Change Security Auditing (CHGSECAUD)

Where allowed to run: All environments (*ALL)
Threadsafe: No
Parameters
Examples
Error messages

The Change Security Auditing (CHGSECAUD) command allows you to change the current settings for the system values that control what is being audited on the system. If the security audit journal, QAUDJRN, does not exist when the command is issued, the security journal and its initial journal receiver are created by this command.

Restriction: You must have *ALLOBJ and *AUDIT special authorities to use this command.

Top

Parameters

Keyword Description Choices Notes
QAUDCTL QAUDCTL system value Single values: *SAME, *ALL, *NONE
Other values (up to 3 repetitions): *OBJAUD, *AUDLVL, *NOQTEMP
Optional
QAUDLVL Auditing values Single values: *SAME, *ALL, *DFTSET, *NONE
Other values (up to 115 repetitions): *ATNEVT, *AUTFAIL, *CREATE, *DELETE, *JOBDTA, *NETBAS, *NETCLU, *NETCMN, *NETFAIL, *NETSCK, *OBJMGT, *OFCSRV, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *SAVRST, *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECURITY, *SECVFY, *SECVLDL, *SERVICE, *SPLFDTA, *SYSMGT
Optional
INLJRNRCV Initial journal receiver Qualified object name Optional
Qualifier 1: Initial journal receiver Name, AUDRCV0001
Qualifier 2: Library Name, QGPL, *CURLIB
Top

QAUDCTL system value (QAUDCTL)

The setting for the system value QAUDCTL.

Single values

*SAME
The QAUDCTL system value does not change.
*ALL
The QAUDCTL system value is given the value of *AUDLVL, *OBJAUD, and *NOQTEMP.

Other values (up to 3 repetitions)

*NOTAVL
The user performing the command is not allowed to display the current auditing value. You cannot change the system value to not available (*NOTAVL).
*NONE
No security auditing is done on the system. This is the shipped value.
*OBJAUD
Actions against objects that have an object audit value other than *NONE will be audited. An object's audit value is set through the Change Audit (CHGAUD) command or the Change Object Audit (CHGOBJAUD) command.
*AUDLVL
The actions specified in the QAUDLVL and QAUDLVL2 system values will be logged to the security journal. Also actions specified by a user profile's action auditing values will be audited. A user profile's action auditing values are set through the AUDLVL parameter on the Change User Audit (CHGUSRAUD) command.
*NOQTEMP
No auditing of most objects in QTEMP is done. You must specify *NOQTEMP with either *OBJAUD or *AUDLVL. You can not specify *NOQTEMP by itself.

Note:

Top

Auditing values (QAUDLVL)

The settings used for the system values QAUDLVL and QAUDLVL2.

If 16 values or less are specified, then these values will be set in system value QAUDLVL.

If more than 16 values are specified, then 15 of the specified values are set in system value QAUDLVL along with the value *AUDLVL2. The remaining values are set in system value QAUDLVL2.

Single values

*SAME
The system values do not change.
*ALL
All values are selected (except the values that are automatically included. Example - *SECURITY includes *SECCFG so *SECCFG is not added to the system value).
*DFTSET
The system value is given the value of *AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST.
*NONE
No security action auditing will occur on the system. This is the shipped value.

Other values (up to 115 repetitions)

*ATNEVT
Attention events are audited. Attention events are conditions that require further evaluation to determine the condition's security significance. The following is an example:
  • Intrusion monitor events need to be examined to determine whether the condition is an intrusion or a false positive
*AUTFAIL
Authorization failures are audited. The following are some examples:
  • All access failures (sign-on, authorization, job submission)
  • Incorrect password or user ID entered from a device
*CREATE
All object creations are audited. Objects created into library QTEMP are not audited. The following are some examples:
  • Newly-created objects
  • Objects created to replace an existing object
*DELETE
All deletions of external objects on the system are audited. Objects deleted from library QTEMP are not audited.
*JOBDTA
Actions that affect a job are audited. The following are some examples:
  • Job start and stop data
  • Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
  • Changing a thread's active user profile or group profiles
*NETBAS
Network base functions are audited. The following are some examples:
  • IP rules actions
  • Sockets connections
  • APPN Directory search filter
  • APPN end point filter
*NETCLU
Cluster or cluster resource group operations are audited. The following are some examples:
  • Add, create, and delete
  • Distribution
  • End
  • Fail over
  • List information
  • Removal
  • Start
  • Switch
  • Update attributes
*NETCMN
Networking and communications functions are audited. The following are some examples:
  • Network base functions (See *NETBAS)
  • Cluster or cluster resource group operations (See *NETCLU)
  • Network failures (See *NETFAIL)
  • Sockets functions (See *NETSCK)

