RE: What is causing a user profile to be disabled?

Gary - I'm trying to understand your answer about *RMTADR

<quote> If you have QAUDJRN configured with the fixed length data value
*RMTADR the ip address will be captured. You should be able to find out who
it is from that.</quote>

From the Knowledge Center for cmd CRTJRN

.RCVSIZOPT(*MINFIXLEN) and FIXLENDTA cannot be used for the system security
audit journal QSYS/QAUDJRN. Journal entries in the security audit journal
are required to contain all possible data that could be used for auditing
purposes.

I've looked at QAUDJRN on several systems at a couple releases and none had
the FIXLENDTA.
I do worry about systems that move from release to release over many years
if missing new options for existing stuff. Always ready the Memo to Users
and now the TR stuff.

Jim Franz


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Monnier, Gary
Sent: Friday, July 24, 2015 1:16 PM
To: Midrange Systems Technical Discussion
Subject: RE: What is causing a user profile to be disabled?

If you have QAUDJRN configured with the fixed length data value *RMTADR the
ip address will be captured. You should be able to find out who it is from
that.

Gary Monnier


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Glenn
Gundermann
Sent: Friday, July 24, 2015 10:01 AM
To: Midrange Systems Technical Discussion
Subject: Re: What is causing a user profile to be disabled?

Thanks Gary, this was very useful.
This confirms it is happening from an FTP job.

From job . . . . . . . . . . . : QTFTP00026

User . . . . . . . . . . . . : QTCP

Number . . . . . . . . . . . : 673856


I fouind three jobs that ran 5 minutes apart and each one had an invalid
password. The third job disabled the user profile.


How can I find who/what is submitting these jobs?

A WRKJOB on any of these jobs tells me nothing.


Thanks again for all assistance.



Yours truly,

Glenn Gundermann
Email: glenn.gundermann@xxxxxxxxx
Work: (416) 675-9200 ext. 89224
Cell: (416) 317-3144


On 24 July 2015 at 12:03, Monnier, Gary <Gary.Monnier@xxxxxxxxx> wrote:

Have you checked QAUDJRN for password failure entries? Use journal
code T entry type PW. Position 1 in the entry specific data shows the
violation type and starting in position 2 is the user profile job user
where the failure occurred. You can find the complete layout in
appendix F of the security reference manual.

Types of failures are...

A APPC bind failure.
C User authentication with the CHKPWD command failed.
D Service tools user ID name not valid.
E Service tools user ID password not valid.
P Password not valid.
Q Attempted signon (user authentication) failed because user profile
is disabled.
R Attempted signon (user authentication) failed because password was
expired.
This audit record might not occur for some user authentication
mechanisms.
Some authentication mechanisms do not check for expired passwords.
S SQL Decryption password is not valid.
U User name not valid.
X Service tools user ID is disabled.
Y Service tools user ID not valid.
Z Service tools user ID password not valid

Gary Monnier

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
Glenn Gundermann
Sent: Friday, July 24, 2015 7:59 AM
To: Midrange Systems Technical Discussion
Subject: What is causing a user profile to be disabled?

Hi folks,

Is there a way to find out what is causing a user profile to be disabled?

I suspect it's an FTP process from another server that is causing this.

When I press Help on CPF1393 in QHST, there is very little information.
device *N
network address *N
subsystem QSYSWRK

This is happening several times each day. What's funny is that nobody
is complaining about a process not working but obviously if they have
the wrong password something has got to be failing.

Any guidence would be appreciated.

Yours truly,

Glenn Gundermann
Email: glenn.gundermann@xxxxxxxxx
Work: (416) 675-9200 ext. 89224
Cell: (416) 317-3144
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take
a moment to review the archives at
http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.