Audit the Security Officer's actions

A security officer or security administrator is responsible for the security on a system. A security officer has *ALLOBJ and *SECADM special authority.

You might want to keep a record of all actions performed by users with *ALLOBJ and *SECADM special authority. You can use the action auditing value in the user profile to perform this task:
  1. For each user with *ALLOBJ and *SECADM special authority, use the CHGUSRAUD command to set the AUDLVL to have all values that are not included in the QAUDLVL or QAUDLVL2 system values on your system. For example, if the QAUDLVL system value is set to *AUTFAIL, *PGMFAIL, *PRTDTA, and *SECURITY, use this command to set the AUDLVL for a security officer user profile:
    CHGUSRAUD USER(SECUSER) +
              AUDLVL(*CMD *CREATE *DELETE +
                     *OBJMGT *OFCSRV *PGMADP +
                     *SAVRST *SERVICE +
                     *SPLFDTA *SYSMGT)
  2. Remove the *AUDIT special authority from user profiles with *ALLOBJ and *SECADM special authority. This prevents these users from changing the auditing characteristics of their own profiles.
    Note: You cannot remove special authorities from the QSECOFR profile. Therefore, you cannot prevent a user signed on as QSECOFR from changing the auditing characteristics of that profile. However, if a user signed on as QSECOFR uses the CHGUSRAUD command to change auditing characteristics, an AD (auditing change) entry is written to the audit journal.

    Recommendation: Security officers (users with *ALLOBJ or *SECADM special authority) should use their own profiles for better auditing. The password for the QSECOFR profile should not be distributed.

  3. Make sure the QAUDCTL system value includes *AUDLVL.
  4. Use the DSPJRN command to review the entries in the audit journal.
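The four steps above as one CL program, added here as an example and not taken from the iSeries documentation. It assumes a hypothetical profile passed in &USER that currently holds *ALLOBJ, *SECADM, *JOBCTL and *AUDIT (the SPCAUT list is an assumption), that QAUDLVL is set as in the example above, and that RTVSYSVAL returns QAUDCTL as up to five 10-character values.

```cl
/* Added example, not IBM's own code. &USER is a hypothetical security-  */
/* officer profile assumed to hold *ALLOBJ *SECADM *JOBCTL *AUDIT.       */
             PGM        PARM(&USER)
             DCL        VAR(&USER)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&AUDCTL) TYPE(*CHAR) LEN(50)
             DCL        VAR(&IDX)    TYPE(*INT)
             DCL        VAR(&FOUND)  TYPE(*LGL)  VALUE('0')

 /* Step 1: audit the actions that QAUDLVL (*AUTFAIL *PGMFAIL *PRTDTA   */
 /* *SECURITY in the text's example) does not already cover.            */
             CHGUSRAUD  USER(&USER) +
                        AUDLVL(*CMD *CREATE *DELETE *OBJMGT *OFCSRV +
                               *PGMADP *SAVRST *SERVICE *SPLFDTA +
                               *SYSMGT)

 /* Step 2: drop *AUDIT so the officer cannot alter their own auditing.  */
 /* SPCAUT replaces the whole list, so every special authority the       */
 /* profile should keep must be repeated here (assumed list).            */
             CHGUSRPRF  USRPRF(&USER) SPCAUT(*ALLOBJ *SECADM *JOBCTL)

 /* Step 3: confirm QAUDCTL includes *AUDLVL; without it the AUDLVL set  */
 /* above produces no journal entries. Values are 10 characters each.    */
             RTVSYSVAL  SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
             CHGVAR     VAR(&IDX) VALUE(1)
             DOWHILE    COND(&IDX *LE 41)
                 IF     COND(%SST(&AUDCTL &IDX 10) *EQ '*AUDLVL') +
                        THEN(CHGVAR VAR(&FOUND) VALUE('1'))
                 CHGVAR VAR(&IDX) VALUE(&IDX + 10)
             ENDDO
             IF         COND(*NOT &FOUND) +
                        THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('QAUDCTL does not include *AUDLVL; +
                             action auditing is inactive') +
                             MSGTYPE(*ESCAPE))

 /* Step 4: review the journal. AD entries (journal code T) are the ones  */
 /* a CHGUSRAUD issued under QSECOFR leaves behind, per the note above.   */
             DSPJRN     JRN(QSYS/QAUDJRN) JRNCDE((T)) ENTTYP(AD) +
                        OUTPUT(*PRINT)
             ENDPGM
```

Run it once per security-officer profile; the escape message at step 3 stops the program before the review listing when QAUDCTL is misconfigured, which is the case worth catching.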

For more information, see "Analyzing Audit Journal Entries with Query or a Program" in the iSeries™ Security Reference.
