× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Rob: Very interesting.

Are you looking for any job "DUMMY" runs, or just active jobs? I've watched
the thread but from a distance, and I don't remember the original question.

I'm looking to build a similar thing but had not thought of using the audit
journal, rather the history log. This might be a better approach, or a
combination of the two.....

--
Jim Oberholtzer
Agile Technology Architects

-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Wednesday, July 10, 2019 6:51 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Auditing users with elevated privileges.

I opened up a ticket with IBM. Apparently it is documented that *USRPRF
objects are immune to many of the stuff of object auditing. They
specifically listed DSPUSRPRF for one. I'll give IBM the benefit of the
doubt here that they have valid reasons, like a lot of performance hit or
some such thing. That, and they gave me an acceptable alternative.
CHGUSRAUD USRPRF(DUMMY) OBJAUD(*ALL) AUDLVL(*JOBDTA *NETSCK)
Tried:
- 5250
- ftp
- NetServer
And it caught them all
SELECT journal_code, journal_entry_type, "CURRENT_USER", "JOB_NAME",
"JOB_USER", "JOB_NUMBER", PROGRAM_NAME, PROGRAM_LIBRARY, PATH_NAME, OBJECT,
OBJECT_TYPE, REMOTE_ADDRESS, REMOTE_PORT, ENTRY_TIMESTAMP
FROM TABLE (QSYS2.Display_Journal(
JOURNAL_LIBRARY => 'QSYS',
JOURNAL_NAME => 'QAUDJRN',
STARTING_RECEIVER_LIBRARY => 'QGPL',
STARTING_RECEIVER_NAME => '*CURCHAIN',
STARTING_TIMESTAMP => CURRENT TIMESTAMP - 20 minutes
)) X
WHERE
(OBJECT_TYPE = '*USRPRF' and OBJECT = 'DUMMY QSYS')
or "CURRENT_USER"='DUMMY' or "JOB_USER"='DUMMY';

I rearranged the columns to stick with pertinent data CURRENT_USER,
JOB_NAME, JOB_USER, REMOTE_ADDRESS
ROB ROBHQ1 ROB 10.10.9.30
DUMMY QPADEV0004 DUMMY 10.10.6.128
DUMMY QPADEV0004 DUMMY 10.10.6.128
DUMMY QTFTP00037 QTCP 10.10.6.128
DUMMY QTFTP00037 QTCP 10.10.6.128
DUMMY QTFTP00037 QTCP 10.10.6.128
DUMMY QTFTP00037 QTCP 10.10.6.128
DUMMY QZLSFILE QPGMR -
DUMMY QZLSFILE QPGMR 10.10.6.128

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Tuesday, July 9, 2019 10:20 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: Auditing users with elevated privileges.

Upon testing it was discovered that simply using a user profile, like
logging on to a 5250 session with it, does not count as an action which
would be considered a read or a change. Then again DSPUSRPRF of that user
profile does not count as a read operation either.
DSPOBJD
Object . . . . . . . : DUMMY
Library . . . . . : QSYS
Library ASP device . : *SYSBAS
Type . . . . . . . . : *USRPRF
Auditing/Integrity information:
Object auditing value . . . . . . . : *ALL


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Rob
Berendt
Sent: Monday, July 8, 2019 4:33 PM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Auditing users with elevated privileges.

Please no vendor plugs as I am wishing to resolve this on my own.

I can easily retrieve user profiles with elevated privileges from
qsys2.user_info.
To see whether or not all use of that user profile is audited I can join
that to object_statistics.

I want to find out all jobs which use that user profile. So even if a job
like 148345/QUSER/QRWTSRVR is using one of these user profiles I want to
know about it.
So I guess what I need to do is
1: Determine the users with elevated privileges.
2: If not already done then CHGOBJAUD OBJ(...) OBJTYPE(*USRPRF)
OBJAUD(*ALL) Once I've done this then later on I can do something like:
SELECT journal_code, journal_entry_type, "CURRENT_USER", "JOB_NAME",
"JOB_USER", "JOB_NUMBER", PROGRAM_NAME, PROGRAM_LIBRARY, PATH_NAME, OBJECT,
OBJECT_TYPE, REMOTE_ADDRESS, REMOTE_PORT
FROM TABLE (QSYS2.Display_Journal(
JOURNAL_LIBRARY => 'QSYS',
JOURNAL_NAME => 'QAUDJRN',
STARTING_RECEIVER_LIBRARY => 'QGPL',
STARTING_RECEIVER_NAME => '*CURCHAIN',
STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS
)) X
WHERE OBJECT_TYPE = '*USRPRF'
and journal_entry_type<>'ZC'; -- Don't want to know about password changes,
etc

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related questions.

Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.