Note: *NETCMN is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *NETCMN. The following values make up *NETCMN.

  • *NETBAS
  • *NETCLU
  • *NETFAIL
  • *NETSCK
*NETFAIL
Network failures are audited. The following are some examples:
  • Socket port not available
*NETSCK
Sockets tasks are audited. The following are some examples:
  • Accept
  • Connect
  • DHCP address assigned
  • DHCP address not assigned
  • Filtered mail
  • Reject mail
*NOTAVL
The user performing the command is not allowed to display the current auditing value. You cannot change the system value to not available (*NOTAVL).
*OBJMGT
Generic object tasks are audited. The following are some examples:
  • Moves of objects
  • Renames of objects
*OFCSRV
OfficeVision are audited. The following are some examples:
  • Changes to the system distribution directory
  • Tasks involving electronic mail
*OPTICAL
All optical functions are audited. The following are some examples:
  • Add or remove optical cartridge
  • Change the authorization list used to secure an optical volume
  • Open optical file or directory
  • Create or delete optical directory
  • Change or retrieve optical directory attributes
  • Copy, move, or rename optical file
  • Copy optical directory
  • Back up optical volume
  • Initialize or rename optical volume
  • Convert backup optical volume to a primary volume
  • Save or release held optical file
  • Absolute read of an optical volume
*PGMADP
Adopting authority from a program owner is audited.
*PGMFAIL
Program failures are audited. The following are some examples:
  • Blocked instruction
  • Validation value failure
  • Domain violation
*PRTDTA
Printing functions are audited. The following are some examples:
  • Printing a spooled file
  • Printing with parameter SPOOL(*NO)
*SAVRST
Save and restore information is audited. The following are some examples:
  • When programs that adopt their owner's user profile are restored
  • When job descriptions that contain user names are restored
  • When ownership and authority information changes for objects that are restored
  • When the authority for user profiles is restored
  • When a system state program is restored
  • When a system command is restored
  • When an object is restored
*SECCFG
Security configuration is audited. The following are some examples:
  • Create, change, delete, and restore operations of user profiles
  • Changes to programs (CHGPGM) that will now adopt the owner's profile
  • Changes to system values, environment variables and network attributes
  • Changes to subsystem routing
  • When the QSECOFR password is reset to the shipped value from DST
  • When the password for the service tools security officer user ID is requested to be defaulted.
  • Changes to the auditing attribute of an object
*SECDIRSRV
Changes or updates when doing directory service functions are audited. The following are some examples:
  • Audit change
  • Successful bind
  • Authority change
  • Password change
  • Ownership change
  • Successful unbind
*SECIPC
Changes to interprocess communications are audited. The following are some examples:
  • Ownership or authority of an IPC object changed
  • Create, delete or get of an IPC object
  • Shared memory attach
*SECNAS
Network authentication service actions are audited. The following are some examples:
  • Service ticket valid
  • Service principals do not match
  • Client principals do not match
  • Ticket IP address mismatch
  • Decryption of the ticket failed
  • Decryption of the authenticator failed
  • Realm is not within client and local realms
  • Ticket is a replay attempt
  • Ticket not yet valid
  • Remote or local IP address mismatch
  • Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
  • KRB_AP_PRIV or KRB_AP_SAFE - timestamp error, replay error, sequence order error
  • GSS accept - expired credentials, checksum error, channel bindings
  • GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, sequence error
*SECRUN
Security run time functions are audited. The following are some examples:
  • Changes to object ownership
  • Changes to authorization list or object authority
  • Changes to the primary group of an object
*SECSCKD
Socket descriptors are audited. The following are some examples:
  • A socket descriptor was given to another job
  • Receive descriptor
  • Unable to use descriptor
*SECURITY
All security-related functions are audited.
  • Security configuration (See *SECCFG)
  • Changes or updates when doing directory service functions (See *SECDIRSRV)
  • Changes to interprocess communications (See *SECIPC)
  • Network authentication service actions (See *SECNAS)
  • Security run time functions (See *SECRUN)
  • Socket descriptor (See *SECSCKD)
  • Use of verification functions (See *SECVFY)
  • Changes to validation list objects (See *SECVLDL)

