TAA Tools
AUDITING        SYSTEM AUDITING                            TAAAUDA

This is a  documentation member only  to help understand the  basics of
auditing  on  the system  and  some of  the  helpful TAA  Tools.   This
provides  an overview  and some simple  examples of how  to get started
with auditing.

There are  many  advanced functions  supported by  the  system and  TAA
which are not discussed.

                   System Auditing Support

Audit Journal

The system  provides for  the Audit Journal  QAUDJRN.  The  system will
send  journal entries to the  journal based on what  you want to audit.
The journal must be created in order to be used.

The system provides  a simple command  (CHGSECAUD) to start  journaling
and set the basic  system values, but to understand  the concepts it is
better to issue the individual commands.

Before  creating  QAUDJRN, you  must  first create  a  journal receiver
such as:

            CRTJRNRCV  JRNRCV(xxx/AUD000001)
                         TEXT('QAUDJRN receiver')

You should place the receiver in  a library that is normally backed  up
on a  daily basis such  as QGPL  (do not place  it in  QSYS).  Using  a
generic  name such  as  AUD000001  allows the  system  to automatically
generate   the  next  name  on  each   IPL  or  with  CHGJRN  (see  the
JRNRCV(*GEN) option).   If AUD000001 is  the current journal  receiver,
AUD000002 would be the next generated journal receiver name.

Once  the  journal  receiver  is  created, you  can  create  the  Audit

           CRTJRN      JRN(QSYS/QAUDJRN)
                         TEXT('Audit Journal')

The  QAUDJRN journal must be created in  library QSYS.  The default for
MNGRCV is *SYSTEM  meaning the system will  automatically create a  new
journal receiver at each IPL.

You must manage the  deletion of old receivers when  required.  You can

           WRKJRNA     JRN(QAUDJRN)

*                                                                    *
*                   Work with Journal Attributes                     *
*                                                                    *
*  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
*                                                                    *
*  Attached receiver  . :   AUD000005       Library  . . . . . . :   *
*                                                                    *
*  Text . . . . . . . . :   Audit journal                            *
*                                                                    *
*  ASP  . . . . . . . . :   1               Journaled objects:       *
*  Message queue  . . . :   QSYSOPR           Current  . . . . . :   *
*    Library  . . . . . :     *LIBL           Maximum  . . . . . :   *
*  Manage receivers . . :   *SYSTEM         Recovery count . . . :   *
*  Delete receivers . . :   *NO             Receiver size options:   *
*  Journal cache  . . . :   *NO                                      *
*  Manage delay . . . . :   10                                       *
*  Delete delay . . . . :   10                                       *
*  Journal type . . . . :   *LOCAL                                   *
*  Journal state  . . . :   *ACTIVE                                  *
*  Minimize entry data  :   *NONE                                    *
*                                                                    *
*  F3=Exit   F5=Refresh   F12=Cancel   F17=Display attached receiver *
*  F19=Display journaled objects       F24=More keys                 *
*                                                                    *

Press F24  to see more command keys.  The  command key lines would then
appear as:


*  F13=Display journaled files        F14=Display journaled access p *
*  F15=Work with receiver directory   F24=More keys                  *


Use F15 to see the list of attached receivers.

After using F15, a display appears such as:

*                                                                    *
*                    Work with Receiver Directory                    *
*                                                                    *
*  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
*                                                                    *
*  Total size of receivers (in kilobytes)  . . . . . . . . . . . :   *
*                                                                    *
*  Type options, press Enter.                                        *
*    4=Delete   8=Display attributes                                 *
*                                       Attach                       *
*  Opt  Receiver    Library     Number  Date      Status             *
*   _   AUD000001   QGPL        00001   12/16/09  SAVED              *
*   _   AUD000002   QGPL        00002   12/16/09  SAVED              *
*   _   AUD000003   QGPL        00003   12/16/09  SAVED              *
*   _   AUD000004   QGPL        00004   12/16/09  ONLINE             *
*   _   AUD000005   QGPL        00005   12/17/09  ATTACHED           *
*                                                                    *
*  Parameters or command                                             *
*  ===> ___________________________________________________________  *
*  F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve   F11=Display size *
*  F12=Cancel                                                        *
*                                                                    *

A delete  option exists  from the  display.   An  inquiry message  will
appear if you  attempt to delete a  journal receiver that has  not been
saved.  You cannot delete the currently attached receiver.

