myITforum and Windows IT Pro Forums

 QAUDJRN entries for SBMJOB

rclark4i

QAUDJRN entries for SBMJOB Sunday, July 23, 2017 11:52 PM (permalink)
I have set OBJAUD to *ALL on the following object types associated with a SBMJOB:
*USRPRF
*JOBD
*JOBQ
*SBSD
*PGM (being called in CMD() of SBMJOB)
and also USRAUD to *ALL for both profiles: PGMRA and ALLOBJUSR
 
Then doing:
SBMJOB CMD(CALL PGM(AUDJRNLOG)) JOB(AUDJRNSBM) JOBD(MYJOBD) USER(ALLOBJUSR) CURLIB(*USRPRF) INLLIBL(*SYSVAL)
I get the following QAUDJRN entries:
ZC for *JOBQ QBATCH
ZR for *PGM AUDJRNLOG
but nothing for
*JOBD  MYJOBD
*USRPRF ALLOBJUSR or PGMRA.
 
System value QAUDCTL includes *OBJAUD
and QAUDLVL has: *CREATE  *AUTFAIL *SECCFG  *SECVFY  *SAVRST  *OBJMGT  *ATNEVT  *DELETE  *SYSMGT  *SECRUN  *SECVLDL
 
Objective: I'm wanting to trap when PGMRA submits a job to run under ALLOBJUSR, but there are no ZR or ZC entries.
I have added *JOBDTA to QAUDLVL, and this does give me an entry I can use, but it also adds a LOT of other fluff that I really don't want.
 
Am I being unrealistic to expect a V7R2 system to at least "read" a *USRPRF when a job is being submitted?
 
PS: The SBMJOB test was done after signing on following CHGUSRAUD for PGMRA
<message edited by rclark4i on Monday, July 24, 2017 12:11 AM>
 
#1
    jsev

    Re:QAUDJRN entries for SBMJOB Monday, July 24, 2017 7:09 PM (permalink)
    You should check the security reference manual.  I'm not on v7r2 but one of the appendices is "Object operations and auditing".
     
    For *JOBDs, it mentions under operations not audited:
    "Batch job
    When used to establish a job"
     
    Although the *USRPRF object isn't mentioned in regards to submitting batch jobs, I would suspect it won't be audited given most of the RTV* type commands aren't audited.
     
    I'm not sure what you mean by "and also USRAUD to *ALL for both profiles: PGMRA and ALLOBJUSR" but I suspect it's issuing the CHGUSRAUD against the profiles and setting object auditing to *ALL.  That doesn't cause the profiles to be audited, it means that if auditing on an object is set to *USRPRF, it will check the auditing value in the user profile to determine if the action should be audited or not.
     
    I haven't tested this but I wonder if setting command auditing for the profiles may be better?  If you issue CHGUSRAUD AUDLVL(*CMD) that will audit commands issued by the user.  It might be more useful?
     
    #2
      rclark4i

      Re:QAUDJRN entries for SBMJOB Wednesday, July 26, 2017 9:59 PM (permalink)
      Jsev, thanks for this.
       
      "Object operations and auditing" - I have looked at that section, but it hasn't really helped me (but good for future ref).
      "*USRPRF object isn't mentioned in regards to submitting batch jobs" - No, but nor was a *JOBQ, but I am getting ZC entries for that. I was expecting that somewhere the *USRPRF would be "read" at the start of a job. Apparently not logged.
       
      "That doesn't cause the profiles to be audited" - understand and agree. Sorry I was a little too abbreviated. I meant I had both CHGUSRAUD to *ALL, and also CHGOBJAUD to *ALL for both *USRPRF objects. (leave no stone unturned)
       
      "command auditing for the profiles" - That's going to create a lot of extra QAUDJRN entries that I really don't want, but thanks for the suggestion.
       
      I'm thinking my best option is to put an "exit point" on the SBMJOB  *CMD via
      ADDEXITPGM EXITPNT(QIBM_QCA_CHG_COMMAND) FORMAT(CHGC0100) PGMNBR(1) PGM(MYLIB/MYPGM) PGMDTA(*JOB 10 SBMJOB)  (or similar) and check there to see if the job is being submitted to run under a different USRPRF.
      Will also look at the Job Notification QIBM_QWT_JOBNOTIFY exit point as well to see what that gives. (Though I suspect this will give a lot more invocations as it will include interactive and other jobs as well)
       
      Edit:
      I've also just discovered that if you
      CHGOBJAUD OBJ(SBMJOB) OBJTYPE(*CMD) OBJAUD(*ALL)
      Then instead of a ZR entry in QAUDJRN, you get a CD which includes the command string executed. This is just as useful as the ADDEXITPGM option.
      <message edited by rclark4i on Thursday, July 27, 2017 1:51 AM>
       
      #3
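The check described in post #3 (spotting a SBMJOB that will run under a different profile, using the command string a CD entry carries), as an added example that is not part of the thread. It assumes the entries have already been reduced to (submitting profile, command string) pairs, that parameters are given in keyword form, and that SBMJOB still has its shipped default of USER(*CURRENT); the function names and sample records are constructed.

```python
# Added example (not from the thread): classify SBMJOB command strings by
# the profile the submitted job will run under. Function names are hypothetical.

def top_level_params(cmd):
    """Map KEYWORD -> raw value for keyword parameters at paren depth 0."""
    params, i, n = {}, 0, len(cmd)
    while i < n:
        j = i
        while j < n and (cmd[j].isalnum() or cmd[j] in "_/"):
            j += 1
        if i < j < n and cmd[j] == "(":
            depth, k, quoted = 1, j + 1, False
            while k < n and depth:
                c = cmd[k]
                if c == "'":
                    quoted = not quoted  # a doubled '' toggles twice, no net change
                elif not quoted:
                    depth += (c == "(") - (c == ")")
                k += 1
            end = k - 1 if depth == 0 else k  # tolerate a truncated string
            params[cmd[i:j].upper()] = cmd[j + 1:end].strip()
            i = k
        else:
            i = max(j, i + 1)
    return params

def classify(submitter, cmd):
    """None if not SBMJOB, else 'same-user', 'check-jobd' or 'other-user:NAME'."""
    words = cmd.split(None, 1)
    if not words or words[0].upper().rsplit("/", 1)[-1] != "SBMJOB":
        return None
    # Assumption: no USER keyword means the shipped default, USER(*CURRENT).
    user = top_level_params(cmd).get("USER", "*CURRENT").upper()
    if user == "*JOBD":
        return "check-jobd"  # profile comes from the job description, not the string
    if user in ("*CURRENT", submitter.upper()):
        return "same-user"
    return "other-user:" + user

SAMPLE = [  # constructed (submitting profile, command string) pairs
    ("PGMRA", "SBMJOB CMD(CALL PGM(AUDJRNLOG)) JOB(AUDJRNSBM) JOBD(MYJOBD) USER(ALLOBJUSR)"),
    ("PGMRA", "QSYS/SBMJOB CMD(CALL PGM(X) PARM('USER(ALLOBJUSR)')) JOB(T1)"),
    ("PGMRA", "SBMJOB CMD(CALL PGM(X)) JOBD(MYJOBD) USER(*JOBD)"),
    ("PGMRA", "DSPJOB"),
]

def findings(records):
    hits = [(u, classify(u, c)) for u, c in records]
    return [(u, v) for u, v in hits if v not in (None, "same-user")]
```

The second sample record is the case a plain substring search for `USER(` gets wrong: the text sits inside a quoted PARM value nested in CMD(), so the job still runs as the submitter.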