxxxxxxxx
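The correlation discussed in this thread, as an added example that is not part of the original messages: keep CD entries whose job appears in a JS record as interactive, drop commands judged benign, and carry the Program Name and a library-qualified flag into the report. The record layout, the key names, the job type value "I", the BENIGN list and all sample rows are constructed assumptions, not real journal output.

```python
# Constructed sample data. Key names are hypothetical stand-ins for fields
# extracted from the JS and CD audit journal entries.
JS_RECORDS = [  # one row per job start
    {"job": "123456/MGARTON/QPADEV0001", "job_type": "I"},  # "I" assumed = interactive
    {"job": "123457/QSYSOPR/NIGHTLY", "job_type": "B"},
    {"job": "123458/JSMITH/QPADEV0002", "job_type": "I"},
]
CD_RECORDS = [  # one row per audited command string
    {"job": "123456/MGARTON/QPADEV0001", "program": "ABC",
     "command": "DLTF FILE(PAYROLL/MASTER)"},
    {"job": "123456/MGARTON/QPADEV0001", "program": "ORDMENU",
     "command": "*NLVLIBL/CHGJOB JOB(*) RUNPTY(10)"},
    {"job": "123457/QSYSOPR/NIGHTLY", "program": "NIGHTCL",
     "command": "CLRPFM FILE(WORK/TEMP)"},
    {"job": "123458/JSMITH/QPADEV0002", "program": "ABC",
     "command": "WRKACTJOB"},
]
# Assumed site policy: commands not worth reporting.
BENIGN = {"WRKACTJOB", "WRKJOB", "DSPJOB", "WRKSPLF"}

def command_name(cmd_string):
    """Split the leading token of a CL command string into (library, command)."""
    parts = cmd_string.split(None, 1)
    if not parts:
        return "", ""
    lib, _, name = parts[0].upper().rpartition("/")
    return lib, name

def audit_report(js_records, cd_records, benign=BENIGN):
    """Return CD entries from interactive jobs, minus benign commands."""
    interactive = {r["job"] for r in js_records if r["job_type"] == "I"}
    report = []
    for cd in cd_records:
        if cd["job"] not in interactive:
            continue  # batch and other non-interactive jobs are eliminated
        lib, name = command_name(cd["command"])
        if name in benign:
            continue
        report.append({
            "job": cd["job"],
            "program": cd["program"],  # top user state program, per the thread
            "command": cd["command"],
            # A hint only: qualified commands may still come from a command line.
            "library_qualified": bool(lib),
        })
    return report

if __name__ == "__main__":
    for row in audit_report(JS_RECORDS, CD_RECORDS):
        print(row)
```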
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].