IBM Support

Auditing the use of Commands

Question & Answer


Question

How do you audit the use of commands?

Answer

By turning on Object Auditing on the Operating System Commands, we can track who is using the commands to perform actions on the system.

Before you start, verify that the QAUDJRN journal exists and that you are tracking object usage operations.
Use the DSPSECAUD command and make sure the following settings are configured on your system:
 
Security journal QAUDJRN exists . . . . . :   YES    
Current QAUDCTL system value  . . . . . . :  *OBJAUD
 
If either setting is not there, use the CHGSECAUD command to add it to your system.
 
Step 1:
Turn on object auditing on the command:
 
CHGOBJAUD OBJ(QSYS/SBMJOB) OBJTYPE(*CMD) OBJAUD(*ALL) 
 
 
Note: This example turns on auditing for the SBMJOB command. Replace the OBJ parameter to turn on object auditing for other commands.
 
Step 2:
 
Using the SQL DISPLAY_JOURNAL table function you can create a report for command usage operations.

Authorization:

  • You must have *USE authority to the journal and to all requested journal receivers.
  • *OBJEXIST authority is required to the journal if object-name is omitted or if object-name specifies an object that no longer exists.
  • If object-name is *ALL, you must be authorized to every object associated with a journal entry.
Using the RUN SQL Scripts tool, run the following SQL Statement:
 
select OBJECT as COMMAND,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       ENTRY_TIMESTAMP,
       substr(cast(ENTRY_DATA as char(2048)), 31, 6000) as COMMAND_STRING
    from table (
            QSYS2.DISPLAY_JOURNAL(
                JOURNAL_LIBRARY => 'QSYS',
                JOURNAL_NAME => 'QAUDJRN',
                STARTING_RECEIVER_NAME => '*CURCHAIN',
                JOURNAL_ENTRY_TYPES => 'CD',
                STARTING_TIMESTAMP => '2022-02-16 00:00:01',
                ENDING_TIMESTAMP => '2022-02-16 07:36:00')
        )
 
 
Note 1: Change the starting and ending timestamps in the SQL to the date and time range you want.
Note 2: If hexadecimal data is displayed on the report, you need to change the JDBC connection properties to translate CCSID 65535 data. On the Run SQL tool, select the Connection Menu > JDBC Connection > Edit > Translation and click on Translate CCSID 65535. Save the connection and reconnect to run the SQL.
 
Step 3:
Use the following statement if you only want to display the results for the SBMJOB command.

Using the RUN SQL Scripts tool, run the following SQL Statement:
 
select OBJECT as COMMAND,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       ENTRY_TIMESTAMP,
       substr(cast(ENTRY_DATA as char(2048)), 31, 6000) as COMMAND_STRING
    from table (
            QSYS2.DISPLAY_JOURNAL(
                JOURNAL_LIBRARY => 'QSYS',
                JOURNAL_NAME => 'QAUDJRN',
                STARTING_RECEIVER_NAME => '*CURCHAIN',
                JOURNAL_ENTRY_TYPES => 'CD',
                STARTING_TIMESTAMP => '2022-02-16 00:00:01',
                ENDING_TIMESTAMP => '2022-02-16 07:36:00')
        )
        WHERE object LIKE '%SBMJOB%'
 
 
Note 1: Replace the value in the WHERE clause to specify the command you are auditing.
Note 2: Change the starting and ending timestamps in the SQL to the date and time range you want.
Note 3: If hexadecimal data is displayed on the report, you need to change the JDBC connection properties to translate CCSID 65535 data. On the Run SQL tool, select the Connection Menu > JDBC Connection > Edit > Translation and click on Translate CCSID 65535. Save the connection and reconnect to run the SQL.
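
The following statement is an added example, not part of the original IBM document. It goes one step beyond the reports above by decoding the first 30 bytes of ENTRY_DATA and summarizing, per user, which audited commands were run in the last 24 hours and whether they ran from a CL program. The page itself only shows that the command string starts at position 31; the offsets for positions 1 to 30, the 24-hour window and the result column names are assumptions based on the CD entry layout and should be checked against the security reference for your release.

```sql
-- Added example: per-user summary of audited command usage (CD entries).
-- Assumed layout of the CD entry-specific data (verify for your release):
--   pos  1     entry type
--   pos  2-11  command (object) name
--   pos 12-21  library name
--   pos 22-29  object type
--   pos 30     run from a CL program (Y/N)
--   pos 31+    command string (the offset the statements above rely on)
with RAW_CD as (
    select JOB_USER,
           ENTRY_TIMESTAMP,
           cast(ENTRY_DATA as char(2048)) as D
        from table (
                QSYS2.DISPLAY_JOURNAL(
                    JOURNAL_LIBRARY => 'QSYS',
                    JOURNAL_NAME => 'QAUDJRN',
                    STARTING_RECEIVER_NAME => '*CURCHAIN',
                    JOURNAL_ENTRY_TYPES => 'CD',
                    STARTING_TIMESTAMP => current timestamp - 24 hours)
            )
),
FIELDS as (
    select JOB_USER,
           ENTRY_TIMESTAMP,
           rtrim(substr(D, 12, 10)) as CMD_LIBRARY,
           rtrim(substr(D, 2, 10))  as CMD_NAME,
           substr(D, 30, 1)         as FROM_CL_PGM
        from RAW_CD
)
select JOB_USER,
       CMD_LIBRARY,
       CMD_NAME,
       FROM_CL_PGM,
       count(*)             as TIMES_RUN,
       min(ENTRY_TIMESTAMP) as FIRST_SEEN,
       max(ENTRY_TIMESTAMP) as LAST_SEEN
    from FIELDS
    group by JOB_USER, CMD_LIBRARY, CMD_NAME, FROM_CL_PGM
    order by TIMES_RUN desc
```

Only commands that already have object auditing turned on (Step 1) appear in the summary, and the CCSID 65535 translation note above applies to this statement as well.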
 


Document Information

Modified date:
02 December 2025

UID

ibm16557014