Authorizations to the *JRN and *JRNRCV objects

To  allow a  user profile  like QSYSOPR  to be  able  to use  CHGJRN to
create  the  next journal  receiver  and to  delete  journal receivers,

                        AUT(*OBJOPR *OBJMGT *UPD)

Note  that this  is  authority  to  the journal  object  and  does  not
provide *ALLOBJ authority.

When either  the CRTJRN MNGRCV(*SYSTEM) or  CHGJRN JRNRCV(*GEN) options
are  used, the system will  generate the new  journal receiver with the
same authorities as the previous journal receiver.

You should avoid  giving *ALL authority  to an operator  for a  journal
object as this will allow the user to display some journal entries.

System Values

The  system will  cause some  journal entries  to occur  automatically,
but  most  of the  audit entries  are  optional and  are  controlled by
system values and commands.

The system values may  be locked by  SST/DST.  If so,  they need to  be
unlocked before making changes.

  **   QAUDCTL (Audit  Control).  This  is a  'list type' which  allows
       multiple entries.   You can read the details  of each option but
       a typical set of entries would include:

         --   *AUDLVL  -  Allows the  system  value QAUDLVL  to control
              what is audited.

         --   *OBJAUD  -  Allows  audit  entries  to  occur  for  those
              objects specified by the CHGOBJAUD command.

         --   *NOQTEMP  - Avoids  auditing actions  against objects  in
              QTEMP  which most  users  would consider  excess overhead
              and non-informative.

       You can  change the  QAUDCTL system  value  with CHGSECAUD,  but
       you  should  be  familiar  with   using  the  WRKSYSVAL  command


       Use  Option 2 to change  and enter the  values *AUDLVL, *OBJAUD,
       and *NOQTEMP.

       Press Enter  and then  use  Option 5  to  display.   The  values
       should appear as:


  **   QAUDLVL  and QAUDLVL2.    These are  'list  type' system  values
       which  allow multiple  entries.   The system  originally shipped
       QAUDLVL,  but there was  room for only 16  options so the system
       added QAUDLVL2 with room for  99 options.  It is  recommended to
       set QAUDLVL  to *AUDLVL2  and use the  QAUDLVL2 system  value to
       control auditing:

       You  can   change  the  system  values  with  CHGSECAUD  or  use


       Use Option 2 to change and enter the value *AUDLVL2.

       Press Enter  and  then  use Option  5  to display.    The  value
       should appear as:


       The QAUDLVL2  system value will  allow you to  specify different
       kinds  of  options  which  will  cause  journal  entries  to  be
       written.  In  general, it is  very easy to journal  too much  so
       it is  best  to begin  with the  basics until  you get  familiar
       with the process.

       The  minimum you should  consider is  *AUTFAIL which  will cause
       an audit entry when a security violation occurs.

       Use WRKSYSVAL:


       Use Option 2 to change and enter the value *AUTFAIL.

       Press  Enter  and  then use  Option  5  to display.    The value
       should appear as:


To force  an  audit failure  journal  entry, signon  as  a normal  user
(without *SECADM special authority) and enter:


You should  see a message  that *SECADM is  required.  This  error will
cause  an auditing  entry if  you requested  *AUTFAIL for  the QAUDLVL2
system value.

