× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Le 04/05/2022 à 16:46, Greg Wilburn a écrit :
As you can see... there's a bit more than just ZR & ZC entries.

Not looking for a solution here... just odd, since it shouldn't be doing this based on what I've read.
I can still try to help :-)

System value . . . . . : QAUDLVL
Description . . . . . : Security auditing level
Auditing Auditing
options options
*NONE
------------------------------------------------------------

System value . . . . . : QAUDCTL
Description . . . . . : Auditing control
Auditing
control
*OBJAUD
*OBJAUD here drives ZC/ZR entries. There will be one for objects with audit attribute either set to *CHANGE/*ALL or set to *USRPRF *and* accessed by a user profile with object audit attribute set to *CHANGE/*ALL.
*NOQTEMP
*AUDLVL
If you want to remove all auditing, you have to set QAUDCTL to *NONE.
------------------------------------------------------------

Journal . . . . . . : QAUDJRN Library . . . . . . : QSYS
Largest sequence number on this screen . . . . . . : 00000000000000002436
Type options, press Enter.
5=Display entire entry
Opt Sequence Code Type Object Library Job Time
2425 T CA IT01A 17:45:17
2426 T CA IT01A 17:45:17
2427 T OW IT01A 17:45:21
2428 T CA IT01A 17:45:21
2429 T CA IT01A 17:45:21
2430 T CA IT01A 17:45:21
2431 T OW IT01A 17:45:25
2432 T CA IT01A 17:45:25
2433 T CA IT01A 17:45:25
2434 T CA IT01A 17:45:25

I never wondered which QAUDCTL/QAUDLVL/QAUDLVL2 setting drives CA (Change Authority) and OW (Change Ownership) entries. Now that I look at the documentation, I find none which explicitly drives them. My assumption now is that they come also with *OBJAUD in QAUDCTL. Unfortunately, I have no way to check my assumption. Those entries might also come for user profiles with audit level attribute (AUDLVL) including *SECRUN.

In the sequences you provide above, I believe that the OW and then the three subsequent CA are related to the same operation. They are due to the creation of an object by a user profile set with GRPPRF(someprofile) and OWNER(*GRPPRF). For each creation, there should be one OW entry for object ownership swap from the individual user profile to the groupe profile and several CA entries to remove individual user profile authority and add group profile authority. However, I find strange that the columns Object and Library are empty in your report, because this behavior of OW and CA applies to QSYS file system, and not to the other file systems under / (root). The detail of each entry would definitively help to conclude.

2435 T ZC EDISR5 19:00:05
2436 T ZC EDISR5 19:00:05



-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Marc Rauzier
Sent: Tuesday, May 3, 2022 4:20 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: QAUDJRN

Le 03/05/2022 à 21:17, Greg Wilburn a écrit :
So I'm ready to turn this thing off... Actually, I already have.

I changed QAUDCTL to *NONE, but because my QAUDJRN was setup with MNGRCV(*SYSTEM) it creates a new receiver each morning when we IPL.
That's the normal behavior of journal management. You should only see
entries related to journal and receivers management, such as new
receiver created and attached, previous receiver detached, journal and
receivers backed up... This cannot use a lot of disk space. If you
specify DLTRCV(*YES) for AUDJRN journal, you will have only one receiver
in the chain, even if it is not really a recommended setup for QAUDJRN
journal. If you do no longer want to use audit (well, this is not really
recommended nowadays) and do not want to manage the journal, you can
delete it then delete the receivers.
BUT, according to IBM there shouldn’t be anything in the receiver file. There are definitely ZC entries.
Unless I am wrong, ZC/ZR entries come with QAUDCTL system value set with
*OBJAUD. So that is quite strange if they are still here when QAUDCTL is
set to *NONE. Are you sure that those ZC entries are *after* QAUDCTL was
set to *NONE?
I'm so frustrated right now... why would IBM give you something that has the potential to EAT DISK SPACE at an alarming rate, yet not provide any "cleanup" tools that aren't supplied "AS-IS". Yet we are supposed to turn this on??
Audit journal needs to be properly managed. Normally, you may want to
backup then delete the receivers and keep the backup long enough to
comply with security rules which require the ability to analyse them in
case of security failure. If you do not want to create tools for that, I
suggest you to look at some commercial software. Security becomes more
and more a key topic nowadays.
FWIW, the DB2 Web Query folks came back and said to turn off auditing on the directory (and subtree) that is generating 99.7% of the AF entries.
As far as I know, you cannot do that. There is no directory or file or
object attribute which prevents Authority Failures entries in audit
journal. As soon as QAUDLVL(2) system value includes *AUTFAIL, the
system will log *all* authority failures. This will always be a matter
for security administrator to solve them with setting up appropriate
authority. My 2 cents.
Is this really worth all the effort?

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2023 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.