Change User Auditing (CHGUSRAUD)
| Where allowed to run: All environments (*ALL) Threadsafe: No |
Parameters Examples Error messages |
The CHGUSRAUD (Change User Audit) command allows a user with audit (*AUDIT) special authority to set up or change auditing for a user. The system value QAUDCTL controls turning auditing on and off. The auditing attributes of a user profile can be displayed with the Display User Profile (DSPUSRPRF) command.
Note: The changes made by CHGUSRAUD take effect the next time a job is started for this user.
| Top |
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| USRPRF | User profile | Values (up to 50 repetitions): Simple name | Required, Positional 1 |
| OBJAUD | Object auditing value | *SAME, *NONE, *CHANGE, *ALL | Optional, Positional 2 |
| AUDLVL | User action auditing | Single values: *SAME, *NONE Other values (up to 31 repetitions): *AUTFAIL, *CMD, *CREATE, *DELETE, *JOBBAS, *JOBCHGUSR, *JOBDTA, *NETBAS, *NETCLU, *NETCMN, *NETFAIL, *NETSCK, *OBJMGT, *OFCSRV, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *SAVRST, *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECURITY, *SECVFY, *SECVLDL, *SERVICE, *SPLFDTA, *SYSMGT |
Optional, Positional 3 |
| Top |
User profile (USRPRF)
Specifies one or more user profiles whose auditing values are to be changed. A maximum of 50 user names can be specified.
This is a required parameter.
| Top |
Object auditing value (OBJAUD)
Specifies the object auditing value for the user. This value only takes effect if the object auditing (OBJAUD) value for the object to be accessed has the value *USRPRF.
- *SAME
- The value does not change.
- *NONE
- The auditing value for the object determines when auditing is performed.
- *CHANGE
- All change accesses by this user on all objects with the *USRPRF audit value are logged.
- *ALL
- All change and read accesses by this user on all objects with the *USRPRF audit value are logged.
| Top |
User action auditing (AUDLVL)
Specifies the level of activity that is audited for this user profile.
Note: The system values QAUDLVL and QAUDLVL2 are used in conjunction with this parameter. For example, if QAUDLVL is set to *DELETE and AUDLVL is set to *CREATE, then both *DELETE and *CREATE would be audited for this user. The default value for the QAUDLVL and QAUDLVL2 system values is *NONE.
Single values
- *SAME
- The value does not change.
- *NONE
- No auditing level is specified. The auditing level for this user is taken from system values QAUDLVL and QAUDLVL2.
Other values (up to 31 repetitions)
- *AUTFAIL
- Authorization failures are audited. The following are some examples:
- All access failures (authorization, job submission)
- Incorrect password entered with a command such as CHKPWD or on a call to an API.
The following will not be audited during an interactive sign-on unless the QAUDLVL or QAUDLVL2 system values include *AUTFAIL, or unless *AUTFAIL has been specified for the QSYS user profile with the Change User Audit (CHGUSRAUD) command:
- Password not valid
- User name not valid
- Attempted signon (user authentication) failed because user profile is disabled.
- *CMD
- CL command strings, System/36 environment operator control commands, and System/36 environment procedures are logged for this user.
- *CREATE
- All object creations are audited. Objects created into library QTEMP are not audited. The following are some examples:
- Newly-created objects
- Objects created to replace an existing object
- *DELETE
- All deletions of external objects on the system are audited. Objects deleted from library QTEMP are not audited.
- *JOBBAS
- Job base functions are audited. The following are some examples:
- Job start and stop data
- Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
- *JOBCHGUSR
- Changes to a thread's active user profile or its group profiles are audited.
- *JOBDTA
- Actions that affect a job are audited. The following are some examples:
- Job start and stop data
- Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
- Changing a thread's active user profile or group profiles
Note: *JOBDTA is composed of two values to allow you to better customize your auditing. If you specify both of the values, you will get the same auditing as if you specified *JOBDTA. The following values make up *JOBDTA.
- *JOBBAS
- *JOBCHGUSR
- *NETBAS
- Network base functions are audited. The following are some examples:
- IP rules actions
- Sockets connections
- APPN Directory search filter
- APPN end point filter
- *NETCLU
- Cluster or cluster resource group operations are audited. The following are some examples:
- Add, create, and delete
- Distribution
- End
- Fail over
- List information
- Removal
- Start
- Switch
- Update attributes
- *NETCMN
- Networking and communications functions are audited. The following are some examples:
- Network base functions (See *NETBAS)
- Cluster or cluster resource group operations (See *NETCLU)
- Network failures (See *NETFAIL)
- Sockets functions (See *NETSCK)
Note: *NETCMN is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *NETCMN. The following values make up *NETCMN.
