Change Security Auditing (CHGSECAUD)

The Change Security Auditing (CHGSECAUD) command allows you to change the current settings for the system values that control what is being audited on the system. If the security audit journal, QAUDJRN, does not exist when the command is issued, the security journal and its initial journal receiver are created by this command.

Restriction: You must have *ALLOBJ and *AUDIT special authorities to use this command.

Parameters

Keyword Description Choices Notes
QAUDCTL QAUDCTL system value Single values: *SAME, *ALL, *NONE
Other values (up to 3 repetitions): *OBJAUD, *AUDLVL, *NOQTEMP		 Optional
QAUDLVL Auditing values Start of changeSingle values: *SAME, *ALL, *DFTSET, *NONE
Other values (up to 115 repetitions): *ATNEVT, *AUTFAIL, *CREATE, *DELETE, *JOBBAS, *JOBCHGUSR, *JOBDTA, *NETBAS, *NETCLU, *NETCMN, *NETFAIL, *NETSCK, *NETSECURE, *NETTELSVR, *NETUDP, *OBJMGT, *OFCSRV, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *PTFOBJ, *PTFOPR, *SAVRST, *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECURITY, *SECVFY, *SECVLDL, *SERVICE, *SPLFDTA, *SYSMGTEnd of change		 Optional
INLJRNRCV Initial journal receiver Qualified object name Optional
Qualifier 1: Initial journal receiver Name, AUDRCV0001
Qualifier 2: Library Name, QGPL, *CURLIB

QAUDCTL system value (QAUDCTL)

The setting for the system value QAUDCTL.

Single values

*SAME
The QAUDCTL system value does not change.
*ALL
The QAUDCTL system value is given the value of *AUDLVL, *OBJAUD, and *NOQTEMP.

Other values (up to 3 repetitions)

*NOTAVL
The user performing the command is not allowed to display the current auditing value. You cannot change the system value to not available (*NOTAVL).
*NONE
No security auditing is done on the system. This is the shipped value.
*OBJAUD
Actions against objects that have an object audit value other than *NONE will be audited. An object's audit value is set through the Change Audit (CHGAUD) command or the Change Object Audit (CHGOBJAUD) command.
*AUDLVL
The actions specified in the QAUDLVL and QAUDLVL2 system values will be logged to the security journal. Also actions specified by a user profile's action auditing values will be audited. A user profile's action auditing values are set through the AUDLVL parameter on the Change User Audit (CHGUSRAUD) command.
*NOQTEMP
No auditing of most objects in QTEMP is done. You must specify *NOQTEMP with either *OBJAUD or *AUDLVL. You can not specify *NOQTEMP by itself.

Note:

Auditing values (QAUDLVL)

The settings used for the system values QAUDLVL and QAUDLVL2.

If 16 values or less are specified, then these values will be set in system value QAUDLVL.

If more than 16 values are specified, then 15 of the specified values are set in system value QAUDLVL along with the value *AUDLVL2. The remaining values are set in system value QAUDLVL2.

Single values

*SAME
The system values do not change.
*ALL
All values are selected (except the values that are automatically included. Example - *SECURITY includes *SECCFG so *SECCFG is not added to the system value).
*DFTSET
The system value is given the value of *AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST.
*NONE
No security action auditing will occur on the system. This is the shipped value.

Other values (up to 115 repetitions)

*ATNEVT
Attention events are audited. Attention events are conditions that require further evaluation to determine the condition's security significance. The following is an example:
  • Intrusion monitor events need to be examined to determine whether the condition is an intrusion or a false positive
*AUTFAIL
Authorization failures are audited. The following are some examples:
  • All access failures (sign-on, authorization, job submission)
  • Incorrect password or user ID entered from a device
*CREATE
All object creations are audited. Objects created into library QTEMP are not audited. The following are some examples:
  • Newly-created objects
  • Objects created to replace an existing object
*DELETE
All deletions of external objects on the system are audited. Objects deleted from library QTEMP are not audited.
*JOBBAS
Job base functions are audited. The following are some examples:
  • Job start and stop data
  • Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
*JOBCHGUSR
Changes to a thread's active user profile or its group profiles are audited.
*JOBDTA
Actions that affect a job are audited. The following are some examples:
  • Job start and stop data
  • Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
  • Changing a thread's active user profile or group profiles

Note: *JOBDTA is composed of two values to allow you to better customize your auditing. If you specify both of the values, you will get the same auditing as if you specified *JOBDTA. The following values make up *JOBDTA.

