Extend CD (Command String) journal entries
The IBM i operating system allows customers to track the CL commands that are being run by a user. Auditing needs to be active before command-level auditing can be done. The Change Security Auditing (CHGSECAUD) command allows you to change the current settings for the system values that control what is being audited on the system. To turn on command-level auditing for a user profile, run the Change User Audit (CHGUSRAUD) command specifying the user profile name for the USRPRF parameter and *CMD for the AUDLVL parameter. This will cause CD (Command String) audit records to be generated for each CL command run by the specified user profile. The model file QASYCDJ5 describes the fields in CD audit records. One of these fields, CDCLP, has been redefined to convey more information concerning how the audited CL command was run.
The change to CDCLP was made via PTF SI44865 to the 7.1 release of IBM i.
Before the PTF, CDCLP was 'Y' if the command was run from a compiled OPM CL program, a compiled ILE CL module that is part of an ILE program or service program, or an interpreted REXX procedure; in all other cases CDCLP was 'N'. The documentation for this field in the IBM i Information Center describes this field as 'Run from a CL program' with 'Y' and 'N' possible values.
After the PTF is applied, the CDCLP field will still have a value of 'Y' if the CL command is run from a compiled CL object, which could be an OPM CL program or an ILE CL module bound into an ILE program or service program. CDCLP will have a value of 'R' to indicate that the CL command is being run from an interpreted REXX procedure. CDCLP will have a value of 'E' to indicate that the command was submitted by passing the command string as a parameter to one of the Command Analyzer APIs: QCMDEXC, QCAPCMD, or QCAEXEC. CDCLP will have a value of 'B' when the command is not being run from compiled CL or interpreted REXX or through a Command Analyzer API, and is in a batch job. The typical cases for a 'B' value would be if the command is in a batch job stream run by using the Start Database Reader (STRDBRDR) or Submit Database Job (SBMDBJOB) command, or is specified for the CMD (Command to run) parameter on a Submit Job (SBMJOB) command. The current value of 'N' will indicate that the command was run interactively from a command line or by choosing a menu option that runs a CL command.
The new values for the CDCLP field map to the values for the ALLOW (Where allowed to run) parameter on the Create Command (CRTCMD) command as follows:
'Y' maps to *IPGM, *BPGM, *IMOD, *BMOD
'R' maps to *IREXX, *BREXX
'E' maps to *EXEC
'B' maps to *BATCH
'N' maps to *INTERACT
Code that checks the CDCLP field for values of 'Y' and 'N' should be examined to see whether it also needs to check for any of the new field values.
1) The CD audit record also contains field CDETYP which is normally a ‘C’ (Command run). If the command is run through a proxy command, there will be an ‘X’ (Proxy command) audit record followed by a ‘C’ audit record. If the command that is run was changed to a different command by an exit program registered for the command, the CDETYP field will be ‘S’ (Substitute command) instead of ‘C’.
2) The entry-specific data for a proxy command (‘X’ entry type) will always be 30 bytes long and consist of an entry type of ‘X’ followed by the proxy command name and library name followed by an 8-character object type value of *CMD followed by the CDCLP field.
3) The entry-specific data for a regular command (‘C’ entry type) or substituted command (‘S’ entry type) will be at least 30 bytes long. In addition, the audit record will contain a copy of the CL command string being run, unless the command is in a CL program or CL procedure compiled with LOG(*NO). If the command being run was in a library on an independent auxiliary storage pool, the entry-specific data will be 6045 bytes consisting of the standard 30-byte header followed by 6000 bytes for the CL command string followed by the independent ASP device name followed by the 5-digit independent ASP number.
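The record layout in notes 2 and 3 and the CDCLP-to-ALLOW mapping above, combined into a parser as an added example (not IBM code). It assumes the entry-specific data is EBCDIC CCSID 37 (Python codec cp037) and that the 30-byte header divides into 1 + 10 + 10 + 8 + 1 bytes; build_sample and the values passed to it are constructed for illustration.

```python
# Added example, not IBM code. Assumptions: entry-specific data is EBCDIC CCSID 37
# (Python codec cp037) and the 30-byte header splits as 1 + 10 + 10 + 8 + 1 bytes.
CDCLP_ALLOW = {
    "Y": ("*IPGM", "*BPGM", "*IMOD", "*BMOD"),
    "R": ("*IREXX", "*BREXX"),
    "E": ("*EXEC",),
    "B": ("*BATCH",),
    "N": ("*INTERACT",),
}
ENTRY_TYPES = ("C", "X", "S")
HEADER_LEN, CMD_LEN, IASP_LEN = 30, 6000, 6045

def parse_cd_entry(esd, codec="cp037"):
    """Decode one CD entry; raise ValueError on layouts the page does not describe."""
    if len(esd) < HEADER_LEN:
        raise ValueError("CD entry shorter than the 30-byte header")
    text = esd.decode(codec)  # single-byte codec: character index == byte offset
    etype, cdclp = text[0], text[29]
    if etype not in ENTRY_TYPES:
        raise ValueError(f"unexpected CDETYP {etype!r}")
    if etype == "X" and len(esd) != HEADER_LEN:
        raise ValueError("proxy ('X') entries are always 30 bytes")
    rec = {
        "entry_type": etype,
        "command": text[1:11].rstrip(),
        "library": text[11:21].rstrip(),
        "object_type": text[21:29].rstrip(),
        "cdclp": cdclp,
        # None marks a value this table does not know; never fold it into 'N'.
        "allow": CDCLP_ALLOW.get(cdclp),
        # None when no command string is present, e.g. CL compiled with LOG(*NO).
        "command_string": text[HEADER_LEN:HEADER_LEN + CMD_LEN].rstrip() or None,
        "iasp_device": None,
        "iasp_number": None,
    }
    if len(esd) == IASP_LEN:  # command was in a library on an independent ASP
        rec["iasp_device"] = text[6030:6040].rstrip()
        rec["iasp_number"] = int(text[6040:6045])
    return rec

def build_sample(etype, cmd, lib, cdclp, cmd_string=""):
    """Build a constructed (not captured) entry for demonstration."""
    head = f"{etype}{cmd:<10}{lib:<10}{'*CMD':<8}{cdclp}"
    return (head + cmd_string).encode("cp037")

if __name__ == "__main__":
    raw = build_sample("C", "DLTF", "QSYS", "E", "DLTF FILE(APPLIB/ORDERS)")
    print(parse_cd_entry(raw))
```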
Reference material IBM i Knowledge Center:
IBM i 7.4 - CD (Command String) journal entries documentation
09 January 2020