IBM Support

Auditing the Use Of Programs

Question & Answer


Question

How do you audit the use operation of programs on the System.

Answer

According to the Security Reference manual,  the IBM i operating system provides the ability to log accesses to an object in the security audit journal. This is called object auditing. This document describes how to enable  object auditing on a program object and how to analyze the results.

Chapter 9 of the Security Reference  manual,  documents the use of the CHGOBJAUD command. 
 
Step 1: Enabling Object Auditing on the System.
 
First, verify that the QAUDJRN journal exists and that you are tracking for Object Auditing operations *OBJAUD. Use the DSPSECAUD command and make sure the following settings are configured on your system:
  
  Security journal QAUDJRN exists . . . . . :  YES    
Current QAUDCTL system value  . . . . . . : *AUDLVL *OBJAUD
 
If not listed, use the CHGSECAUD command to add them to your system.  The value *OBJAUD for the QAUDCTL system value is required to audit the use of objects.  
 
Step 2: Enabling Object Auditing on Program Objects:
 
Enable object auditing on the program object:
CHGOBJAUD OBJ(V6CASTIL/ADPAUT) OBJTYPE(*PGM) OBJAUD(*ALL)
NOTE: For this example, we are turning on auditing on the program ADPAUT in library V6CASTIL, replace the object name, library on the program object to be audited. 
NOTE 2: Repeat for any other program objects.
 
Step 3: Analyzing the Results:   
 
For releases 7.4, 7.5:
 
NOTE:  This SQL sample uses the AUDIT_JOURNAL_ZR table function only available on Releases  7.4 and 7.5.  For older releases, you can use the CPYAUDJNRE command. 
NOTE 2: The SQL table function is available with the following PTFs:
  • V7.6: Base
  • R750:  Base, Enhanced: SF99950 Level 3
  • R740:  SF99704 Level 13, Enhanced: SF99704 Level 23
 
Step 1:  Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ENTRY_TIMESTAMP,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       OBJECT_NAME AS Program_name,
       LIBRARY_NAME AS Library_name,
       OBJECT_TYPE,
       ENTRY_TYPE,
       ENTRY_TYPE_DETAIL,
       ACCESS_TYPE,
       ACCESS_TYPE_DETAIL
    FROM TABLE (
            SYSTOOLS.AUDIT_JOURNAL_ZR(STARTING_TIMESTAMP => CURRENT TIMESTAMP - 7 DAYS)
        )
    WHERE OBJECT_TYPE = '*PGM'
image-20250312083543-1
NOTE:  Adjust the Time Frame on the SQL. The sample uses a period of 7 days.

[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"TS018724062","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.4.0;7.5.0;7.6.0"}]

Document Information

Modified date:
17 April 2025

UID

ibm17185538

Page Feedback