Of course, QIBM_QCA_RTV_COMMAND can be used to monitor the offending commands, 
and SNDJRNE or QJOSJRNE to send a U journal entry to qaudjrn. 
Now all that is left to do is to have a correlation engine that will recognize 
a modification pattern.....
I still prefer having a a native as400 audit of the change variables commands.

  ----- Original Message ----- 
  From: Shalom Carmel 
  To: security400@xxxxxxxxxxxx 
  Sent: Sunday, July 02, 2006 8:10 PM
  Subject: Re: STRSRVJOB and database journal entries,

  I looked at the level of detail provided by the audit journal. 
  It says that a strsrvjob command was executed on job X by user Y. 
  As Ed pointed out, you must have *SERVICE in the auditing definitions or even 
this information is omitted.
  On the other side of the issue, let's see what does *USE authority to user 
profiles mean.

  a. A user with *ALLOBJ has *USE authority to all user profiles.
  b. A user who is the owner of the user profile can grant herself *USE 
authority if she does not have it already.
  c. A user has automatic *USE to the group profile that she belongs to.
  d. QSYSOPR does not need *USE authority.

  Considering the common practices in most as400 shops, I would feel much 
better if CHGPGMVAR, CHGPTR and their kin were also logged to the audit journal 
under some code, or if the database journal had an indication of being created 
in a debug session. 


As an Amazon Associate we earn from qualifying purchases.

This thread ...


Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.