Well, you're certainly right that the security might not be set properly...and it has not changed in at least 10 years and even though it's overkill I'm not going to tell management that.
-----Original Message-----
From: Charles Wilt <charles.wilt@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Sent: Mon, Aug 15, 2011 9:34 am
Subject: Re: Audit of usrprf's
Just my .02....
Seems like overkill.
The only reason to audit everything for a user is when the profile
can do everything...i.e. *ALLOBJ profiles. Those profiles should be
used on a limited basis.
Since this profile doesn't have *ALLOBJ, if your security setup is good,
there should be a limited amount of approved things the user can do.
Now you might have a handful of things that you allow the user to do,
but that you want to audit...touching certain files or using certain
commands...
Auditing everything a non *ALLOBJ user does just seems to me that you
don't trust your current security setup. Personally, I'd fix that.
Charles
On Mon, Aug 15, 2011 at 9:21 AM, <fbocch2595@xxxxxxx> wrote:
Hi Folks, I want to audit everything a user does on our IBMi. I'm wondering
how you folks would approach it. Everything means everything, all the commands
the usrprf enters and all objects the usrprf touches, whether updating or not.
The user is a developer/programmer w/a user class of *PGMR, spcaut = *JOBCTL
and lmtcpb = *NO. I read Steve M's article and I'm following it and I've got;
QAUDCTL set to *AUDLVL/*NOQTEMP/*OBJAUD.
QAUDLVL set to *SECURITY/*JOBDTA/*DELETE/*PGMADP/*AUTFAIL/*PGMFAIL/*SERVICE/*CREATE/*OBJMGT/*SAVRST/*SYSMGT/*PRTDTA/*SPLFDTA.
I've set CHGUSRAUD OBJAUD(*ALL) and AUDLVL on CHGUSRAUD set to many of the
values the command allows.
Next, I'm going to have to use CHGOBJAUD OBJAUD=*USRPRF on thousands of
objects.
That looks like all there is to it...has anyone gone thru this procedure and if
so, how did it work for you? It looks like all I have to do after that is
report on the audit journal entries and disk space is not an issue for us.
Has anyone else done this or doing it currently? Any words of wisdom to
share?
I can not get approval for 3rd party software (PowerLock/Pentasafe, etc.) as
of yet and not sure if I'll ever get approval for it.
Any input/info on this appreciated.
Thanks, Frank
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
http://archive.midrange.com/midrange-l.
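
The procedure described in the quoted question, written out as CL commands; this is an added example, not part of the original thread. DEVUSER, APPLIB and the outfile name are placeholder names, and the AUDLVL list on CHGUSRAUD is one possible selection.

```cl
/* Added example. DEVUSER, APPLIB and AUDDEVUSR are placeholders.    */

/* 1. System-wide audit switches, using the values from the post.    */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')

/* 2. Per-user auditing. *CMD records the command strings the user   */
/*    runs (CD entries). OBJAUD(*ALL) logs both read and change      */
/*    access, but only for objects whose own OBJAUD is *USRPRF.      */
CHGUSRAUD USRPRF(DEVUSER) OBJAUD(*ALL) +
          AUDLVL(*CMD *CREATE *DELETE *OBJMGT *SAVRST *SECURITY +
                 *SERVICE *SPLFDTA *SYSMGT)

/* 3. Existing objects: defer the audit decision to the accessing    */
/*    user's profile, one library at a time.                         */
CHGOBJAUD OBJ(APPLIB/*ALL) OBJTYPE(*ALL) OBJAUD(*USRPRF)

/*    Objects created in the library later get the same setting, so  */
/*    coverage does not erode as the developer creates new objects.  */
CHGLIB LIB(APPLIB) CRTOBJAUD(*USRPRF)

/* 4. Reporting: pull this user's command (CD), object change (ZC)   */
/*    and object read (ZR) entries from the audit journal into an    */
/*    outfile that can be queried.                                   */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
       ENTTYP(CD ZC ZR) USRPRF(DEVUSER) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDDEVUSR)
```

Step 3 has to be repeated for every library the user can reach, which is where the "thousands of objects" in the question comes from.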