Steve MxKay wrote on 05/02/2008 10:16:32 AM:

The program uses SNDJRNE to write a user-defined journal entry (type LC)
to QAUDJRN, it does not write a "CD" audit record at all. Command auditing
is turned on by
(1) using the AUDLVL parm of RTVUSRPRF to get the current audit level
(2) calling QSYSGETPH to get the profile handle
(3) changing the audit level of the profile with CHGUSRAUD
(4) calling QWTSETP to set the handle
(5) calling QSYRLSPH to release the handle.

So I'm looking for the audited commands in QAUDJRN. I find any commands
entered from the QCMD command line but none entered after a command with
its own command line (WRKACTJOB) until the user returns to QCMD via
F3/F12/etc.

The LOGCMD program would not be writing the CD audit records because the
system will do that for you if auditing is turned on and if *CMD auditing
is specified for the user profile. I would not trust any audit records
written to the security audit journal by the SNDJRNE command. For example,
a devious programmer could change a program to write fake LC audit records
to indicate another user used a command that they did not use.

If you are not seeing the CD audit records then it sounds to me like
security auditing is not turned on, or the LOGCMD program does not
correctly turn on *CMD auditing for the current job, or perhaps the trick
to swap to the current user profile to pick up user profile changes does
not work for CHGUSRAUD changes. Please use DSPSECAUD to verify that
security auditing is turned on for your system. If not you can use
CHGSECAUD to turn it on.

The LOGCMD program will not log commands entered on a WRKACTJOB command
line because it never sees those commands. The system sees them so it will
write CD audit records for them if auditing is on and *CMD auditing is
turned on for the user.

Ed Fishel,
edfishel@xxxxxxxxxx



This mailing list archive is Copyright 1997-2020 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].