friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14ed2849c6
ibm-information-center/dist/eclipse/plugins/i5OS.ic.cl_5.4.0.1/chgsecaud.htm

646 lines
19 KiB
HTML
Raw Blame History

<!doctype html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head><META http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Change Security Auditing (CHGSECAUD)</title>
<link rel="stylesheet" type="text/css" href="../rzahg/ic.css">
</head>
<body bgcolor="white">
<script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<a name="CHGSECAUD.Top_Of_Page"></a>
<h2>Change Security Auditing (CHGSECAUD)</h2>
<table width="100%">
<tr>
<td valign="top" align="left"><b>Where allowed to run: </b>All environments (*ALL)<br>
<b>Threadsafe: </b>No
</td>
<td valign="top" align="right">
<a href="#CHGSECAUD.PARAMETERS.TABLE">Parameters</a><br>
<a href="#CHGSECAUD.COMMAND.EXAMPLES">Examples</a><br>
<a href="#CHGSECAUD.ERROR.MESSAGES">Error messages</a></td>
</tr>
</table>
<div> <a name="CHGSECAUD"></a>
<p>The Change Security Auditing (CHGSECAUD) command allows you to change the current settings for the system values that control what is being audited on the system. If the security audit journal, QAUDJRN, does not exist when the command is issued, the security journal and its initial journal receiver are created by this command.
</p>
<p><b>Restriction:</b> You must have *ALLOBJ and *AUDIT special authorities to use this command.
</p>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div>
<h3><a name="CHGSECAUD.PARAMETERS.TABLE">Parameters</a></h3>
<table border="1" cellpadding="4" cellspacing="0">
<!-- col1="10" col2="15" col3="30" col4="10" -->
<tr>
<th bgcolor="aqua" valign="bottom" align="left">Keyword</th>
<th bgcolor="aqua" valign="bottom" align="left">Description</th>
<th bgcolor="aqua" valign="bottom" align="left">Choices</th>
<th bgcolor="aqua" valign="bottom" align="left">Notes</th>
</tr>
<tr>
<td valign="top"><a href="#CHGSECAUD.QAUDCTL"><b>QAUDCTL</b></a></td>
<td valign="top">QAUDCTL system value</td>
<td valign="top">Single values: <b><u>*SAME</u></b>, *ALL, *NONE<br>Other values (up to 3 repetitions): *OBJAUD, *AUDLVL, *NOQTEMP</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top"><a href="#CHGSECAUD.QAUDLVL"><b>QAUDLVL</b></a></td>
<td valign="top">Auditing values</td>
<td valign="top">Single values: <b><u>*SAME</u></b>, *ALL, *DFTSET, *NONE<br>Other values (up to 115 repetitions): *ATNEVT, *AUTFAIL, *CREATE, *DELETE, *JOBDTA, *NETBAS, *NETCLU, *NETCMN, *NETFAIL, *NETSCK, *OBJMGT, *OFCSRV, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *SAVRST, *SECCFG, *SECDIRSRV, *SECIPC, *SECNAS, *SECRUN, *SECSCKD, *SECURITY, *SECVFY, *SECVLDL, *SERVICE, *SPLFDTA, *SYSMGT</td>
<td valign="top">Optional</td>
</tr>
<tr>
<td valign="top" rowspan="3"><a href="#CHGSECAUD.INLJRNRCV"><b>INLJRNRCV</b></a></td>
<td valign="top">Initial journal receiver</td>
<td valign="top"><i>Qualified object name</i></td>
<td valign="top" rowspan="3">Optional</td>
</tr>
<tr>
<td valign="top">Qualifier 1: Initial journal receiver</td>
<td valign="top"><i>Name</i>, <b><u>AUDRCV0001</u></b></td>
</tr><tr>
<td valign="top">Qualifier 2: Library</td>
<td valign="top"><i>Name</i>, <b><u>QGPL</u></b>, *CURLIB</td>
</tr></table>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
</div>
<div> <a name="CHGSECAUD.QAUDCTL"></a>
<h3>QAUDCTL system value (QAUDCTL)</h3>
<p>The setting for the system value QAUDCTL.
</p>
<p><b>Single values</b>
</p>
<dl>
<dt><b><u>*SAME</u></b></dt>
<dd>The QAUDCTL system value does not change.
</dd>
<dt><b>*ALL</b></dt>
<dd>The QAUDCTL system value is given the value of *AUDLVL, *OBJAUD, and *NOQTEMP.
</dd>
</dl>
<p><b>Other values (up to 3 repetitions)</b>
</p>
<dl>
<dt><b>*NOTAVL</b></dt>
<dd>The user performing the command is not allowed to display the current auditing value. You cannot change the system value to not available (*NOTAVL).
</dd>
<dt><b>*NONE</b></dt>
<dd>No security auditing is done on the system. This is the shipped value.
</dd>
<dt><b>*OBJAUD</b></dt>
<dd>Actions against objects that have an object audit value other than *NONE will be audited. An object's audit value is set through the Change Audit (CHGAUD) command or the Change Object Audit (CHGOBJAUD) command.
</dd>
<dt><b>*AUDLVL</b></dt>
<dd>The actions specified in the QAUDLVL and QAUDLVL2 system values will be logged to the security journal. Also actions specified by a user profile's action auditing values will be audited. A user profile's action auditing values are set through the AUDLVL parameter on the Change User Audit (CHGUSRAUD) command.
</dd>
<dt><b>*NOQTEMP</b></dt>
<dd>No auditing of most objects in QTEMP is done. You must specify *NOQTEMP with either *OBJAUD or *AUDLVL. You can not specify *NOQTEMP by itself.
