IBM Support

Tracking the use of Save Operation commands.

Question & Answer


Question

How to you track the use of the commands that perform Save Operations on the System.

Answer

By turning on Object Auditing on the Save Operation Commands, we can track who is using the commands to save data on the system.

Before you start, verify that the QAUDJRN exist and that you are tracking of object usage operations.

Use the DSPSECAUD command and make sure the following settings are configured on your system:

  Security journal QAUDJRN exists . . . . . :   YES    
Current QAUDCTL system value  . . . . . . :  *OBJAUD
If not there, use the CHGSECAUD command to add them to your system.

Step 1.
Turn on object auditing on the commands that are used to save objects:

  CHGOBJAUD OBJ(SAVOBJ) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(SAVLIB) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(SAVSYS) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(SAVCFG) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(SAVJ) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(SAVDLOJ) OBJTYPE(*CMD) OBJAUD(*ALL)   
CHGOBJAUD OBJ(SAVSECDTA) OBJTYPE(*CMD) OBJAUD(*ALL)
Note:  You can add additional Save Commands if needed.

Step 2
Using the SQL DISPLAY_JOURNAL table function you can create a report for save operations.

Authorization:
  • You must have *USE authority to the journal and to all requested journal receivers.
  • *OBJEXIST authority is required to the journal if object-name is omitted or if object-name specifies an object that no longer exists.
  • If object-name is *ALL, you must be authorized to every object associated with a journal entry.
Using the RUN SQL Scripts tool, run the following SQL Statement:

  SELECT object AS command,
       Job_name,
       job_user,
       job_number,
       entry_timestamp,
       SUBSTR(CAST(entry_data AS CHAR(2048)), 31, 1000) AS command_string
    FROM TABLE (
            QSYS2.DISPLAY_JOURNAL(
                JOURNAL_LIBRARY => 'QSYS',
                JOURNAL_NAME => 'QAUDJRN',
                STARTING_RECEIVER_NAME => '*CURCHAIN', JOURNAL_ENTRY_TYPES => 'CD',
                STARTING_TIMESTAMP => '2020-07-08 07:00:00.000000', ENDING_TIMESTAMP => '2020-07-08 09:52:00')
        )
    WHERE object LIKE '%SAV%'

image 4983

Note 1: Modify the time and date on the SQL to the wanted one.
Note 2:  If Hexadecimal data is displayed in the report, you need to change the JDBC connection properties to translate the CCSID to 65535.   On the Run SQL tool, select the Connection Menu > JDBC Connection > Edit > Translation and click on Translate CCSID 65535.  Save the connection and reconnect to run the SQL.

Note 3:  You need to keep the '%' at both the beginning and after on the SAV command.



[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"ARM Category":[{"code":"a8m0z0000000CHyAAM","label":"Security"}],"ARM Case Number":"TS003914593","Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.2;7.3;7.4","Line of Business":{"code":"LOB57","label":"Power"}}]

Document Information

More support for:
IBM i

Component:
Security

Software version:
7.2, 7.3, 7.4

Operating system(s):
IBM i

Document number:
6244984

Modified date:
11 November 2020

UID

ibm16244984

Manage My Notification Subscriptions

Page Feedback