Action auditing

For an individual user, you can specify which security-relevant actions should be recorded in the audit journal. The actions specified for an individual user apply in addition to the actions specified for all users by the QAUDLVL and QAUDLVL2 system values.

Add User prompt: Not shown
CL parameter: AUDLVL
Length: 640

Action auditing for a user profile cannot be specified on any user profile displays. It is defined using the CHGUSRAUD command. Only a user with *AUDIT special authority can use the CHGUSRAUD command.

Note: Consider using the CHGUSRAUD command to set action auditing on your security officer and other highly privileged users. Auditing the actions of the security officers and other privileged users is recommended as these users will be authorized to perform many or all system functions. They also have access to highly sensitive data objects on the server.
Table 1. Possible values for AUDLVL:
*NONE The QAUDLVL system value controls action auditing for this user. No additional auditing is done.
*NOTAVL This value is displayed to indicate that the parameter value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The parameter value cannot be set to this value.
*AUTFAIL Authorization failures are audited.
*CMD Command strings are logged. *CMD can be specified only for individual users. Command string auditing is not available as a system-wide option using the QAUDLVL system value.
*CREATE Object create operations are logged.
*DELETE Object delete operations are logged.
*JOBBAS Job base functions are audited.
*JOBCHGUSR Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA (1) Job changes are logged.
*OBJMGT Object move and rename operations are logged.
*OFCSRV Changes to the system distribution directory and office mail actions are logged.
*NETBAS Network base functions are audited.
*NETCLU Cluster or cluster resource group operations are audited.
*NETCMN (3) Networking and communications functions are audited.
*NETFAIL Network failures are audited.
*NETSCK Sockets tasks are audited.
*NETSECURE Secure network connections are audited.
*NETUDP User Datagram Protocol (UDP) traffic is audited.
*OPTICAL All optical functions are audited.
*PGMADP Obtaining authority to an object through a program that adopts authority is logged.
*PGMFAIL Program failures are audited.
*PRTDTA Printing functions with parameter SPOOL(*NO) are audited.
*SAVRST Save and restore operations are logged.
*SECCFG Security configuration is audited.
*SECDIRSRV Changes or updates when doing directory service functions are audited.
*SECIPC Changes to interprocess communications are audited.
*SECNAS Network authentication service actions are audited.
*SECRUN Security run time functions are audited.
*SECSCKD Socket descriptors are audited.
*SECURITY (2) Security-related functions are logged.
*SECVFY Use of verification functions is audited.
*SECVLDL Changes to validation list objects are audited.
*SERVICE Using service tools is logged.
*SPLFDTA Actions performed on spooled files are logged.
*SYSMGT Use of systems management functions is logged.
(1) *JOBDTA includes two values that are *JOBBAS and *JOBCHGUSR, which enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified.
(2) *SECURITY is composed of several values to enable you to better customize your auditing. If all of the values are specified, you will get the same auditing as if just *SECURITY is specified. These values are as follows.
  • *SECCFG
  • *SECDIRSRV
  • *SECIPC
  • *SECNAS
  • *SECRUN
  • *SECSCKD
  • *SECVFY
  • *SECVLDL
(3) *NETCMN is composed of several values to enable you to better customize your auditing. The following values make up *NETCMN:
  • *NETBAS
  • *NETCLU
  • *NETFAIL
  • The Mail and DHCP functions from *NETSCK
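
The rules above (per-user AUDLVL applies in addition to the system values, *CMD is available per user only, and the composite values described in the notes) can be combined into a coverage check for privileged profiles. The following Python is an added example, not IBM code; the function names are hypothetical and the sample system values, profile settings and baseline are constructed.

```python
# Composites the page states are equal to the sum of their parts.
EQUIVALENT = {
    "*JOBDTA": {"*JOBBAS", "*JOBCHGUSR"},
    "*SECURITY": {"*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
                  "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL"},
}
# *NETCMN also covers the Mail and DHCP part of *NETSCK, so the three
# values below are implied by it but do not add up to it.
NETCMN_PARTS = {"*NETBAS", "*NETCLU", "*NETFAIL"}


def normalize(values):
    """Reduce a list of audit values to a comparable set of actions."""
    actions = set()
    for value in (v.strip().upper() for v in values):
        if value == "*NONE":
            continue  # no additional auditing
        if value in EQUIVALENT:
            actions |= EQUIVALENT[value]
        elif value == "*NETCMN":
            actions |= NETCMN_PARTS | {"*NETCMN"}
        else:
            actions.add(value)
    return actions


def effective_actions(system_values, user_audlvl):
    """Union of system-wide and per-user action auditing."""
    if "*CMD" in system_values:
        raise ValueError("*CMD is per-user only, not a QAUDLVL value")
    if "*NOTAVL" in user_audlvl:
        raise ValueError("*NOTAVL is display-only; AUDLVL was not readable")
    return normalize(system_values) | normalize(user_audlvl)


def missing_actions(baseline, system_values, user_audlvl):
    """Baseline actions not covered for this user, sorted."""
    return sorted(normalize(baseline)
                  - effective_actions(system_values, user_audlvl))


# Constructed sample: system values and one privileged profile.
SYSTEM = ["*AUTFAIL", "*SECCFG", "*SECRUN", "*JOBBAS"]
USER_AUDLVL = ["*CMD", "*JOBCHGUSR", "*SERVICE",
               "*NETBAS", "*NETCLU", "*NETFAIL"]
BASELINE = ["*CMD", "*JOBDTA", "*SECURITY", "*SERVICE", "*NETCMN"]

if __name__ == "__main__":
    print(missing_actions(BASELINE, SYSTEM, USER_AUDLVL))
```

In the sample, *JOBDTA counts as covered because one half comes from the system values and the other from the profile, while *NETCMN is still reported because its three named parts do not include the Mail and DHCP functions from *NETSCK.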