× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. May 2022

Re: QAUDJRN

The CA and OW entries would not be generated with the configuration you show
below.

When were those entries created? Places a 5 by them, then press F15 to get
more detail. It had to have been before you turned auditing off. Actually
from what you show below, auditing is still on just is a very limited way.

Consider auditing just for authority failures. Then if you're seeing a lot
of AF entries, do some research and fix the authority issues. If the number
of entries is so high, turn auditing on for just 15 minutes.

While this would not be the recommended setting, it would allow you to
identify and fix a serious issue while keeping disk usage under control.

Try these settings.

CHGSECAUD QAUDCTL(*AUDLVL *NOQTEMP)
CHGSYSVAL SYSVAL(QAUDLVL) VALUE(*AUTFAIL)
CHGSYSVAL SYSVAL(QAUDLVL2) VALUE(*NONE)

Use the following query to identify the job that is causing the AF entries.

SELECT
VIOLATION_TYPE, VIOLATION_TYPE_DETAIL, USER_NAME, JOB_NAME,
JOB_USER, JOB_NUMBER, PROGRAM_LIBRARY, PROGRAM_NAME,
REMOTE_ADDRESS, OBJECT_LIBRARY, OBJECT_NAME, OBJECT_TYPE, PATH_NAME
FROM TABLE(
SYSTOOLS.AUDIT_JOURNAL_AF(
STARTING_TIMESTAMP => CURRENT TIMESTAMP - 1 DAY))
WHERE PATH_NAME IS NOT NULL

I've seen many times where the Journal receivers created by auditing started
chewing up disk space. When that happened, there was always a job that was
in a loop, and it was frequently due to an authority issue. The problem
would have gone unnoticed if it were not for auditing.

It's also a good idea to have some system monitoring process in place to
check for available disk space and/or the number of journal receivers used
by auditing.

There are of course other things to consider when auditing. Saving and
deleting the Audit Receivers, what Library to save the receivers in, a
couple other System Values.

The information available by auditing is amazing, especially if you need it.
Turning auditing off is not the best solution.

message: 2
date: Wed, 4 May 2022 14:46:56 +0000
from: Greg Wilburn <gwilburn@xxxxxxxxxxxxxxxxxxxxxxx>
subject: RE: QAUDJRN

As you can see... there's a bit more than just ZR & ZC entries.

Not looking for a solution here... just odd, since it shouldn't be doing
this based on what I've read.

System value . . . . . : QAUDLVL
Description . . . . . : Security auditing level


Auditing Auditing
options options
*NONE

------------------------------------------------------------

System value . . . . . : QAUDCTL
Description . . . . . : Auditing control


Auditing
control
*OBJAUD
*NOQTEMP
*AUDLVL

------------------------------------------------------------

Journal . . . . . . : QAUDJRN Library . . . . . . : QSYS
Largest sequence number on this screen . . . . . . : 00000000000000002436
Type options, press Enter.
5=Display entire entry


Opt Sequence Code Type Object Library Job Time
2425 T CA IT01A 17:45:17
2426 T CA IT01A 17:45:17
2427 T OW IT01A 17:45:21
2428 T CA IT01A 17:45:21
2429 T CA IT01A 17:45:21
2430 T CA IT01A 17:45:21
2431 T OW IT01A 17:45:25
2432 T CA IT01A 17:45:25
2433 T CA IT01A 17:45:25
2434 T CA IT01A 17:45:25
2435 T ZC EDISR5 19:00:05
2436 T ZC EDISR5 19:00:05



-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Marc
Rauzier
Sent: Tuesday, May 3, 2022 4:20 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: QAUDJRN

Le 03/05/2022 ? 21:17, Greg Wilburn a ?crit?:
So I'm ready to turn this thing off... Actually, I already have.

I changed QAUDCTL to *NONE, but because my QAUDJRN was setup with
MNGRCV(*SYSTEM) it creates a new receiver each morning when we IPL.
That's the normal behavior of journal management. You should only see
entries related to journal and receivers management, such as new receiver
created and attached, previous receiver detached, journal and receivers
backed up... This cannot use a lot of disk space. If you specify
DLTRCV(*YES) for AUDJRN journal, you will have only one receiver in the
chain, even if it is not really a recommended setup for QAUDJRN journal. If
you do no longer want to use audit (well, this is not really recommended
nowadays) and do not want to manage the journal, you can delete it then
delete the receivers.
BUT, according to IBM there shouldn?t be anything in the receiver file.
There are definitely ZC entries.
Unless I am wrong, ZC/ZR entries come with QAUDCTL system value set with
*OBJAUD. So that is quite strange if they are still here when QAUDCTL is set
to *NONE. Are you sure that those ZC entries are *after* QAUDCTL was set to
*NONE?

I'm so frustrated right now... why would IBM give you something that has
the potential to EAT DISK SPACE at an alarming rate, yet not provide any
"cleanup" tools that aren't supplied "AS-IS". Yet we are supposed to turn
this on??
Audit journal needs to be properly managed. Normally, you may want to backup
then delete the receivers and keep the backup long enough to comply with
security rules which require the ability to analyse them in case of security
failure. If you do not want to create tools for that, I suggest you to look
at some commercial software. Security becomes more and more a key topic
nowadays.

FWIW, the DB2 Web Query folks came back and said to turn off auditing on
the directory (and subtree) that is generating 99.7% of the AF entries.
As far as I know, you cannot do that. There is no directory or file or
object attribute which prevents Authority Failures entries in audit journal.
As soon as QAUDLVL(2) system value includes *AUTFAIL, the system will log
*all* authority failures. This will always be a matter for security
administrator to solve them with setting up appropriate authority. My 2
cents.

Is this really worth all the effort?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives at
https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com

------------------------------


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.