The Display User Commands command displays the audit records for
commands run by a user that is specified with CHGUSRAUD AUDLVL(*CMD).
DSPUSRCMD is intended for use on critical security profiles such as
QSECOFR and QSRV to allow a review of the commands that were entered.
The Journal Code T (Audit) records with an Entry Type of CD (command
was run) are processed using the CPYAUDJRNE outfile.
You must have *ALLOBJ authority to use DSPUSRCMD.
If you have not already set up the QAUDJRN journal, see the tool
AUDITING for a discussion.
Assume you want to check the commands entered by the QSECOFR user
profile. Begin by ensuring the audit level is set correctly.
DSPUSRPRF USRPRF(QSECOFR)
Roll to the value 'Action auditing values'. It should at least
specify '*CMD'. If not, enter the following:
CHGUSRAUD USRPRF(QSECOFR) AUDLVL(*CMD)
After some commands have been entered by QSECOFR, you may review the
commands with:
DSPUSRCMD USRPRF(QSECOFR)
A listing would be displayed of all the commands entered for all
existing journal entries in QAUDJRN.
The profile QSECOFR is used in several system jobs such as QSRVMON.
You can bypass the commands run in specifically named jobs, or bypass
the system jobs by entering a generic name such as Q*.
However, this would not find the commands entered by a user who
signed on as QSECOFR and submitted a job name that began with Q.
Options also exist to:
** Process based on a start date/time and an end date/time.
** List the commands run in CL programs if called from a command
   line or run via a command processing program (either by a
   system or user command).
** Scan for the use of a command such as CRTUSRPRF whether it is
   run on a command line or via a CL program.
Using a different Security Officer profile
------------------------------------------
Because the system use of QSECOFR complicates the use of reviewing
commands, some users may prefer to use a separate profile when acting
as the Security Officer.
For example, you could create the QSECOFR2 profile and cause auditing
with:
CRTUSRPRF  USRPRF(QSECOFR2)
             PASSWORD(xxx)
             USRCLS(*SECOFR)
             TEXT('Second security officer')
CHGUSRAUD  USRPRF(QSECOFR2) AUDLVL(*CMD)
This would allow secure commands to be entered using QSECOFR2 and
displayed with DSPUSRCMD.
You cannot set the QSECOFR password to *NONE. However, you could
prevent the interactive use of QSECOFR. You should not do this
unless you have another profile that can reset the profile if needed.
To prevent the use of QSECOFR from signing on, enter:
CHGUSRPRF USRPRF(QSECOFR) STATUS(*DISABLED)
While this will make the use of DSPUSRCMD for a profile such as
QSECOFR2 easier to review, it is not a perfect solution to ensure a
check of all commands run as a Security Officer.
For example, there may be pre-existing programs that adopt the
QSECOFR profile and run various functions. There are several such
programs within TAATOOL and the system also uses this technique.
While TAATOOL and system functions offer security control of these
types of functions, user written programs may not be so secure.
In addition, any *ALLOBJ user can bypass many of the security
checking functions provided by the system.
The use of a second Security Officer will not eliminate the need for
good system security.
DSPUSRCMD escape messages you can monitor for
---------------------------------------------
TAA9892 The user profile is not specified to audit commands
TAA9893 There were no audit records for the selection criteria
TAA9893 is sent either because the use of CPYAUDJRNE found no records
(no spooled file will exist) or because the selection processing
after the use of CPYAUDJRNE did not find any entries to list (a
spooled file will exist).
Escape messages from the functions DSPUSRCMD is based on will be
re-sent.
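The following CL program is an added worked example; it is not part of
the TAA documentation or the tool's own source. It ties together the
steps described above for one profile passed as a parameter: it sets
AUDLVL(*CMD), runs DSPUSRCMD for today's entries with the CLPGM, SCANVAL
and BYPJOB options discussed, prints the listing, and monitors the two
escape messages. The program name, the &USRPRF parameter and the
message texts are assumptions of this example; the DSPUSRCMD tool must be
installed and the caller must have *ALLOBJ authority.

```cl
/* Added example (not TAA's own code).                                 */
/* Assumes: DSPUSRCMD is installed, the caller has *ALLOBJ, and the    */
/* profile to review is passed in &USRPRF (hypothetical parameter).    */
             PGM        PARM(&USRPRF)
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)

             /* Make sure command auditing is active for the profile. */
             /* CHGUSRAUD replaces the whole action auditing list, so  */
             /* any other AUDLVL values already in use must be named   */
             /* here as well, or they are lost.                        */
             CHGUSRAUD  USRPRF(&USRPRF) AUDLVL(*CMD)

             /* List today's commands as a retained spooled file.      */
             /* CLPGM(*YES) also lists commands run from CL programs,  */
             /* SCANVAL flags any use of CRTUSRPRF (compared in upper  */
             /* case), and BYPJOB(Q*) drops the system jobs that run   */
             /* under profiles such as QSECOFR.  Times are HHMMSS.     */
             DSPUSRCMD  USRPRF(&USRPRF) +
                          FROMDATE(*TODAY 000000) +
                          TODATE(*TODAY 235959) +
                          CLPGM(*YES) SCANVAL(CRTUSRPRF) +
                          BYPJOB(Q*) OUTPUT(*PRINT)

             /* TAA9892: the profile is not audited for commands.      */
             /* Re-send as an escape so the caller notices.            */
             MONMSG     MSGID(TAA9892) EXEC(DO)
             SNDPGMMSG  MSG('Profile is not set to AUDLVL(*CMD)') +
                          MSGTYPE(*ESCAPE)
             ENDDO

             /* TAA9893: no entries matched; a spooled file may or may */
             /* not exist.  Treat as a normal end.                     */
             MONMSG     MSGID(TAA9893) EXEC(DO)
             SNDPGMMSG  MSG('No audited commands for the selection')
             RETURN
             ENDDO

             ENDPGM
```

Remember that BYPJOB(Q*) also drops any job that a user signed on as the
audited profile submitted with a name beginning with Q; if that matters,
omit BYPJOB or name the specific system jobs instead.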
DSPUSRCMD Command parameters *CMD
---------------------------------
USRPRF        The user profile to list audit records for. The
              user must be specified using CHGUSRAUD AUDLVL(*CMD)
              to create audit records for commands entered.

FROMDATE      The From date and time to select journal entries.
              Both values default to *FIRST for the first audit
              entry found in QAUDJRN. A specific date (in job
              format) or the special value *TODAY may be entered.
              A specific time in HHMMSS format may be entered.

TODATE        The To date and time to select journal entries.
              Both values default to *LAST for the last audit
              entry found in QAUDJRN. A specific date (in job
              format) or the special value *TODAY may be entered.
              A specific time in HHMMSS format may be entered.

CLPGM         A *YES/*NO value for whether the commands run from a
              CL program should be listed. The CL program could
              be called directly or called via a command
              processing program from a system or user command.

              *NO is the default to not list these commands.

              *YES may be specified to list the commands. Only
              the object name, type, and library (not the full
              command that was run) are listed.

SCANVAL       The value to be scanned for in either the commands
              that were run from a command line or the object and
              library names of the commands run in a CL program
              (requires CLPGM(*YES)). For example, this would
              allow scanning for the use of a command such as
              CRTUSRPRF or the keyword PASSWORD.

              *NONE is the default meaning no scan occurs.

              A string of up to 20 bytes may be entered. Note
              that scanning the commands run in a CL program is
              only effective on the command name and library.
              Both the SCANVAL and the command are translated to
              upper case before comparing.
BYPJOB        A list of up to 300 job names or generic job names
              that will be bypassed.

              *NONE is the default meaning all jobs are processed.

              When a user profile such as QSECOFR is used, the
              system runs several jobs under this profile such as
              QSRVMON. Bypassing specific job names or a generic
              name such as Q* can reduce the size of the listing,
              but it also bypasses any job that a QSECOFR user
              submitted with a job name beginning with Q.
              See the previous discussion about how to use a
              different profile for entering secure commands.
OUTPUT        How to output the results. * is the default to
              display the spooled file if the command is entered
              interactively. The spooled file is deleted after it
              is displayed.

              If the command is entered in batch or *PRINT is
              specified, the spooled file is output and retained.
Restrictions
------------
You must have *ALLOBJ authority to use DSPUSRCMD.
You must have the QAUDJRN operational.
The user profile specified must be set to at least AUDLVL(*CMD).
Prerequisites
-------------
The following TAA Tools must be on your system:
CHKALLOBJ Check *ALLOBJ special authority
CHKGENERC Check generic
CVTTIM Convert time
EDTVAR Edit variable
EXTLST Extract list
EXTLST2 Extract list 2
RTVDAT Retrieve date
RTVSYSVAL3 Retrieve system value 3
SCNVAR Scan variable
SNDCOMPMSG Send completion message
SNDESCINF Send escape information
SNDESCMSG Send escape message
SNDSTSMSG Send status message
TRNVAL Translate value
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
Object        Type    Attribute   Src member   Src file
------        ----    ---------   ----------   ----------
DSPUSRCMD     *CMD                TAASEIN      QATTCMD
TAASEINC      *PGM    CLP         TAASEINC     QATTCL
TAASEINR      *PGM    RPGLE       TAASEINR     QATTRPG
TAASEINP      *FILE   PF
The TAASEINP file is created by duplicating the QASYCDJ5 model file
in QSYS.