Note: *SECURITY is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *SECURITY. The following values make up *SECURITY.

  • *SECCFG
  • *SECDIRSRV
  • *SECIPC
  • *SECNAS
  • *SECRUN
  • *SECSCKD
  • *SECVFY
  • *SECVLDL
*SECVFY
Use of verification functions are audited. The following are some examples:
  • A target user profile was changed during a pass-through session
  • A profile handle was generated
  • All profile tokens were invalidated
  • Maximum number of profile tokens has been generated
  • A profile token has been generated
  • All profile tokens for a user have been removed
  • User profile authenticated
  • An office user started or ended work on behalf of another user
*SECVLDL
Changes to validation list objects are audited. The following are some examples:
  • Add, change, remove of a validation list entry
  • Find of a validation list entry
  • Successful and unsuccessful verify of a validation list entry
*SERVICE
For a list of all the service commands and API calls that are audited, see the iSeries Security Reference publication.
*SPLFDTA
Spooled file functions are audited. The following are some examples:
  • Create, delete, display, copy, hold, and release a spooled file
  • Get data from a spooled file (QSPGETSP)
  • Change spooled file attributes (CHGSPLFA command)
*SYSMGT
System management tasks are audited. The following are some examples:
  • Hierarchical file system registration
  • Changes for Operational Assistant functions
  • Changes to the system reply list
  • Changes to the DRDA relational database directory
  • Network file operations
Top

Initial journal receiver (INLJRNRCV)

The journal receiver that is created as the initial journal receiver when the security audit journal, QAUDJRN is created. This parameter is ignored if the security audit journal exists.

Qualifier 1: Initial journal receiver

AUDRCV0001
The default value for the initial journal receiver.
name
The name of the journal receiver being created.

Qualifier 2: Library

QGPL
The default library value for the initial journal receiver.
*CURLIB
The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
name
The library where the journal receiver is to be created.
Top

Examples

Example 1:

CHGSECAUD   QAUDCTL(*AUDLVL)  QAUDLVL(*DFTSET)

This command will activate system security auditing by ensuring the security journal exist, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL system value to the default set of values.

Example 2:

CHGSECAUD   QAUDCTL(*AUDLVL) +
            QAUDLVL(*AUTFAIL *CREATE *DELETE +
                    *JOBDTA  *NETBAS *NETFAIL +
                    *OBJMGT  *OPTICAL *PGMADP +
                    *PGMFAIL *PRTDTA *SAVRST +
                    *SECCFG  *SECDIRSRV *SECRUN +
                    *SERVICE *SPLFDTA *SYSMGT)

This command will activate system security auditing by ensuring the security journal exist, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL and QAUDLVL2 system values to the specified values. QAUDLVL system value will contain *AUDLVL2, *AUTFAIL, *CREATE, *DELETE, *JOBDTA, *NETBAS, *NETFAIL, *OBJMGT, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *SAVRST, *SECCFG, *SECDIRSRV, *SECRUN. QAUDLVL2 system value will contain *SERVICE, *SPLFDTA, *SYSMGT.

Top

Error messages

*ESCAPE Messages

CPFB304
User does not have required special authorities.
Top