IBM Support

Creating a report for Audit Activity on an IFS Directory

How To


Summary

Create a report that lists all Audit activity on an IFS Directory.

Objective

Use the SQL Service table function QSYS2.DISPLAY_JOURNAL() to create a report of activity in IFS objects.

Environment

The DISPLAY_JOURNAL() SQL function is only available on R720 and later releases of the Operating System.  

Steps

First, verify that the QAUDJRN journal exists and that you are tracking for Audit operations. Use the DSPSECAUD command and make sure the following settings are configured on your system:
  
  Security journal QAUDJRN exists . . . . . :  YES    
Current QAUDCTL system value  . . . . . . : *AUDLVL *OBJAUD
Current QAUDLVL system value  . . . . . . : *CREATE *DELETE *AUTFAIL *SAVRST *SECRUN *OBJMGT *SECURITY
 
If not listed, use the CHGSECAUD command to add them to your system.  The values for the QAUDLVL system value track the most common IFS operations on the System. 
Next, to start auditing Read and Change Operations on a specific IFS object, enable auditing with the following command:
CHGAUD OBJ('/home/v6castil/aut2.txt') OBJAUD(*ALL)
The following command enables auditing for read and change operations for all newly created objects in the directory /home/DirA:
CHGATR OBJ('/home/DirA/') ATR(*CRTOBJAUD) VALUE(*ALL)
Finally, query the audit journal once there has been activity against the IFS object(s).
Example for a directory on the IFS: 
The following sample report shows all audit activity for the /home directory and for all active AUDIT types:
Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ENTRY_TIMESTAMP AS Time_stamp,
       JOURNAL_ENTRY_TYPE AS Audit_type,
       SUBSTR(CAST(entry_data AS CHAR(2048)), 1, 1) AS Entry_type,
       USER_NAME,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       "CURRENT_USER",
       PATH_NAME,
       SUBSTR(CAST(entry_data AS CHAR(12096)), 6482, 5000) AS New_path_name
    FROM TABLE (
            QSYS2.DISPLAY_JOURNAL(
                JOURNAL_LIBRARY => 'QSYS',
                JOURNAL_NAME => 'QAUDJRN',
                STARTING_RECEIVER_NAME => '*CURCHAIN', JOURNAL_ENTRY_TYPES => '*ALL', STARTING_TIMESTAMP => '2022-05-18 07:00:00',
                ENDING_TIMESTAMP => '2022-05-18 08:39:00')
--change date/time as appropriate
        )
    WHERE PATH_NAME LIKE '/home/%' or PATH_NAME like '/HOME/%';
image-20220518111805-1
Note 1: Specify the PATH_NAME field in all uppercase letters and lowercase letters.
Note 2: Modify the time and date on the query as appropriate.
Note 3: If Hexadecimal data is displayed in the query output, change the JDBC connection properties to translate the CCSID from 65535. On the Run SQL tool, select the Connection Menu > Connected > Edit JDBC Connection > Translation and click on Translate CCSID 65535. Save the connection and reconnect to run the SQL.

Example for the /root directory on the IFS: 

The following sample report shows all audit activity for the '/'  root  directory and for all active AUDIT types:
Using the Run SQL Scripts tool, run the following SQL Statement:
SELECT ENTRY_TIMESTAMP AS Time_stamp,
       JOURNAL_ENTRY_TYPE AS Audit_type,
       SUBSTR(CAST(entry_data AS CHAR(2048)), 1, 1) AS Entry_type,
       USER_NAME,
       JOB_NAME,
       JOB_USER,
       JOB_NUMBER,
       "CURRENT_USER",
       PATH_NAME,
       SUBSTR(CAST(entry_data AS CHAR(12096)), 6482, 5000) AS New_path_name
    FROM TABLE (
            QSYS2.DISPLAY_JOURNAL(
                JOURNAL_LIBRARY => 'QSYS',
                JOURNAL_NAME => 'QAUDJRN',
                STARTING_RECEIVER_NAME => '*CURCHAIN', JOURNAL_ENTRY_TYPES => '*ALL', STARTING_TIMESTAMP => '2022-08-12 06:50:00',
                ENDING_TIMESTAMP => '2022-08-17 07:02:00')
--change date/time as appropriate
        )
    WHERE PATH_NAME NOT LIKE '/%/'
          AND path_name NOT LIKE '/%/%';
image-20220817073919-1

Additional Information

Authorization:
  • You must have *USE authority to the journal and to all requested journal receivers.
  • *OBJEXIST authority is required to the journal if object-name is omitted or if object-name specifies an object that no longer exists.
  • If object-name is *ALL, you must be authorized to every object associated with a journal entry.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.2.0;7.3.0;7.4.0;7.5.0"}]

Document Information

Modified date:
21 March 2023

UID

ibm16587511

Page Feedback