- *NETBAS
- *NETCLU
- *NETFAIL
- *NETSCK
- *NETFAIL
- Network failures are audited. The following are some examples:
- Socket port not available
- *NETSCK
- Sockets tasks are audited. The following are some examples:
- Accept
- Connect
- Filtered mail
- Reject mail
- *OBJMGT
- Generic object tasks are audited. The following are some examples:
- Moves of objects
- Renames of objects
- *OFCSRV
- OfficeVision are audited. The following are some examples:
- Changes to the system distribution directory
- Tasks involving electronic mail
- *OPTICAL
- All optical functions are audited. The following are some examples:
- Add or remove optical cartridge
- Change the authorization list used to secure an optical volume
- Open optical file or directory
- Create or delete optical directory
- Change or retrieve optical directory attributes
- Copy, move, or rename optical file
- Copy optical directory
- Back up optical volume
- Initialize or rename optical volume
- Convert backup optical volume to a primary volume
- Save or release held optical file
- Absolute read of an optical volume
- *PGMADP
- Adopting authority from a program owner is audited.
- *PGMFAIL
- Program failures are audited. The following are some examples:
- Blocked instruction
- Validation value failure
- Domain violation
- *PRTDTA
- Printing functions with parameter SPOOL(*NO) are audited.
- *SAVRST
- Save and restore information is audited. The following are some examples:
- When programs that adopt their owner's user profile are restored
- When job descriptions that contain user names are restored
- When ownership and authority information changes for objects that are restored
- When the authority for user profiles is restored
- When a system state program is restored
- When a system command is restored
- When an object is restored
- *SECCFG
- Security configuration is audited. The following are some examples:
- Create, change, delete, and restore operations of user profiles
- Changes to programs (CHGPGM) that will now adopt the owner's profile
- Changes to system values, environment variables and network attributes
- Changes to subsystem routing
- When the QSECOFR password is reset to the shipped value from DST
- When the password for the service tools security officer user ID is requested to be defaulted.
- Changes to the auditing attribute of an object
- *SECDIRSRV
- Changes or updates when doing directory service functions are audited. The following are some examples:
- Audit change
- Successful bind
- Authority change
- Password change
- Ownership change
- Successful unbind
- *SECIPC
- Changes to interprocess communications are audited. The following are some examples:
- Ownership or authority of an IPC object changed
- Create, delete or get of an IPC object
- Shared memory attach
- *SECNAS
- Network authentication service actions are audited. The following are some examples:
- Service ticket valid
- Service principals do not match
- Client principals do not match
- Ticket IP address mismatch
- Decryption of the ticket failed
- Decryption of the authenticator failed
- Realm is not within client and local realms
- Ticket is a replay attempt
- Ticket not yet valid
- Remote or local IP address mismatch
- Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
- KRB_AP_PRIV or KRB_AP_SAFE - timestamp error, replay error, sequence order error
- GSS accept - expired credentials, checksum error, channel bindings
- GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, sequence error
- *SECRUN
- Security run time functions are audited. The following are some examples:
- Changes to object ownership
- Changes to authorization list or object authority
- Changes to the primary group of an object
- *SECSCKD
- Socket descriptors are audited. The following are some examples:
- A socket descriptor was given to another job
- Receive descriptor
- Unable to use descriptor
- *SECURITY
- All security-related functions are audited.
- Security configuration (See *SECCFG)
- Changes or updates when doing directory service functions (See *SECDIRSRV)
- Changes to interprocess communications (See *SECIPC)
- Network authentication service actions (See *SECNAS)
- Security run time functions (See *SECRUN)
- Socket descriptor (See *SECSCKD)
- Use of verification functions (See *SECVFY)
- Changes to validation list objects (See *SECVLDL)
Note: *SECURITY is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *SECURITY. The following values make up *SECURITY.
- *SECCFG
- *SECDIRSRV
- *SECIPC
- *SECNAS
- *SECRUN
- *SECSCKD
- *SECVFY
- *SECVLDL
- *SECVFY
- Use of verification functions are audited. The following are some examples:
- A target user profile was changed during a pass-through session
- A profile handle was generated
- All profile tokens were invalidated
- Maximum number of profile tokens has been generated
- A profile token has been generated
- All profile tokens for a user have been removed
- User profile authenticated
- An office user started or ended work on behalf of another user
- *SECVLDL
- Changes to validation list objects are audited. The following are some examples:
- Add, change, remove of a validation list entry
- Find of a validation list entry
- Successful and unsuccessful verify of a validation list entry
- *SERVICE
- For a list of all the service commands and API calls that are audited, see the System i Security Reference, SC41-5302 publication.
- *SPLFDTA
- Spooled file functions are audited. The following are some examples:
- Create, delete, display, copy, hold, and release a spooled file
- Get data from a spooled file (QSPGETSP)
- Change spooled file attributes (CHGSPLFA command)
- *SYSMGT
- System management tasks are audited. The following are some examples:
- Hierarchical file system registration
- Changes for Operational Assistant functions
- Changes to the system reply list
- Changes to the DRDA relational database directory
- Network file operations
| Top |
Examples
CHGUSRAUD USRPRF(FRED) OBJAUD(*CHANGE)
AUDLVL(*CREATE *DELETE)
This command changes the auditing value in the user profile of the user FRED. All objects whose object auditing value is *USRPRF are audited when they are changed by user FRED. All objects that are created and all objects that are deleted will be audited for user FRED. Auditing records are sent to the auditing journal QAUDJRN in QSYS.
| Top |
Error messages
*ESCAPE Messages
- CPF22B0
- Not authorized to change the auditing value.
- CPF22CC
- Auditing value not changed for some user profiles.
| Top |