Steve McKay wrote on 05/01/2008 10:58:27 AM:
I have a copy of Wayne Evans' LOGCMD program/command. This allowsspecified
non-admin users to gain *ALLOBJ authority and records the commands theystays
enter to QAUDJRN by acquiring a user profile handle, turning on *CMD
auditing on the user profile, and processing the entered commands as
messages from the external message queue. This works well if the user
on the QCMD screen that is initially displayed. If the user enters someof
command that has it's own command line (WRKACTJOB, for instance), any
commands entered on that command line do not get recorded in QAUDJRN.
Does someone know of a way to correct this behavior or of another method
giving users (on-call programmers, actually) a way to respond to problems*ALLOBJ
which would require *ALLOBJ authority without actually giving them
on their user profile?
I do not believe that I have ever seen the source for Wayne's LOGCMD
program and I have never used that program. (Also I could not find the
source when I looked on the internet.) From your description I can make a
few guesses about what the program is doing. The help text for CHGUSRAUD
indicates that the changes take effect the next time a job is started for
the user. Years ago Wayne showed me a trick that would cause changes to a
user profile to be effective right away. The trick was to swap user
to the same profile (but not using *CURRENT). This causes the changes to
picked up in the current job. I do not know if this works for all
attributes of a user profile but it does work for some. So this explains
why the profile handle was used to swap user profiles after *CMD auditing
was turned on for the user profile.
I have placed commands on an external message queue and then run them by
calling QCMD. I can also explain why that trick does not work for command
lines like the one on WRKACTJOB. What I can't explain is why the LOGCMD
program does this. Using an external message queue would not help the
auditing of the commands to the security audit journal. Are you sure that
CD (Command String) audit record is written to the security audit journal
for every command written under LOGCMD except for the ones entered on
commands lines than QCMD? That does not make any sense. Once command
auditing is on for a user, every command they enter should be audited.
commands from within CL programs they use will be audited, but sometimes
not all command parameters will be placed in the audit journal. Is it
possible that you are looking for the audited commands in the external
message queue instead of the security audit journal?
I believe that one or more of the more popular security vendors have
products similar to what you are looking for.