  **   QCRTOBJAUD.  This  important system  value is  discussed in  the
       next section.

Auditing Specific Objects or Users

Causing a  journal entry  for auditing  is also  called 'logging'.   If
you  want to  log various  occurrences,  there are  a few  commands you
should become familiar with:

     - CHGOBJAUD - Change Object Auditing
                     Controls logging of events on individual objects

     - CHGAUD    - Change auditing
                     Similar to CHGOBJAUD, but typically used to log
                       events to IFS objects such as stream files

     - CHGUSRAUD - Change User Auditing
                     Controls logging of events by individual users

The CHGOBJAUD OBJAUD  (object auditing value)  parameter describes  the
type of  logging required  for a  specific object  (the same  parameter
exists on CHGAUD).  You have a choice of *ALL, *CHANGE, or *USRPRF.

  **   *ALL means any read or change activity.

  **   CHANGE  means  either  the  data  was  changed  or  one  of  the
       attributes of the object was changed.

  **   *USRPRF is described later.

Note  that using  CHGOBJAUD by  itself may  not cause a  journal entry.
There are a  set of complex  rules, but typical  auditing of an  object
requires the system value QAUDCTL to be set for *OBJAUD.

If you  want to  log any read  or change activity  to the  PAYROLL file
regardless of the user, you would specify:


If you want to log just the change activity, you would specify:


CHGOBJAUD  will allow you to  set or reset the  auditing value for one,
generic, or all objects in a library, by library list, etc.

The other OBJAUD option  is *USRPRF and  works in conjunction with  the
CHGUSRAUD command.   The *USRPRF option  requests to log  activity only
when  a  user  profile  that has  been  set  by  the CHGUSRAUD  command
performs an action.   CHGUSRAUD also provides  for an OBJAUD  parameter
that determines the type of activity that will cause logging.

For example,  if you want to  log any change  activity by USER1  to the
PAYROLL file, you would specify:


Note  that  you  cannot cause  different  logging  for  a user  profile
depending  on the object.   It must  be either *CHANGE  or *ALL for all
objects that specify OBJAUD(*USRPRF).

The  other  use  of  CHGUSRAUD  is  to  log  specified  actions  for  a
particular user.   For example, if you want to log  all commands run by
the QSECOFR profile, you would enter:


Specifying  *CMD will log not only  the commands entered interactively,
but also those  in any CL  programs.  It  can cause  a lot of  logging.
See  the later  discussion of  'Auditing  *ALLOBJ users'  for some  TAA
command help'.

If  you review  the help text  for the  AUDLVL parameter, you  will see
many of the  same options  that are  available for  the QAUDLVL  system
value.  If  you had already specified  an option such as  *SECURITY for
the QAUDLVL  system value, you don't need to  specify it with CHGUSRAUD
for a specific user.

CHGUSRAUD  will allow  you to  set the auditing  value for  one or more

Another method of causing auditing  of objects is to use  the CRTOBJAUD
parameter   on  CRTLIB   or  CHGLIB.     The   companion   commands  of
CRTDIR/MKDIR  can be  used in a  similar manner  to set  auditing for a
directory.  You  can request  the same  values for an  object of  *ALL,
*CHANGE, or *USRPRF.   Once you make a change,  any new objects created
in  the library  (or directory)  will  automatically have  their OBJAUD
value set as per the library level value.

The default  on  CRTLIB/CRTDIR/MKDIR  for the  CRTOBJAUD  parameter  is
*SYSVAL which  refers  to the  system value  QCRTOBJAUD.   This can  be
used to set the value for all new libraries.

The  important thing  to note is  that setting  the library  level does
not affect existing objects.

You  can determine  the object  auditing value  for an object  by using
DSPOBJD.  Display the full attributes and use rollup.

You can  determine the  auditing information  for a  user profile  with
DSPUSRPRF and several rollup requests.

IFS Objects

IFS objects  (or library objects) can  be set to start  auditing by use
of  the CHGAUD command  as described previously.   The  audit value may
be seen by using  WRKLNK and Option 8.   RTVIFSED2 retrieves the  value
and DSPIFSED  also displays  the value.   A  special command  DSPIFSAUD
may be used.  CVTIFS also has the value in the IFAUDT field.

