Of course, QIBM_QCA_RTV_COMMAND can be used to monitor the offending commands, and SNDJRNE or QJOSJRNE to send a U journal entry to qaudjrn. Now all that is left to do is to have a correlation engine that will recognize a modification pattern..... I still prefer having a a native as400 audit of the change variables commands. Shalom ----- Original Message ----- From: Shalom Carmel To: security400@xxxxxxxxxxxx Sent: Sunday, July 02, 2006 8:10 PM Subject: Re: STRSRVJOB and database journal entries, I looked at the level of detail provided by the audit journal. It says that a strsrvjob command was executed on job X by user Y. As Ed pointed out, you must have *SERVICE in the auditing definitions or even this information is omitted. On the other side of the issue, let's see what does *USE authority to user profiles mean. a. A user with *ALLOBJ has *USE authority to all user profiles. b. A user who is the owner of the user profile can grant herself *USE authority if she does not have it already. c. A user has automatic *USE to the group profile that she belongs to. d. QSYSOPR does not need *USE authority. Considering the common practices in most as400 shops, I would feel much better if CHGPGMVAR, CHGPTR and their kin were also logged to the audit journal under some code, or if the database journal had an indication of being created in a debug session. Shalom
As an Amazon Associate we earn from qualifying purchases.
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.