Peter Vidal wrote on 06/27/2007 10:04:04 AM:
"What release are you running on?" V5R3.
What is your objective?
Audit the activity in a specific folder, let's call it "DIT". There is a
predefined group of people accessing it and I want to know who, when, what,
kind of information about the objects affected. There is a very important
project we are running and we want to have documentation of the activity
here.
What do you plan to do with the physical file containing all the journal
data?
I was hoping to have the physical file with all the data I need so I can
run daily queries over it and check for stuff like changes, object
authority modifications, etc.
"As I said before if you mess with ("mess with" is a technical term for
read, display, copy, write, lock, etc) this journal or its receivers you
could cause problems for the iTera product (and therefore also your backup
system)."
You are right. I do not want to mess up iTera. If doing DSPJRN will
affect this, I will not do it. I was just hoping for a way that I can
easily access this information and be able to document the activity in
this "DIT" folder and document this in any way I wanted to do it.
It sounds to me like you should be using the security audit journal to
collect most of this information. It should give you all the information
you are requesting except if you need to see individual records changed
within specific stream files. The only way to see the records would be to
actually journal the stream files. I am a security person and not a journal
person. It is my understanding that it is possible that your access of the
iTera journal could cause problems for that type of application.
If you do not know how to set up security auditing you can find directions
in the archives and in the V5R3 Information Center. There is also lots of
information in Chapter 9 and Appendix F of the Security Reference manual.
My recommendation is to not copy all the different types of audit records
to one physical file. Instead use the DSPJRN command to copy the different
types of audit records to individual files. This will allow you to use a
query tool (or an RPG program) to query the individual files.
Commands to collect ZC (change object) audit records:
CRTDUPOBJ OBJ(QASYZCJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(ZC) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYZCJ5)
Commands to collect AF (authority failure) audit records:
CRTDUPOBJ OBJ(QASYAFJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(AF) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYAFJ5)
Commands to collect CA (authority changes) audit records:
CRTDUPOBJ OBJ(QASYCAJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(CA) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYCAJ5)
You will probably also want to collect the audit records for: CO (Create
Object), DO (Delete Object), LD (Link, unlink, or look up directory entry),
OM (Object move or rename), OR (Object restore), OW (Object ownership
changed), PG (Change of an object’s primary group), RA (Authority change
during restore), RO (Change of object owner during restore), RZ (Changing a
primary group during restore), and ZR (Read of Object for some access types
including 46=Save). Just change the xx in the following commands to the
type of audit record.
CRTDUPOBJ OBJ(QASYxxJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(xx) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/QASYxxJ5)
Ed Fishel,
edfishel@xxxxxxxxxx
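
The per-type CRTDUPOBJ/DSPJRN pair above, wrapped in a CL loop over every entry type named in the message. This is an added example, not part of the original post; the variable names and the two MONMSG checks (outfile already present in QTEMP, no entries of a type in the receiver range) are assumptions of the example.

```cl
PGM
  /* Entry types named in the message, two characters each: */
  /* ZC AF CA CO DO LD OM OR OW PG RA RO RZ ZR              */
  DCL VAR(&TYPES) TYPE(*CHAR) LEN(28) +
        VALUE('ZCAFCACODOLDOMOROWPGRARORZZR')
  DCL VAR(&I)    TYPE(*INT)  LEN(4)
  DCL VAR(&POS)  TYPE(*INT)  LEN(4)
  DCL VAR(&TYPE) TYPE(*CHAR) LEN(2)
  DCL VAR(&FILE) TYPE(*CHAR) LEN(10)

  DOFOR VAR(&I) FROM(1) TO(14)
    /* Pick the next two-character entry type from the list */
    CHGVAR VAR(&POS)  VALUE((&I * 2) - 1)
    CHGVAR VAR(&TYPE) VALUE(%SST(&TYPES &POS 2))
    /* Model outfile name for that type, e.g. QASYZCJ5 */
    CHGVAR VAR(&FILE) VALUE('QASY' *CAT &TYPE *CAT 'J5')

    /* Copy the model file into QTEMP; tolerate a copy left */
    /* over from an earlier run in the same job             */
    CRTDUPOBJ OBJ(&FILE) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
    MONMSG MSGID(CPF2130)

    /* One outfile per entry type, as recommended above */
    DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(&TYPE) OUTPUT(*OUTFILE) +
             OUTFILFMT(*TYPE5) OUTFILE(QTEMP/&FILE)
    /* Skip types with no entries instead of ending the job */
    MONMSG MSGID(CPF7062)
  ENDDO
ENDPGM
```

Each outfile ends up in QTEMP under its QASYxxJ5 name, so the daily queries can be written against one file per audit record type.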