Auditing the use of Job Scheduler Commands

Question & Answer

Question

How do you audit the use of the commands that perform Job Scheduler actions on the System.

Answer

By turning on Object Auditing on the Job Scheduler Commands, we can track who is using the commands to perform actions on the system.

Before you start, verify that the QAUDJRN exist and that you are tracking of object usage operations.

Use the DSPSECAUD command and make sure the following settings are configured on your system:

  Security journal QAUDJRN exists . . . . . :   YES    
Current QAUDCTL system value  . . . . . . :  *OBJAUD

If not there, use the CHGSECAUD command to add them to your system.

Step 1.

Turn on object auditing on the commands that are used to perform actions on the Job Scheduler:

  CHGOBJAUD OBJ(ADDJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(CHGJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(HLDJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(RLSJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(RMVJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(WRKJOBSCDE) OBJTYPE(*CMD) OBJAUD(*ALL)

Step 2

Using the SQL DISPLAY_JOURNAL table function you can create a report.

Authorization:

You must have *USE authority to the journal and to all requested journal receivers.
*OBJEXIST authority is required to the journal if object-name is omitted or if object-name specifies an object that no longer exists.
If object-name is *ALL, you must be authorized to every object associated with a journal entry.

Using the RUN SQL Scripts tool, run the following SQL Statement:

  SELECT object AS command,
       Job_name,
       job_user,
       job_number,
       entry_timestamp,
       SUBSTR(CAST(entry_data AS CHAR(2048)), 31, 1000) AS command_string
    FROM TABLE (
            QSYS2.DISPLAY_JOURNAL(
                JOURNAL_LIBRARY => 'QSYS',
                JOURNAL_NAME => 'QAUDJRN',
                STARTING_RECEIVER_NAME => '*CURCHAIN', JOURNAL_ENTRY_TYPES => 'CD',
                STARTING_TIMESTAMP => '2020-07-09 08:00:00.000000', ENDING_TIMESTAMP => '2020-07-09 08:14:00')
        )
    WHERE object LIKE '%SCDE%'

Note 1: Modify the time and date on the SQL to the wanted one.

Note 2: If Hexadecimal data is displayed on the report, you need to change the JDBC connection properties to translate the CCSID to 65535. On the Run SQL tool, select the Connection Menu > JDBC Connection > Edit > Translation and click on Translate CCSID 65535. Save the connection and reconnect to run the SQL.

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.2;7.3;7.4","Line of Business":{"code":"LOB57","label":"Power"}}]

Was this topic helpful?

Document Information

More support for:
IBM i

Component:
Security

Software version:
7.2, 7.3, 7.4

Operating system(s):
IBM i

Document number:
6245364

Modified date:
16 February 2022

UID

ibm16245364

IBM Support

Tips