Action auditing values
This table lists the possible values available on the QAUDLVL and QAUDLVL2 system values and the CHGUSRAUD command when auditing actions of the system.
Possible value | Available on QAUDLVL and QAUDLVL2 system values | Available on CHGUSRAUD command | Description |
---|---|---|---|
*NONE | Yes | Yes | If the QAUDLVL system value is *NONE, no actions are logged on a system-wide basis. Actions are logged for individual users based on the AUDLVL value in their user profiles. If the AUDLVL value in a user profile is *NONE, no additional action auditing is done for this user. Any actions specified for the QAUDLVL system value are logged for this user. |
*ATNEVT | Yes | No | Attention events: The system writes a journal entry for events that require further examination. With this information, you can determine the potential significance of the attention event to the system. |
*AUTFAIL | Yes | Yes | Authorization failures: Unsuccessful attempts to sign on the system and to access objects are logged. *AUTFAIL can be used regularly to monitor users trying to perform unauthorized functions on the system. *AUTFAIL can also be used to assist with migration to a higher security level and to test resource security for a new application. |
*CMD | No | Yes | Commands: The system logs command strings run by a user. If a command is run from a CL program that is created with LOG(*NO) and ALWRTVSRC(*NO), then only the command name and library name are logged. *CMD can be used to record the actions of a particular user, such as the security officer. |
*CREATE | Yes | Yes | Creating objects: The system writes a journal entry when a new or replacement object is created. *CREATE can be used to monitor when programs are created or recompiled. |
*DELETE | Yes | Yes | Deleting objects: The system writes a journal entry when an object is deleted. |
*JOBBAS | Yes | Yes | Job base functions: Actions that affect a job are logged, such as starting or stopping a job, holding, releasing, canceling, or changing the job. |
*JOBCHGUSR | Yes | Yes | Job change user: Changes to a thread's active user profile or its group profiles are logged. |
*JOBDTA | Yes | Yes | Job tasks: Actions that affect a job are logged, such as starting or stopping a job, holding, releasing, canceling, or changing the job, changing the thread's active user profile or group profile. *JOBDTA can be used to monitor who is running batch jobs. *JOBDTA is composed of two values, which are *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing. |
*NETBAS | Yes | Yes | Network base functions: IP rules actions, sockets connections, APPN directory search filter, APPN end point filter. |
*NETCLU | Yes | Yes | Cluster or cluster resource group operations: An audit journal entry is written when any of these events occur: |
*NETCMN | Yes | Yes | Network communications auditing: The violations detected by the APPN Filter support are logged to the security auditing journal when the Directory search filter and the End point filter are audited. *NETCMN is composed of several values to allow you to better customize your auditing. The following values make up *NETCMN: *NETBAS |
*NETFAIL | Yes | Yes | Network failures: An audit journal entry is written when trying to connect to a TCP/IP port that does not exist, or trying to send information to a TCP/IP port that is not open or available. |
*NETSCK | Yes | Yes | Socket tasks: An audit journal entry is written when any of these events occur: |
*OBJMGT | Yes | Yes | Object management tasks: Moving an object to a different library or renaming it is logged. *OBJMGT can be used to detect copying confidential information by moving the object to a different library. |
*OPTICAL | Yes | Yes | Optical functions: All optical functions are audited, including functions related to optical files, optical directories, optical volumes, and optical cartridges. *OPTICAL can be used to detect attempts to create or delete an optical directory. |
*PGMADP | Yes | Yes | Adopting authority: The system writes a journal entry when adopted authority is used to gain access to an object. *PGMADP can be used to test where and how a new application uses adopted authority. |
*PGMFAIL | Yes | Yes | Program failures: The system writes a journal entry when a program causes an integrity error. *PGMFAIL can be used to assist with migration to a higher security level or to test a new application. |
*PRTDTA | Yes | Yes | Printing functions: Printing a spooled file, printing directly from a program, or sending a spooled file to a remote printer is logged. *PRTDTA can be used to detect printing confidential information. |
*SAVRST | Yes | Yes | Restore operations: *SAVRST can be used to detect attempts to restore unauthorized objects. |
*SECCFG | Yes | Yes | Security configuration: An audit journal entry is written when any of these events occur: |
*SECDIRSRV | Yes | Yes | Directory service functions: An audit journal entry is written when any of these events occur: |
*SECIPC | Yes | Yes | Interprocess communications: An audit journal entry is written when any of these events occur: |
*SECNAS | Yes | Yes | Network authentication service actions: An audit journal entry is written when any of these events occur: |
*SECRUN | Yes | Yes | Security runtime functions: Changes to object ownership, authority, and primary group are written to the audit journal. |
*SECSCKD | Yes | Yes | Socket descriptors: An audit journal entry is written when any of these events occur: |
*SECVFY | Yes | Yes | Verification functions: An audit journal entry is written when any of these events occur: |
*SECVLDL | Yes | Yes | Validation list operations: An audit journal entry is written when any of these events occur: |
*SECURITY | Yes | Yes | Security tasks: Security-relevant events, such as changing a user profile or system value, are logged. *SECURITY can be used to keep a record of all security activity. *SECURITY is composed of several values to allow you to better customize your auditing. The following values make up *SECURITY: *SECCFG |
*SERVICE | Yes | Yes | Service tasks: The use of service tools, such as DMPOBJ (Dump Object) and STRCPYSCN (Start Copy Screen), is logged. *SERVICE can be used to detect attempts to circumvent security by using service tools. |
*SPLFDTA | Yes | Yes | Operations on spooled files: Actions performed on spooled files are logged, including creating, copying, and sending. *SPLFDTA can be used to detect attempts to print or send confidential data. |
*SYSMGT | Yes | Yes | Systems management tasks: The system writes a journal entry for systems management activities, such as changing a reply list or the power on/off schedule. *SYSMGT can be used to detect attempts to use systems management functions to circumvent security controls. |