× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. March 2017

Re: Auditing Program Calls

We have a partner who signs on to our system. Our VP was wanting to know
which functions they are actually using. A TRCJOB won't work since it's a
"What did they do last week?" type of thing. We use CL menus. I noticed
from my initial review that some programs which I knew were being called
weren't being reported.

Thanks for your time.


Gord

On Tue, Mar 28, 2017 at 3:13 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

I agree that you should be seeing those 'Y' entries. Based on the "Where
run" shown by me and Mark Waterbury at
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_
73/rzarl/rzarlf10.htm
You may wish to open a Service Request on that.

IDK if TRCJOB would work for you.

I'm not sure why you are doing this. Is this something which may be
addressed by the new 7.3
<snip>
What's new for IBM i 7.3
Read about new or significantly changed information for the Security
reference topic collection.
A new capability that is called Authority Collection has been added to the
base operating system. This
support assists the security administrator and application provider in
securing the objects in an
application with the lowest level of authority that is required to allow
the application to run successfully. The goal of authority collection is
to increase the security of the objects within the application. New CL
commands, Start Authority Collection (STRAUTCOL), End Authority Collection
(ENDAUTCOL), and
Delete Authority Collection (DLTAUTCOL), and a new SQL view,
QSYS2.AUTHORITY_COLLECTION,
are provided in support of this new enhancement
</snip>
https://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_
73/rzarl/sc415302.pdf?view=kc


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Gord Hutchinson <gordm1@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 03/28/2017 02:28 PM
Subject: Re: Auditing Program Calls
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Yes, I read your entire reply. And I apologize if my response was
unclear. I left out one key word in my first sentence. You are correct,
I
want a list of what programs and objects were called by this user. I
would
rather not change the auditing for all the programs and commands on the
system. The amount of logging will be huge.

My question was why the CD shows a program being called from a command
line
but not if the program is called from within another program. The 'Where
Run' in the CD entry tells me (if I read it right) where the program was
called. It doesn't tell me why a CD isn't written. I would expect one to
be written with a 'Y' in the Where Run field.


Gord




On Tue, Mar 28, 2017 at 1:02 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

But, in the long reply did you notice that I showed you a way to see if
a
set of programs were called?
Perhaps you did but were concentrating instead on why using the CD
records
weren't working?
You are the one who made comments on that you didn't want to see source.
This led me to believe that you didn't read the rest of it.

I went through some effort to show you how, exactly, I got those entries
to display. I used bare minimum source and showed you it solely so that
you could see both CALLs being logged.
And what do I hear but
<snip>
I do not really care what programs or commands were. The point is not
what was called but the fact that something was called. I want a report
of all programs and commands called. Including system commands.
</snip>
This is highly confusing. For example should this
I do not really care what programs or commands were.
be
I do not really care what <the> programs or commands were.
or
I do not really care what programs or commands were <called>.

and
<snip>
The point is not what was called but the fact that something was called.
</snip>
Are you asking for a list which shows
CALL ...
CALL ...
CALL ...
CALL ...
CALL ...
and literally just the three dots?

And then you say
<snip>
I want a report of all programs and commands called.
</snip>
I showed you how to do that by using CHGOBJAUD to turn on auditing for
those programs and commands.
And how to read it by using CPYAUDJRNE for the ZR audit types.

And, what do I get in return?
<snip>
I do not really care...
</snip>


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Gord Hutchinson <gordm1@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 03/28/2017 12:20 PM
Subject: Re: Auditing Program Calls
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I appreciate your help Rob but your snide remarks are not helpful at
all.

On Tue, Mar 28, 2017 at 12:04 PM, Rob Berendt <rob@xxxxxxxxx> wrote:

Ok, I realize I had several characters in there. Let me cut it down.

<snip>
I want a report of all programs and commands called. Including system
commands.
</snip>

To get such a list requires that you start object auditing on every
thing
you want in the list. See CHGOBJAUD.

Then you have to get the appropriate entries. See CPYAUDJRNE. I
suggest
doing the *ALL once. This helped me limit it down to the ZR entries.

If you just want one particular step, like all the stack used when
someone
executes a particular program, then you could try TRCJOB.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Gord Hutchinson <gordm1@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
Date: 03/28/2017 11:50 AM
Subject: Re: Auditing Program Calls
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I do not really care what programs or commands were. The point is not
what
was called but the fact that something was called. I want a report of
all
programs and commands called. Including system commands.

On Tue, Mar 28, 2017 at 11:24 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

ZR (Read of Object) journal entries

Let me step through this

GORD1
PGM
CALL GORD2
SNDMSG MSG(GORD1) TOUSR(*REQUESTER)
ENDPGM

GORD2
PGM
SNDMSG MSG(GORD2) TOUSR(*REQUESTER)
ENDPGM

CHGOBJAUD OBJ(ROB/GORD*) OBJTYPE(*PGM) OBJAUD(*ALL)
CALL GORD1

QSYS/CPYAUDJRNE ENTTYP(ZR)
FROMTIME(032817 1113)
TOTIME(032817 1116)

WRKF QTEMP/QAUDIT*
QAUDITZR

RUNQRY QRYFILE(QTEMP/QAUDITZR)
Object Library Object
name name type
GORD1 ROB *PGM
GORD2 ROB *PGM

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Gord Hutchinson <gordm1@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
Date: 03/28/2017 10:58 AM
Subject: Re: Auditing Program Calls
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I did RTM! A CD is written to the audit journal when a program is
called
from a command line.

The same command string when executed within a CL program does NOT
write
the CD entry.

On Tue, Mar 28, 2017 at 10:52 AM, Rob Berendt <rob@xxxxxxxxx> wrote:

RTM
https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_73/
rzaki/rzakijournalfinderall2.htm

A CD entry is "change was made for a command string".

Try CHGOBJAUD


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: Gord Hutchinson <gordm1@xxxxxxxxxxxxxxx>
To: Midrange Systems Technical Discussion
<midrange-l@xxxxxxxxxxxx>
Date: 03/28/2017 10:39 AM
Subject: Auditing Program Calls
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I've been trying to report on the commands and programs a user
calls
on
our
7.1 systems. *CMD auditing is turned on for the users in
question.

When a program is called from the command line I see the CD entry
for
the
CALL in QAUDJRN. If that program calls a second program, I do not
see
a
second CD entry. If the program calls a command, the CD for the
command
is
QAUDJRN.

i.e. CALL PGMA writes a CD entry for the call.

If PGMA does a call to PGMB and then calls cmd DSPSYSSTS there is
no
CD
entry for the call of PGMB but there is one for DSPSYSSTS.

Is this expected behaviour or am I missing a setting somewhere?

Thanks,


Gord



--
Gord Hutchinson
TST Overland Express
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD




--
Gord Hutchinson
TST Overland Express
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L)
mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our
affiliate
link: http://amzn.to/2dEadiD




--
Gord Hutchinson
TST Overland Express
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD




--
Gord Hutchinson
TST Overland Express
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD




--
Gord Hutchinson
TST Overland Express
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: http://amzn.to/2dEadiD





As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.