Question & Answer
Question
How do you audit User profiles for Command String Operations?
Cause
According to the Security Reference manual, the IBM i Operating System provides the ability to audit user profiles for Command String Operations. A user profile command usage is logged when commands are used via the Command Line or via Batch Jobs.
This document describes how to enable User Auditing and how to analyze the results.
Chapter 9 of the Security Reference manual, documents the use of the CHGUSRAUD command.
Chapter 9 of the Security Reference manual, documents the use of the CHGUSRAUD command.
Answer
First, verify that the QAUDJRN journal exists and that you are tracking for Object Auditing operations *OBJAUD. Use the DSPSECAUD command and make sure the following settings are configured on your system:
Security journal QAUDJRN exists . . . . . : YES
Current QAUDCTL system value . . . . . . : *OBJAUD If not listed, use the CHGSECAUD command to add them to your system. The value *OBJAUD for the QAUDCTL system value is required to audit the use or change of objects.
Auditing for User Profiles for Command String Operations:
Step 1. Turn on object auditing for the User Profile:
CHGUSRAUD USRPRF(HUGO) AUDLVL(*CMD)Note: For this example, we are turning on auditing for Command Strings operations for user profile HUGO. The command CHGUSRAUD can also be used to audit for other types of operations for user profiles.
Analyzing the Results.
Method 1 for releases 7.3, 7.4, 7.5,7.6:
NOTE: This SQL sample uses the AUDIT_JOURNAL_CD table function only available on Releases 7.3, 7.4, 7.5 and 7.6.
The SQL table function is available with the following PTFs:
- R760: Base
- R750: Base, Enhanced: SF99950 Level 3
- R740: SF99704 Level 15
- R730: SF99703 Level 26
Step 1: Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ENTRY_TIMESTAMP,
JOB_NAME,
JOB_USER,
JOB_NUMBER,
USER_NAME,
ENTRY_TYPE,
ENTRY_TYPE_DETAIL,
OBJECT_LIBRARY,
OBJECT_NAME,
OBJECT_TYPE,
COMMAND_STRING
FROM TABLE (
SYSTOOLS.AUDIT_JOURNAL_CD(STARTING_TIMESTAMP => '2025-06-17 00:00:01', ENDING_TIMESTAMP => '2025-06-17 13:34:00')
)
WHERE USER_NAME = 'HUGO'
NOTE: Adjust the Time and Date.
NOTE 2: Replace HUGO with the name of the User Profile being audited. Use all uppercase letters for the name of the profile.
Method 2 for older releases:
- For older releases, refer to document Security: User Auditing Example.
[{"Type":"MASTER","Line of Business":{"code":"LOB68","label":"Power HW"},"Business Unit":{"code":"BU070","label":"IBM Infrastructure"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.3.0;7.4.0;7.5.0;7.6.0"}]
Was this topic helpful?
Document Information
Modified date:
26 November 2025
UID
ibm17237027