Audit Entries

Any  logging that occurs creates  a journal entry.   The system command
that displays the journal entries is DSPJRN:

          DSPJRN       JRN(QAUDJRN)

*                                                                    *
*                     Display Journal Entries                        *
*                                                                    *
*  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
*  Largest sequence number on this screen  . . . . . . : 00000000006 *
*  Type options, press Enter.                                        *
*    5=Display entire entry                                          *
*                                                                    *
*  Opt    Sequence  Code  Type  Object      Library     Job          *
*   _            1   J     PR                           SCPF         *
*   _            2   T     AF                           QYPSJSVR     *
*   _            3   T     AF                           QYPSJSVR     *
*   _            4   T     ZC                           DSP01        *
*   _            5   T     ZC                           DSP01        *
*   _            6   T     ZC                           DSP01        *
*                                                                    *
*  F3=Exit   F12=Cancel                                              *
*                                                                    *

DSPJRN is a complex command with  lots of options and can be  difficult
to work with.  The  basic use of the command just  displays the entries
as they exist in the current journal receiver.

Each journal  entry is assigned  a 'code', a  'type', and a  'sub type'
based  on the condition.  A code of 'J'  means it is an entry caused by
an operation on a journal or journal receiver.

The typical code  that you will want  to look at  is the 'T' value  for
auditing  entries.   A type  of 'AF'  indicates an  'authority failure'
such as  where a user has attempted to  display a secure library.  Type
ZC indicates an object change.

Option 5 from  the DSPJRN  display will  let you see  the entire  entry
which is a string of data.  This can be difficult to interpret.

*                                                                    *
*                     Display Journal Entry                          *
*                                                                    *
*  Object . . . . . . . :                   Library  . . . . . . :   *
*  Member . . . . . . . :                                            *
*  Incomplete data  . . :   No              Minimized entry data :   *
*  Sequence . . . . . . :   5                                        *
*  Code . . . . . . . . :   T  - Audit trail entry                   *
*  Type . . . . . . . . :   ZC - Object change access                *
*                                                                    *
*              Entry specific data                                   *
*  Column      *...+....1....+....2....+....3....+....4....+....5    *
*  00001      'CAUDLOGP   AUDLOG    *FILE      AUDLOGP           '   *
*  00051      '                                                  '   *
*  00101      '                                                  '   *
*  00151      '                                                  '   *
*  00201      '                                                  '   *
*  00251      '                                                  '   *
*  00301      '                                                  '   *
*                                                                    *
*  Press Enter to continue.                                          *
*                                                                    *
*  F3=Exit   F6=Display only entry specific data                     *
*  F10=Display only entry details   F12=Cancel   F24=More keys       *
*                                                                    *

An option (F10)  from the detail display  will let you see  the details
of the job that caused the entry.

*                                                                    *
*                          Display Journal Entry Details             *
*                                                                    *
*  Journal  . . . . . . :   QAUDJRN         Library  . . . . . . :   *
*                                                                    *
*  Sequence . . . . . . :   5                                        *
*  Code . . . . . . . . :   T  - Audit trail entry                   *
*  Type . . . . . . . . :   ZC - Object change access                *
*                                                                    *
*  Object . . . . . . . :                                            *
*    Type . . . . . . . :                                            *
*  Date . . . . . . . . :   12/17/09                                 *
*  Time . . . . . . . . :   14:56:57                                 *
*  Flag . . . . . . . . :   0                                        *
*  Count/RRN  . . . . . :   0                                        *
*  Commit cycle ID  . . :   0                                        *
*  Nested commit level  :   0                                        *
*  Job  . . . . . . . . :   001338/QPGMR/DSP01                       *
*  User profile . . . . :   QPGMR                                    *
*  Ignore APY/RMV . . . :   No                                       *
*  Ref constraint . . . :   No                                       *
*                                                                    *
*  F3=Exit   F10=Display entry   F12=Cancel   F14=Display previous e *
*  F15=Display only entry specific data                              *
*                                                                    *

The  system supports  a command  to copy  the audit  entries to  a data
base file:

              CPYAUDJRNE  (added in V5R4)

By default, the  journal code T  and entry type AF  entries are  copied
to the QAUDITAF  file in QTEMP.  The  file may then be queried  such as
with the RUNQRY command:


There  is also  a command  that will  display  the entries,  but should
only be used for simple requirements.


