Action auditing

For an individual user, you can specify which security-relevant actions should be recorded in the audit journal. The actions specified for an individual user apply in addition to the actions specified for all users by the QAUDLVL and QAUDLVL2 system values.

Add User prompt:
Not shown
CL parameter:
AUDLVL
Length:
640

Action auditing for a user profile cannot be specified on any user profile displays. It is defined using the CHGUSRAUD command. Only a user with *AUDIT special authority can use the CHGUSRAUD command.

Table 1. Possible values for AUDLVL:
*NONE The QAUDLVL system value controls action auditing for this user. No additional auditing is done.
*NOTAVL This value is displayed to indicate that the parameter value is not available to the user because the user does not have either *AUDIT or *ALLOBJ special authority. The parameter value cannot be set to this value.
*AUTFAIL Authorization failures are audited.
*CMD Command strings are logged. *CMD can be specified only for individual users. Command string auditing is not available as a system-wide option using the QAUDLVL system value.
*CREATE Object create operations are logged.
*DELETE Object delete operations are logged.
*JOBBAS Job base functions are audited.
*JOBCHGUSR Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA1 Job changes are logged.
*OBJMGT Object move and rename operations are logged.
*OFCSRV Changes to the system distribution directory and office mail actions are logged.
*NETBAS Network base functions are audited.
*NETCLU Cluster or cluster resource group operations are audited.
*NETCMN 3 Networking and communications functions are audited.
*NETFAIL Network failures are audited.
*NETSCK Sockets tasks are audited.
*OPTICAL All optical functions are audited.
*PGMADP Obtaining authority to an object through a program that adopts authority is logged.
*PGMFAIL Program failures are audited.
*PRTDTA Printing functions with parameter SPOOL(*NO) are audited.
*SAVRST Save and restore operations are logged.
*SECCFG Security configuration is audited.
*SECDIRSRV Changes or updates when doing directory service functions are audited.
*SECIPC Changes to interprocess communications are audited.
*SECNAS Network authentication service actions are audited.
*SECRUN Security run time functions are audited.
*SECSCKD Socket descriptors are audited.
*SECURITY2 Security-related functions are logged.
*SECVFY Use of verification functions are audited.
*SECVLDL Changes to validation list objects are audited.
*SERVICE Using service tools is logged.
*SPLFDTA Actions performed on spooled files are logged.
*SYSMGT Use of systems management functions is logged.
1
*JOBDTA includes two values that are *JOBBAS and *JOBCHGUSR, which enable you to better customize your auditing. If both of the values are specified, you will get the same auditing as if just *JOBDTA is specified.
2
*SECURITY is composed of several values to enable you to better customize your auditing. If all of the values are specified, you will get the same auditing as if just *SECURITY is specified. These values are as follows.
  • *SECCFG
  • *SECDIRSRV
  • *SECIPC
  • *SECNAS
  • *SECRUN
  • *SECSCKD
  • *SECVFY
  • *SECVLDL
3
*NETCMN is composed of several values to enable you to better customize your auditing. If all of the values are specified, you will get the same auditing as if just *NETCMN is specified. These values are as follows.
  • *NETBAS
  • *NETCLU
  • *NETFAIL
  • *NETSCK