  • *JOBBAS
  • *JOBCHGUSR
*NETBAS
Network base functions are audited. The following are some examples:
  • IP rules actions
  • Sockets connections
  • APPN Directory search filter
  • APPN end point filter
*NETCLU
Cluster or cluster resource group operations are audited. The following are some examples:
  • Add, create, and delete
  • Distribution
  • End
  • Fail over
  • List information
  • Removal
  • Start
  • Switch
  • Update attributes
*NETCMN
Networking and communications functions are audited. The following are some examples:
    Start of change
  • All Network base functions from *NETBASEnd of change
    • Start of change
  • All Cluster or cluster resource group operations from *NETCLUEnd of change
    • Start of change
  • All Network failures from *NETFAILEnd of change
    • Start of change
  • The Mail and DHCP functions from *NETSCKEnd of change
*NETFAIL
Start of change
Network failures are audited. The following is an example:End of change
  • Socket port not available
*NETSCK
Sockets tasks are audited. The following are some examples:
  • Accept
  • Connect
  • DHCP address assigned
  • DHCP address not assigned
  • Filtered mail
  • Reject mail Start of change

Note:

  • Telnet server connections are not audited as part of *NETSCK. Use *NETTELSVR along with *NETSCK if Telnet server connections should be audited.
  • To audit all TCP and UDP connections in and out of the system specify *NETSCK, *NETUDP, and *NETTELSVR.
*NETSECURE
Secure network connections are audited. The following are some examples:
  • Successful secure network connection
  • Failed system SSL connection

When *NETTELSVR is also specified, the following are additional examples:

  • Telnet Server successful secure network connection
  • Telnet Server failed system SSL connection

Note: This implies traffic flowing over the connection is now protected by a security protocol known to the system. The system explicitly audits System SSL and IPsec from operating system code responsible for creating the secure connection. The system implicitly audits some non-operating system implemented security protocols by inspecting application layer data as it flows through the Sockets APIs.

*NETTELSVR
Telnet Server connections are audited. The following is an example:
  • Accept

When *NETSECURE is also specified, the following are additional examples:

  • Telnet Server successful secure network connection
  • Telnet Server failed system SSL connection

Note:

  • Telnet clients can be configured to retry the connection attempt after an attempt to establish a session is unsuccessful. These Telnet clients will retry indefinitely until the conditions causing the session to fail are eliminated. This can generate a large number of Telnet server audit journal entries.
  • To audit all TCP and UDP connections in and out of the system, specify *NETSCK, *NETUDP, and *NETTELSVR.
*NETUDP
User Datagram Protocol (UDP) traffic is audited. The following are some examples:
  • UDP packets sent
  • UDP packets received

Note:

  • UDP traffic for the same local and remote address and port is audited only once every 12 hours by default. See the Security Reference, SC41-5302 publication.
  • To audit all TCP and UDP connections in and out of the system, specify *NETSCK, *NETUDP, and *NETTELSVR.End of change
*NOTAVL
The user performing the command is not allowed to display the current auditing value. You cannot change the system value to not available (*NOTAVL).
*OBJMGT
Generic object tasks are audited. The following are some examples:
  • Moves of objects
  • Renames of objects
*OFCSRV
OfficeVision are audited. The following are some examples:
  • Changes to the system distribution directory
  • Tasks involving electronic mail
*OPTICAL
All optical functions are audited. The following are some examples:
  • Add or remove optical cartridge
  • Change the authorization list used to secure an optical volume
  • Open optical file or directory
  • Create or delete optical directory
  • Change or retrieve optical directory attributes
  • Copy, move, or rename optical file
  • Copy optical directory
  • Back up optical volume
  • Initialize or rename optical volume
  • Convert backup optical volume to a primary volume
  • Save or release held optical file
  • Absolute read of an optical volume
*PGMADP
Adopting authority from a program owner is audited.
*PGMFAIL
Program failures are audited. The following are some examples:
  • Blocked instruction
  • Validation value failure
  • Domain violation
*PRTDTA
Printing functions are audited. The following are some examples:
  • Printing a spooled file
  • Printing with parameter SPOOL(*NO)
*PTFOBJ
Changes to Program Temporary Fix (PTF) objects are audited. The following are some examples:
  • Library objects such as *PGM and *SRVPGM objects.
  • Replaceable Unit (RU) objects for LIC PTFs.
  • Integrated File System (IFS) objects.
*PTFOPR
Program Temporary Fix (PTF) operations are audited. The following are some examples:
  • Load, apply, or remove a PTF.
  • Log or delete a PTF save file.
  • Install PTFs using GO PTF or INSPTF command.
*SAVRST
Save and restore information is audited. The following are some examples:
  • When programs that adopt their owner's user profile are restored
  • When job descriptions that contain user names are restored
  • When ownership and authority information changes for objects that are restored
  • When the authority for user profiles is restored
  • When a system state program is restored
  • When a system command is restored
  • When an object is restored
*SECCFG
Security configuration is audited. The following are some examples:
  • Create, change, delete, and restore operations of user profiles
  • Changes to programs (CHGPGM) that will now adopt the owner's profile
  • Changes to system values, environment variables and network attributes
  • Changes to subsystem routing
  • When the QSECOFR password is reset to the shipped value from DST
  • When the password for the service tools security officer user ID is requested to be defaulted.
  • Changes to the auditing attribute of an object
*SECDIRSRV
Changes or updates when doing directory service functions are audited. The following are some examples:
  • Audit change
  • Successful bind
  • Authority change
  • Password change
  • Ownership change
  • Successful unbind
*SECIPC
Changes to interprocess communications are audited. The following are some examples:
  • Ownership or authority of an IPC object changed
  • Create, delete or get of an IPC object
  • Shared memory attach
*SECNAS
Network authentication service actions are audited. The following are some examples:
  • Service ticket valid
  • Service principals do not match
  • Client principals do not match
  • Ticket IP address mismatch
  • Decryption of the ticket failed
  • Decryption of the authenticator failed
  • Realm is not within client and local realms
  • Ticket is a replay attempt
  • Ticket not yet valid
  • Remote or local IP address mismatch
  • Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
  • KRB_AP_PRIV or KRB_AP_SAFE - timestamp error, replay error, sequence order error
  • GSS accept - expired credentials, checksum error, channel bindings
  • GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, sequence error
*SECRUN
Security run time functions are audited. The following are some examples:
  • Changes to object ownership
  • Changes to authorization list or object authority
  • Changes to the primary group of an object
*SECSCKD
Socket descriptors are audited. The following are some examples:
  • A socket descriptor was given to another job
  • Receive descriptor
  • Unable to use descriptor
*SECURITY
All security-related functions are audited.
  • Security configuration (See *SECCFG)
  • Changes or updates when doing directory service functions (See *SECDIRSRV)
  • Changes to interprocess communications (See *SECIPC)
  • Network authentication service actions (See *SECNAS)
  • Security run time functions (See *SECRUN)
  • Socket descriptor (See *SECSCKD)
  • Use of verification functions (See *SECVFY)
  • Changes to validation list objects (See *SECVLDL)