This would display the authority failures.

CPYAUDJRNE  may  also be  used to  help  review different  detail audit
entries.  See the later section on 'Example of CPYAUDJRNE'.

Other comments

An important  aspect about the  Audit Journal (or  any *JRN object)  is
that  it is  a very  secure object.   You  cannot change  or  delete an

But  you do have  to manage the  journal receivers.  You  can save them
to offline storage before  deleting them if there  is a requirement  to
be able to review past history.

You  can  write your  own  entries  to  the  journal with  the  SNDJRNE

                       TAA Support

Audit Log

Because  the DSPJRN  and DSPAUDJRNE commands  are not  necessarily easy
to work with, TAA  provides the AUDLOG tool  to assist.  This  requires
that the  journal entries be  converted to data  base files where  they
can be manipulated more easily.

You begin by creating the AUDLOG data base files such as:

              CRTAUDLOG   AUDLOGLIB(xxx) ENTDTALEN(200)

Any  library  may be  used.    The AUDLOGP  physical  file and  several
logical  files will be created.   The ENTDTALEN parameter describes the
length of  the field  for the entry  data.   You may  describe a  field
length of 102 to  1000.  This is a fixed length  field.  The longer the
field,  the larger  the required  space for each  entry in  the AUDLOGP
file.  The minimum of  102 will not let you  see all of the entry  data
for some journal entries (the remainder would be truncated).

It is  possible to start with  an entry of  200 and change to  a longer
or  shorter  length.    You  would  have  to  use  DLTAUDLOG  and  then

To get the  journal entries  out of the  QAUDJRN journal  and into  the
TAA files,  you  must perform  a conversion.   This  can be  done on  a
periodic basis or when you need to such as:


The  command is  smart enough to  know what  entries have  already been
converted  so  it will  just convert  the new  ones.   There is  also a
separate tool CVTAUDLOG3 which  will allow a conversion as  the entries
occur.    This requires  more  overhead,  but  allows DSPAUDLOG  to  be
usable  without a  prior conversion  step.   CVTAUDLOG3 also  allows an
option that  will  send a  message if  a  specific journal  entry  type

Once  the  entries  are  converted,  you  can  display  them  with  the
DSPAUDLOG command:


*                                                                    *
*                          Audit Log                                 *
*                                                              12/17 *
*  Pos to System:   TAASYS13    Date - YYMMDD:  091217    Time  0000 *
*                                                                    *
*  Type options, press Enter.                        AUDLOGP library *
*     5=Display abbreviated entry    7=Display full entry            *
*                                                                    *
*  Opt  System       Date       Time   Cde  Ent  Sub  User           *
*   _   TAASYS13  12/17/09    0:04:17   J   IN        *NONE          *
*   _   TAASYS13  12/17/09    0:05:21   J   NR        QSYS           *
*   _   TAASYS13  12/17/09    0:05:21   J   PR        QSYS           *
*   _   TAASYS13  12/17/09    0:07:51   T   AF    A   QYPSJSVR       *
*   _   TAASYS13  12/17/09    0:08:04   T   AF    A   QYPSJSVR       *
*   _   TAASYS13  12/17/09    9:57:16   T   ZC    C   QPGMR          *
*   _   TAASYS13  12/17/09    9:57:17   T   ZC    C   QPGMR          *
*                                                                    *
*  F3=Exit    F6=PRTAUDLOG    F9=Change -Pos To- order    F12=Cancel *
*  F17=Code descriptions                                             *
*                                                                    *

DSPAUDLOG  provides a  subfile  display of  the entries.    The default
display occurs in 'date' order.

You can use F9 to change the order to display by job, or user, etc.

