How To
Summary
To find user or job that changed the entries from TCP/IP domain information
Objective
This document helps to audit the job that changed the TCP/IP domain information (CFGTCP, option 12 Change TCP/IP domain information)
Steps
This document assumes that system security audit is active on the system.
Otherwise, document https://www.ibm.com/support/pages/setting-security-auditing must be followed first.
STEP 1: Start object auditing for file QATOCTCPIP in QUSRSYS:
CHGOBJAUD OBJ(QUSRSYS/QATOCTCPIP) OBJTYPE(*FILE) OBJAUD(*CHANGE)
STEP 2: Once the change happened in TCP/IP Domain Information, you can extract report from audit.
STEP 3: Extracting ZC entries
STEP3a: Issue command,
CPYAUDJRNE ENTTYP(ZC) OUTFILE(QAUDIT) JRNRCV(*CURCHAIN) FROMTIME(MMDDYY) TOTIME(MMDDYY)
... Replace MMDDYY to the date that the change is suspected
... MMDDYY is based on your system value QDATFMT format
STEP 3b: Run query against outfile QAUDITZC in library QTEMP
SELECT ZCTSTP,
ZCJOB,
ZCUSER,
ZCNBR,
ZCPGM,
ZCPGMLIB,
ZCRADR,
ZCETYP,
ZCONAM,
ZCOLIB,
ZCOTYP,
ZCACTP,
ZCODTA
FROM qtemp.qauditzc
WHERE ZCONAM = 'QATOCTCPIP'
Result would be similar below
The one in red box is the job detail of the job did the changed in TCP/IP Domain Information.
Additional Information
Another way of finding the job did the change to TCP/IP domain information is through command auditing.
Command auditing would be explained on another document.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m3p000000Gnr1AAC","label":"Job and Work Management->System Audit"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
25 January 2022
UID
ibm16550182