Note: *SECURITY is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *SECURITY. The following values make up *SECURITY.

  • *SECCFG
  • *SECDIRSRV
  • *SECIPC
  • *SECNAS
  • *SECRUN
  • *SECSCKD
  • *SECVFY
  • *SECVLDL
*SECVFY
Use of verification functions are audited. The following are some examples:
  • A target user profile was changed during a pass-through session
  • A profile handle was generated
  • All profile tokens were invalidated
  • Maximum number of profile tokens has been generated
  • A profile token has been generated
  • All profile tokens for a user have been removed
  • User profile authenticated
  • An office user started or ended work on behalf of another user
*SECVLDL
Changes to validation list objects are audited. The following are some examples:
  • Add, change, remove of a validation list entry
  • Find of a validation list entry
  • Successful and unsuccessful verify of a validation list entry
*SERVICE
For a list of all the service commands and API calls that are audited, see the System i Security Reference, SC41-5302 publication.
*SPLFDTA
Spooled file functions are audited. The following are some examples:
  • Create, delete, display, copy, hold, and release a spooled file
  • Get data from a spooled file (QSPGETSP)
  • Change spooled file attributes (CHGSPLFA command)
*SYSMGT
System management tasks are audited. The following are some examples:
  • Hierarchical file system registration
  • Changes for Operational Assistant functions
  • Changes to the system reply list
  • Changes to the DRDA relational database directory
  • Network file operations

Initial journal receiver (INLJRNRCV)

The journal receiver that is created as the initial journal receiver when the security audit journal, QAUDJRN is created. This parameter is ignored if the security audit journal exists.

Qualifier 1: Initial journal receiver

AUDRCV0001
The default value for the initial journal receiver.
name
The name of the journal receiver being created.

Qualifier 2: Library

QGPL
The default library value for the initial journal receiver.
*CURLIB
The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
name
The library where the journal receiver is to be created.

Examples

Example 1:

CHGSECAUD   QAUDCTL(*AUDLVL)  QAUDLVL(*DFTSET)

This command will activate system security auditing by ensuring the security journal exist, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL system value to the default set of values.

Example 2:

CHGSECAUD   QAUDCTL(*AUDLVL) +
            QAUDLVL(*AUTFAIL *CREATE *DELETE +
                    *JOBDTA  *NETBAS *NETFAIL +
                    *OBJMGT  *OPTICAL *PGMADP +
                    *PGMFAIL *PRTDTA *SAVRST +
                    *SECCFG  *SECDIRSRV *SECRUN +
                    *SERVICE *SPLFDTA *SYSMGT)

This command will activate system security auditing by ensuring the security journal exist, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL and QAUDLVL2 system values to the specified values. QAUDLVL system value will contain *AUDLVL2, *AUTFAIL, *CREATE, *DELETE, *JOBDTA, *NETBAS, *NETFAIL, *OBJMGT, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *SAVRST, *SECCFG, *SECDIRSRV, *SECRUN. QAUDLVL2 system value will contain *SERVICE, *SPLFDTA, *SYSMGT.

Error messages

*ESCAPE Messages

CPFB304
User does not have required special authorities.