After entering F9, you would see the following:

*                                                                    *
*                  Audit Log - Change -Position To Order             *
*                                                                    *
*  The access path in use is in order by *DATE                       *
*                                                                    *
*  New order   ________                                              *
*                                                                    *
*  Description                                                       *
*                                                                    *
*     *DATE        By System, Date, Time                             *
*     *CODE        By System, Code, Entry Type, Date, Time           *
*     *USER        By System, User, Date, Time                       *
*     *JOB         By System, Job, Date, Time                        *
*     *CODESUB     By System, Code, Entry Type, Sub Type, Date, Time *
*                                                                    *
*  F12=Cancel                                                        *
*                                                                    *

You can use  the input  fields at  the top  of the  subfile display  to
position to an entry.

Option 5  from  the subfile  display lets  you  see the  details of  an
entry.   This is a simpler  display to review than  the DSPJRN version,
but the entry data can still be confusing.

*                                                                    *
*                Audit Log - Detail Record Display                   *
*                                                           12/17/09 *
*  Entry date and time . . :   12/17/09  at  9:57:16                 *
*  Journal code  . . . . . :   T  =  Audit                           *
*  Entry type  . . . . . . :   ZC       Sub entry type = C           *
*  Entry type/subtype text :   Change of an object                   *
*  User  . . . . . . . . . :   QPGMR                                 *
*  Qualified job name  . . :   DSP01        QPGMR        001316      *
*  System name . . . . . . :   TAASYS13                              *
*  Journal sequence number :            4                            *
*  Program causing entry . :   TAASEDSR2                             *
*  Object/Library/Member . :                                         *
*  Data length . . . . . . :      689                                *
*  Entry data  . . . . . . :   CAUDLOGP   AUDLIB    *FILE      AUDLO *
*                                                                    *
*  F3=Exit     F6=DSPDBFDTA     F12=Cancel      Press Enter to conti *
*                                                                    *

Each  journal entry code and  type supported by the  system has a model
data base  file  in QSYS.    The  F6 option  takes  the data  from  the
journal entry  and maps it onto  the model file  definition provided by
the  system.   This is not  a perfect  solution, but  does help explain
the entry.

After using F6, you would see:

*                                                                    *
*               TAA Display DBF Data       File:  QSYS/QASYZCJ4      *
*    Text:  Outfile for journal entry type ZC             12/17/09   *
*  Type options, press Enter.        Format:   QASYZCJ4    Record im *
*     5=Display                                                      *
*          C - Change of an object                                   *
*  Opt  Field text description                     Value             *
*       Name of object                             AUDLOGP           *
*       Library name                               AUDLIB            *
*       Object type                                *FILE             *
*       Type of access                             30                *
*       Object data                                AUDLOGP           *
*       Not used                                                     *
*       Object name length                         0                 *
*       Object name CCSID                          0                 *
*       Object name region ID                                        *
*       Object name language ID                                      *
*       Not used                                                     *
*       Parent directory file ID                                     *
*       Object file ID                                               *
*       Object name                                                  *
*                                                                    *
*  F3=Exit    F12=Cancel                                             *
*                                                                    *

There is also  a PRTAUDLOG command  which can be  used to list  entries
such as:

         PRTAUDLOG    JRNCDE((T AF))

An alternative  to DSPAUDLOG  and PRTAUDLOG  is the  SCNAUDLOG command.
SCNAUDLOG  allows normal  type  of selection  for such  fields  as job,
date, time,  user,  etc, but  also  allows a  scan  of the  entry  data

Most of  the 'T' audit  entries do not  update the object  data portion
of  a journal  entry.   Instead, the  object name  is within  the entry
data.   Consequently, you  cannot use DSPJRN,  CPYAUDJRNE, or DSPAUDLOG
to find the entries that  were caused by use or change of  a particular
object.   If you  were auditing  any changes to  the PAYROLL  file, you
could enter:


and  see all the  entries that had  the value PAYROLL  within the entry
data.  By default, a display  appears that is similar to the  DSPAUDLOG
display.  A print option also exists.

