Action auditing values

This table lists the possible values available on the QAUDLVL and QAUDLVL2 system values and the CHGUSRAUD command when auditing actions of the system.

Table 1. Action auditing values
Possible value | Available on QAUDLVL and QAUDLVL2 system values | Available on CHGUSRAUD command | Description
*NONE Yes Yes If the QAUDLVL system value is *NONE, no actions are logged on a system-wide basis. Actions are logged for individual users based on the AUDLVL value in their user profiles.

If the AUDLVL value in a user profile is *NONE, no additional action auditing is done for this user. Any actions specified for the QAUDLVL system value are logged for this user.

*ATNEVT Yes No Attention events: The system writes a journal entry for events that require further examination. With this information, you can determine the potential significance of the attention event to the system.
*AUTFAIL Yes Yes Authorization failures: Unsuccessful attempts to sign on the system and to access objects are logged. *AUTFAIL can be used regularly to monitor users trying to perform unauthorized functions on the system. *AUTFAIL can also be used to assist with migration to a higher security level and to test resource security for a new application.
*CMD No Yes Commands: The system logs command strings run by a user. If a command is run from a CL program that is created with LOG(*NO) and ALWRTVSRC(*NO), then only the command name and library name are logged. *CMD can be used to record the actions of a particular user, such as the security officer.
*CREATE Yes Yes Creating objects: The system writes a journal entry when a new or replacement object is created. *CREATE can be used to monitor when programs are created or recompiled.
*DELETE Yes Yes Deleting objects: The system writes a journal entry when an object is deleted.
*JOBBAS Yes Yes Job base functions: Actions that affect a job are logged, such as starting or stopping a job, holding, releasing, canceling, or changing the job.
*JOBCHGUSR Yes Yes Job change user: Changes to a thread's active user profile or its group profiles are logged.
*JOBDTA Yes Yes Job tasks: Actions that affect a job are logged, such as starting or stopping a job, holding, releasing, canceling, or changing the job, changing the thread's active user profile or group profile. *JOBDTA can be used to monitor who is running batch jobs.

*JOBDTA is composed of two values, which are *JOBBAS and *JOBCHGUSR, to enable you to better customize your auditing.

*NETBAS Yes Yes Network base functions: IP rules actions, sockets connections, APPN directory search filter, APPN end point filter.
*NETCLU Yes Yes Cluster or cluster resource group operations: An audit journal entry is written when any of these events occur:
  • A cluster node or cluster resource group is added, created, or deleted.
  • A cluster node or cluster resource group is started, ended, updated, or removed.
  • A system fails and access is automatically switched to another system.
  • Access is manually switched from one system to another system in a cluster.
*NETCMN Yes Yes Network communications auditing: The violations detected by the APPN Filter support are logged to the security auditing journal when the Directory search filter and the End point filter are audited.
*NETCMN is composed of several values to allow you to better customize your auditing. The following values make up *NETCMN:

*NETBAS
*NETCLU
*NETFAIL
*NETSCK

*NETFAIL Yes Yes Network failures: An audit journal entry is written when trying to connect to a TCP/IP port that does not exist, or trying to send information to a TCP/IP port that is not open or available.
*NETSCK Yes Yes Socket tasks: An audit journal entry is written when any of these events occur:
  • An inbound TCP/IP socket connection is accepted.
  • An outbound TCP/IP socket connection is established.
  • An IP address is assigned through DHCP (Dynamic Host Configuration Protocol).
  • An IP address is unable to be assigned through DHCP because all of the IP addresses are being used.
  • Mail is filtered or rejected.
*OBJMGT Yes Yes Object management tasks: Moving an object to a different library or renaming it is logged. *OBJMGT can be used to detect copying confidential information by moving the object to a different library.
*OPTICAL Yes Yes Optical functions: All optical functions are audited, including functions related to optical files, optical directories, optical volumes, and optical cartridges. *OPTICAL can be used to detect attempts to create or delete an optical directory.
*PGMADP Yes Yes Adopting authority: The system writes a journal entry when adopted authority is used to gain access to an object. *PGMADP can be used to test where and how a new application uses adopted authority.
*PGMFAIL Yes Yes Program failures: The system writes a journal entry when a program causes an integrity error. *PGMFAIL can be used to assist with migration to a higher security level or to test a new application.
*PRTDTA Yes Yes Printing functions: Printing a spooled file, printing directly from a program, or sending a spooled file to a remote printer is logged. *PRTDTA can be used to detect printing confidential information.
*SAVRST Yes Yes Restore operations: *SAVRST can be used to detect attempts to restore unauthorized objects.
*SECCFG Yes Yes Security configuration: An audit journal entry is written when any of these events occur:
  • User profiles are created, changed, deleted, or restored.
  • Changes are made to programs, system values, subsystem routing, or to the auditing attributes of an object.
  • The QSECOFR password is reset to the shipped value.
  • The service tools security officer password is defaulted.
*SECDIRSRV Yes Yes Directory service functions: An audit journal entry is written when any of these events occur:
  • Changes or updates are made to auditing, authority, passwords, and ownership.
  • Successful binds and unbinds.
  • Changes are made to directory security policies (for example, password policy).
*SECIPC Yes Yes Interprocess communications: An audit journal entry is written when any of these events occur:
  • Changes are made to the ownership or authority of an IPC object.
  • An IPC object is created, deleted, or retrieved.
  • Shared memory attach.
*SECNAS Yes Yes Network authentication service actions: An audit journal entry is written when any of these events occur:
  • Service ticket invalid.
  • Service principals do not match.
  • Client principals do not match.
  • Ticket IP address mismatch.
  • Decryption of the ticket failed.
  • Decryption of the authentication failed.
  • Realm is not within client and local realms.
  • Ticket is a replay attempt.
  • Ticket not yet valid.
  • Remote or local IP address mismatch.
  • Decryption of KRB_AP_PRIV or KRB_AP_SAFE checksum error.
  • For KRB_AP_PRIV or KRB_AP_SAFE: Timestamp error, replay error, or sequence order error.
  • For GSS accept: Expired credentials, checksum error, or channel bindings.
  • For GSS unwrap or GSS verify: Expired context, decrypt/decode, checksum error, or sequence error.
*SECRUN Yes Yes Security runtime functions: Changes to object ownership, authority, and primary group are written to the audit journal.
*SECSCKD Yes Yes Socket descriptors: An audit journal entry is written when any of these events occur:
  • A socket descriptor is given to another job.
  • A socket descriptor is received.
  • A socket descriptor is unusable.
*SECVFY Yes Yes Verification functions: An audit journal entry is written when any of these events occur:
  • A profile handle or token is generated.
  • All profile tokens were invalidated.
  • The maximum number of profile tokens has been generated.
  • All profile tokens for a user have been removed.
  • A user profile has been authenticated.
  • A target profile was changed during a pass-through session.
*SECVLDL Yes Yes Validation list operations: An audit journal entry is written when any of these events occur:
  • A validation list entry is added, changed, removed, or found.
  • Successful or unsuccessful verification of a validation list entry.
*SECURITY Yes Yes Security tasks: Security-relevant events, such as changing a user profile or system value, are logged. *SECURITY can be used to keep a record of all security activity.
*SECURITY is composed of several values to allow you to better customize your auditing. The following values make up *SECURITY:

*SECCFG
*SECDIRSRV
*SECIPC
*SECNAS
*SECRUN
*SECSCKD
*SECVFY
*SECVLDL

*SERVICE Yes Yes Service tasks: The use of service tools, such as DMPOBJ (Dump Object) and STRCPYSCN (Start Copy Screen), is logged. *SERVICE can be used to detect attempts to circumvent security by using service tools.
*SPLFDTA Yes Yes Operations on spooled files: Actions performed on spooled files are logged, including creating, copying, and sending. *SPLFDTA can be used to detect attempts to print or send confidential data.
*SYSMGT Yes Yes Systems management tasks: The system writes a journal entry for systems management activities, such as changing a reply list or the power on/off schedule. *SYSMGT can be used to detect attempts to use systems management functions to circumvent security controls.
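
The following added example (not IBM code) works out which actions are logged for one user by combining the system-wide values with the AUDLVL in the user profile, expanding *JOBDTA, *NETCMN and *SECURITY into their members and rejecting values the table marks as unavailable for that scope. The function names and the sample settings are hypothetical; the value lists are transcribed from Table 1.

```python
"""Added example: effective action auditing for one user, based on Table 1."""

# Composite values and their members, as listed in the table.
COMPOSITES = {
    "*JOBDTA": {"*JOBBAS", "*JOBCHGUSR"},
    "*NETCMN": {"*NETBAS", "*NETCLU", "*NETFAIL", "*NETSCK"},
    "*SECURITY": {"*SECCFG", "*SECDIRSRV", "*SECIPC", "*SECNAS",
                  "*SECRUN", "*SECSCKD", "*SECVFY", "*SECVLDL"},
}
# Non-composite values available on both the system values and CHGUSRAUD.
_SIMPLE = ("*AUTFAIL *CREATE *DELETE *JOBBAS *JOBCHGUSR *NETBAS *NETCLU "
           "*NETFAIL *NETSCK *OBJMGT *OPTICAL *PGMADP *PGMFAIL *PRTDTA "
           "*SAVRST *SECCFG *SECDIRSRV *SECIPC *SECNAS *SECRUN *SECSCKD "
           "*SECVFY *SECVLDL *SERVICE *SPLFDTA *SYSMGT").split()
BOTH = set(_SIMPLE) | set(COMPOSITES) | {"*NONE"}
ALLOWED = {
    "system": BOTH | {"*ATNEVT"},  # *ATNEVT: QAUDLVL/QAUDLVL2 only
    "user": BOTH | {"*CMD"},       # *CMD: CHGUSRAUD only
}


def expand(values, scope):
    """Validate values for 'system' or 'user' scope and expand composites."""
    atomic = set()
    for value in (v.strip().upper() for v in values):
        if value not in ALLOWED[scope]:
            raise ValueError(f"{value} is not available at {scope} scope")
        if value != "*NONE":  # *NONE contributes no actions
            atomic |= COMPOSITES.get(value, {value})
    return atomic


def effective_audit(system_values, user_values):
    """Actions logged for a user: system-wide values plus the user's AUDLVL."""
    return expand(system_values, "system") | expand(user_values, "user")


def missing(required, system_values, user_values):
    """Required actions (composites allowed) that are not logged for the user."""
    need = set()
    for value in required:
        need |= COMPOSITES.get(value, {value})
    return need - effective_audit(system_values, user_values)


if __name__ == "__main__":
    # Constructed sample settings, not taken from a real system.
    qaudlvl = ["*AUTFAIL", "*SECCFG", "*SECRUN", "*SERVICE"]
    user_audlvl = ["*CMD", "*JOBDTA"]
    print(sorted(effective_audit(qaudlvl, user_audlvl)))
    print(sorted(missing(["*SECURITY", "*AUTFAIL"], qaudlvl, user_audlvl)))
```
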