Ed -

I've played with this most of the day and have come to the conclusion that
you're correct - Wayne's trick of swapping to the same user profile without
specifying *CURRENT has probably been PTFed and no longer works. Here is
the code in question:

CALL PGM(QSYGETPH) PARM(&USER '*NOPWD' &LOGCMD)   /* get a profile handle for &USER, no password */
CHGUSRAUD USRPRF(&USER) AUDLVL(&AUDLVL)           /* turn on *CMD auditing for the profile */
CALL PGM(QWTSETP) PARM(&LOGCMD)                   /* swap the job to that handle */
CALL PGM(QSYRLSPH) PARM(&LOGCMD)                  /* release the handle */

&USER comes from an earlier RTVUSRPRF RTNUSRPRF(&USER) AUDLVL(&AUDLVL)
&AUDLVL is changed to contain the string '*CMD'
&LOGCMD is just a 12 character field to hold the handle.

When I execute this part of the program followed by a call to QCMD, the
&USER user profile (my user profile) has *CMD as an "auditing action" but
subsequent commands entered do not show up in QAUDJRN. If I immediately
sign off and back on, all commands entered after sign on are logged to
QAUDJRN, so it appears that the warning in CHGUSRAUD about changes not
taking effect until another job is started for the user is being enforced.

Do I have other options without setting everyone's profile auditing action
to *CMD or executing the *SPENDMONEY (RIP Al B.) command?

Thanks,

Steve



"Ed Fishel" <edfishel@xxxxxxxxxx> wrote in message
news:mailman.1072.1209733290.26483.security400@xxxxxxxxxxxxxxx
Steve McKay wrote on 05/01/2008 10:58:27 AM:

I have a copy of Wayne Evans' LOGCMD program/command. This allows specified
non-admin users to gain *ALLOBJ authority and records the commands they
enter to QAUDJRN by acquiring a user profile handle, turning on *CMD
auditing on the user profile, and processing the entered commands as
messages from the external message queue. This works well if the user stays
on the QCMD screen that is initially displayed. If the user enters some
command that has its own command line (WRKACTJOB, for instance), any
commands entered on that command line do not get recorded in QAUDJRN.

Does someone know of a way to correct this behavior or of another method of
giving users (on-call programmers, actually) a way to respond to problems
which would require *ALLOBJ authority without actually giving them *ALLOBJ
on their user profile?

I do not believe that I have ever seen the source for Wayne's LOGCMD
program and I have never used that program. (Also I could not find the
source when I looked on the internet.) From your description I can make a
few guesses about what the program is doing. The help text for CHGUSRAUD
indicates that the changes take effect the next time a job is started for
the user. Years ago Wayne showed me a trick that would cause changes to a
user profile to be effective right away. The trick was to swap user profile
to the same profile (but not using *CURRENT). This causes the changes to be
picked up in the current job. I do not know if this works for all
attributes of a user profile but it does work for some. So this explains
why the profile handle was used to swap user profiles after *CMD auditing
was turned on for the user profile.

I have placed commands on an external message queue and then run them by
calling QCMD. I can also explain why that trick does not work for command
lines like the one on WRKACTJOB. What I can't explain is why the LOGCMD
program does this. Using an external message queue would not help the
auditing of the commands to the security audit journal. Are you sure that a
CD (Command String) audit record is written to the security audit journal
for every command written under LOGCMD except for the ones entered on
other command lines than QCMD? That does not make any sense. Once command
auditing is on for a user, every command they enter should be audited. Even
commands from within CL programs they use will be audited, but sometimes
not all command parameters will be placed in the audit journal. Is it
possible that you are looking for the audited commands in the external
message queue instead of the security audit journal?

I believe that one or more of the more popular security vendors have
products similar to what you are looking for.

Ed Fishel,
edfishel@xxxxxxxxxx
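The sequence both messages above describe (retrieve the user, turn on *CMD auditing, get a password-less profile handle for the same user, swap to it, give the user a command line, release the handle), written out as one complete CL program. This is an added example, not Wayne Evans' LOGCMD and not code posted by Steve or Ed. It assumes the program is compiled with USRPRF(*OWNER) and owned by a profile holding *AUDIT special authority (which CHGUSRAUD requires), and the label names and MONMSG handling are this example's own choices.

```cl
/* Added example, not Wayne Evans' LOGCMD and not code posted in     */
/* this thread. It strings together the steps the thread describes: */
/* find the current user, turn on *CMD auditing for that profile,   */
/* get a password-less profile handle for the same user, swap to    */
/* it, give the user a command line, and release the handle.        */
/* CHGUSRAUD needs *AUDIT special authority, so the assumption is   */
/* that this program is compiled with USRPRF(*OWNER) under a        */
/* profile that has it.                                             */
             PGM
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&HANDLE) TYPE(*CHAR) LEN(12)

             /* Profile the job is currently running under */
             RTVUSRPRF  RTNUSRPRF(&USER)

             /* Ask for command auditing on this profile. Per the      */
             /* CHGUSRAUD help text, this takes effect for jobs        */
             /* started after the change, not for the current job.     */
             CHGUSRAUD  USRPRF(&USER) AUDLVL(*CMD)

             /* Profile handle for the same user with no password,     */
             /* then swap the job to that handle with QWTSETP. The     */
             /* thread reports that on current PTF levels this swap    */
             /* no longer pulls the new AUDLVL into the running job.   */
             CALL       PGM(QSYGETPH) PARM(&USER '*NOPWD' &HANDLE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(END))
             CALL       PGM(QWTSETP) PARM(&HANDLE)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(RELEASE))

             /* Command entry display for the user; keep going to the  */
             /* release step even if the user's work ends in error.    */
             CALL       PGM(QCMD)
             MONMSG     MSGID(CPF0000)

 RELEASE:    CALL       PGM(QSYRLSPH) PARM(&HANDLE)
 END:        ENDPGM
```

Given Steve's observation, a job running this program would show *CMD on the profile but not write CD entries for commands entered at the QCMD screen; the entries appear only in the next job started for that user. The handle is released on every path after it is obtained, so a failed QWTSETP or an error inside QCMD does not leave a live handle behind.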