While the AUDLOG tool  makes it easier to work  with the audit entries,
it is  not as safe as  the journal.  Because data  base files are used,
it is possible to change an  entry.  You should minimize this  exposure
by limiting the number of users who can change the file.

You can also log any changes to the AUDLOGP file by specifying:


When CHGOBJAUD is  used, an entry is created  with a code of 'T'  and a
type of  'AD'.  When CVTAUDLOG is  run, there will be an  entry of code
'T'  with a type  of 'ZC'.  If  you display the  details of this entry,
it will tell  you the  program TAASEDSR2 in  TAATOOL (the program  used
by CVTAUDLOG) made the change.

You could use SCNAUDLOG to find the entries such as:


This  may  help  convince  an  auditor  that  the  AUDLOGP  is  a  true
representation of the QAUDJRN journal.

To delete old audit log entries that are no longer needed, use:

         MTNAUDLOG   RTNDAYS(30)

This will delete any entries that are older than 30 days.

Getting ready for an audit

No  two auditors will  want the  same information to  perform an audit.
Either you or they  will need standard  system or TAA functions  and/or
the need to write specific programs or queries.

A  good  tool  for  you  to consider  before  the  auditor  arrives  is
PRTSECAUD.   It  will print  a variety of  things you  should consider.
Be sure you understand the option CHKSAMPWD (Check same password).

Other good tools are:

  **   AUDLOG -  Allows a  simpler approach  to working  with  auditing

  **   SCNAUDLOG  - Provides  a  scan  of the  entry  data which  is  a
       significant help when dealing with auditing entries.

  **   DSPSECRVW -  Allows you to  play with the user  profiles such as
       selecting all those with special authorities.

  **   DSPOBJAUD  - Describes  the object  auditing for  objects set by
       CHGOBJAUD or the CRTOBJAUD function of CRT/CHGLIB.

  **   DSPUSRAUD -  Describes  the auditing  of  user profiles  set  by

  **   CAPSECINF -  Captures the major  security values and  allows you
       to compare against a prior version.

  **   CHGUSRAUD2  - Similar to CHGUSRAUD, but  prompts for the current
       values which makes it easier to make a change.

  **   DSPAUDRCD - Displays the last  audit entry for a specific  user.

For a review  of all of the  audit tools in the  TAA Productivity Tools
product, do


For  a review  of all  of the  security tools  in the  TAA Productivity
Tools product, do


For a review  of all of  the journaling tools  in the TAA  Productivity
Tools product, do



In some cases you may  want a listing of a specific  set of information
from designated Audit entry types.

The records  stored in the  TAA Audit Log  file are effective  when you
want  basic information.   If  you are  looking for some  very specific
data and  want  comparisons of  previous activity,  there  is a  better
solution with the system command CPYAUDJRNE.

CPYAUDJRNE runs  against the QAUDJRN  journal which means that  you may
have  to keep the audit journal  online for the period  of time you are
interested in reviewing.

As an  example of how  to understand  and use  CPYAUDJRNE, assume  that
you want to know when users were enabled or disabled.

The first  step is to cause  auditing for this function  (the following
assumes you have set QAUDLVL to *AUDLVL2):

             WRKSYSVAL    QAUDLVL2

Add an  entry for *SECCFG if it is not  already there.  This will cause
audit entries for any changes to user  profiles as well as a few  other

To  ensure that  you  have  some audit  entries  to review,  issue  the
following for some test user profile:

             CHGUSRPRF    USRPRF(xxx) PTYLMT(9)

You can  display the Audit  Journal to see  the entries (use  a current
date and a time when you started CHGUSRPRF).

             DSPJRN       JRN(QAUDIT) FROMTIME(date time)

You should see the audit entries for:

             Journal code   T
             Entry type     CP

If  you use Option 5  to display the details, you  should see the entry
specific data with the  changes you made.   The data is just  a string.
It  is intended to  be mapped  onto a  a model  file that  contains the
fields  for the  CP  Entry Type  (Each Entry  Type  has a  unique model

If you are using  the TAA AUDLOG tool, the  detail display of an  entry
allows the  use of F6  to display the  data.   This is effective  for a
single audit  entry, but not if you want  to review several entries (if
you want to see the entries you  previously made, you will need to  use
CVTAUDLOG  to convert  the journal  into  the data  base  file used  by

To see the format without the AUDLOG tool, use the TAA Tool:


Position to  the T Journal Code and  rollup to the CP entry.   Then use
Option 7 to display the 'T format'.

At  the  top  of  the display,  you  can  see the  model  file  name is
QASYCPJn and the  format name is  the same.  (For  the CD entries,  the
model file  is QASYCDJn).   You can  roll thru the  fields to  see that
the  CPSTAT   field  will  contain  the  status  information  that  was

CPYAUDJRNE will create a file using this format.

You begin by using the command  for a specific Journal Entry type  (the
sub type  is not used  and only  Audit entries -  Journal Code =  T are
converted by CPYAUDJRNE).


Using  *CURCHAIN is  important  the first  time you  make  a conversion
because this  will search  all receivers  in  the chain.   If  you  are
going  to periodically  add  to the  file,  you will  want  to use  the
FROMTIME parameter for subsequent uses.

Note that  CPYAUDJRNE supports the ability  to add to a  file using the
OUTMBR  option.  If you are  going to analyze the  data, you have to be
careful  you don't  copy  entries  that  have already  been  copied  or
replace those  that you  want to retain.   It may  be desirable  to use
CPYF after CPYAUDJRNE to a more permanent file for review purposes.

CPYAUDJRNE  appends the  type to  the file  name.   Thus the  file name
that is created is QAUDITCP.   (the file name for the CD entries  would

You can display the data with the TAA command:

             PRTDB    FILE(xxx/QAUDITCP)

A sub file  will be displayed of the  fields in the format and  you can
place an X in those you are interested in such as:

             CPTSTP     Timestamp of entry
             CPUSER     User profile that made the change
             CPONAM     User profile that was changed
             CPPTYL     Priority limit
             CPSTAT     Status

Press  Enter and the  selected fields move  to the top  of the display.
The 'Sel' field  allows you to  change the order,  but assume you  want
the  same order  to  be  listed  as it  appears  in  the subfile.    By
default, the  field names are used for the  column headings.  An option
exists to use the DDS column headings instead.

Note  that if you are  only interested in the  changes to the status of
the profile, the change to  the PTYLMT function will also appear.   The
CP  entry  will  also  have  changes for  new,  deleted,  and  restored

Any  Query can be  used to process  the QAUDITCP file.   You may prefer
to do a select/sort by prompting for the TAA command:


Enter the From file and a To  file to write the records to.  To  select
the CPSTAT field not equal to blanks, enter

             SELFLD((CPSTAT *NE *BLANKS)

and then a keyfield such as the user profile that was changed:


The final command would thus look like:

                        SELFLD((CPSTAT *NE *BLANKS)

The output file will have the selected sorted data.

You may  use PRTDB again  for the  listing or you  may need to  write a
special program against the new file.

Auditing *ALLOBJ users

One  of the concerns of  any system is  that there must  be some number
of users who  have *ALLOBJ special  authority.  You  cannot prevent  an
*ALLOBJ user  from  doing anything  on the  system, but  you can  audit
what they have done.

Of specific  interest may be  a question like 'What  commands have they

The  system supports the  AUDLVL(*CMD) option to  provide audit records
for commands  entered by  a  user.   Any commands  run by  sub-programs
also generate audit  records.  If *ALLOBJ users perform  a lot of work,
this can generate a large number of audit records.

The  TAA DSPAUDCMD function can assist  you in reviewing these records.
It allows options  to bypass the commands  entered in sub-programs  and
to review by a time period, by job, or by program.

If *ALLOBJ users  are frequently signed on  and perform a lot  of work,
the   number  of  audit   records  produced  may   be  beyond  anyone's
capability to review.  A periodic  audit that is unannounced may be  an
effective method of checking.

Added to TAA Productivity tools March 21, 2008

Home Page Up to Top