</dd>
</dl>
<p><b>Note:</b>
</p>
<ul>
<li>The QAUDJRN journal must exist in library QSYS in order to change this system value to a value other than *NONE.
</li>
<li>The QAUDJRN journal cannot be deleted or moved from the QSYS library until this system value is changed to *NONE.
</li>
</ul>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHGSECAUD.QAUDLVL"></a>
<h3>Auditing values (QAUDLVL)</h3>
<p>The settings used for the system values QAUDLVL and QAUDLVL2.
</p>
<p>If 16 values or less are specified, then these values will be set in system value QAUDLVL.
</p>
<p>If more than 16 values are specified, then 15 of the specified values are set in system value QAUDLVL along with the value *AUDLVL2. The remaining values are set in system value QAUDLVL2.
</p>
<p><b>Single values</b>
</p>
<dl>
<dt><b><u>*SAME</u></b></dt>
<dd>The system values do not change.
</dd>
<dt><b>*ALL</b></dt>
<dd>All values are selected (except the values that are automatically included. Example - *SECURITY includes *SECCFG so *SECCFG is not added to the system value).
</dd>
<dt><b>*DFTSET</b></dt>
<dd>The system value is given the value of *AUTFAIL, *CREATE, *DELETE, *SECURITY, and *SAVRST.
</dd>
<dt><b>*NONE</b></dt>
<dd>No security action auditing will occur on the system. This is the shipped value.
</dd>
</dl>
<p><b>Other values (up to 115 repetitions)</b>
</p>
<dl>
<dt><b>*ATNEVT</b></dt>
<dd>Attention events are audited. Attention events are conditions that require further evaluation to determine the condition's security significance. The following is an example:
<ul>
<li>Intrusion monitor events need to be examined to determine whether the condition is an intrusion or a false positive
</li>
</ul>
</dd>
<dt><b>*AUTFAIL</b></dt>
<dd>Authorization failures are audited. The following are some examples:
<ul>
<li>All access failures (sign-on, authorization, job submission)
</li>
<li>Incorrect password or user ID entered from a device
</li>
</ul>
</dd>
<dt><b>*CREATE</b></dt>
<dd>All object creations are audited. Objects created into library QTEMP are not audited. The following are some examples:
<ul>
<li>Newly-created objects
</li>
<li>Objects created to replace an existing object
</li>
</ul>
</dd>
<dt><b>*DELETE</b></dt>
<dd>All deletions of external objects on the system are audited. Objects deleted from library QTEMP are not audited.
</dd>
<dt><b>*JOBDTA</b></dt>
<dd>Actions that affect a job are audited. The following are some examples:
<ul>
<li>Job start and stop data
</li>
<li>Hold, release, stop, continue, change, disconnect, end, end abnormal, PSR-attached to prestart job entries
</li>
<li>Changing a thread's active user profile or group profiles
</li>
</ul>
</dd>
<dt><b>*NETBAS</b></dt>
<dd>Network base functions are audited. The following are some examples:
<ul>
<li>IP rules actions
</li>
<li>Sockets connections
</li>
<li>APPN Directory search filter
</li>
<li>APPN end point filter
</li>
</ul>
</dd>
<dt><b>*NETCLU</b></dt>
<dd>Cluster or cluster resource group operations are audited. The following are some examples:
<ul>
<li>Add, create, and delete
</li>
<li>Distribution
</li>
<li>End
</li>
<li>Fail over
</li>
<li>List information
</li>
<li>Removal
</li>
<li>Start
</li>
<li>Switch
</li>
<li>Update attributes
</li>
</ul>
</dd>
<dt><b>*NETCMN</b></dt>
<dd>Networking and communications functions are audited. The following are some examples:
<ul>
<li>Network base functions (See *NETBAS)
</li>
<li>Cluster or cluster resource group operations (See *NETCLU)
</li>
<li>Network failures (See *NETFAIL)
</li>
<li>Sockets functions (See *NETSCK)
</li>
</ul>
<p><b>Note:</b> *NETCMN is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *NETCMN. The following values make up *NETCMN.
</p>
<ul>
<li>*NETBAS
</li>
<li>*NETCLU
</li>
<li>*NETFAIL
</li>
<li>*NETSCK
</li>
</ul>
</dd>
<dt><b>*NETFAIL</b></dt>
<dd>Network failures are audited. The following are some examples:
<ul>
<li>Socket port not available
</li>
</ul>
</dd>
<dt><b>*NETSCK</b></dt>
<dd>Sockets tasks are audited. The following are some examples:
<ul>
<li>Accept
</li>
<li>Connect
</li>
<li>DHCP address assigned
</li>
<li>DHCP address not assigned
</li>
<li>Filtered mail
</li>
<li>Reject mail
</li>
</ul>
</dd>
<dt><b>*NOTAVL</b></dt>
<dd>The user performing the command is not allowed to display the current auditing value. You cannot change the system value to not available (*NOTAVL).
</dd>
<dt><b>*OBJMGT</b></dt>
<dd>Generic object tasks are audited. The following are some examples:
<ul>
<li>Moves of objects
</li>
<li>Renames of objects
</li>
</ul>
</dd>
<dt><b>*OFCSRV</b></dt>
<dd>OfficeVision are audited. The following are some examples:
<ul>
<li>Changes to the system distribution directory
</li>
<li>Tasks involving electronic mail
</li>
</ul>
</dd>
<dt><b>*OPTICAL</b></dt>
<dd>All optical functions are audited. The following are some examples:
<ul>
<li>Add or remove optical cartridge
</li>
<li>Change the authorization list used to secure an optical volume
</li>
<li>Open optical file or directory
</li>
<li>Create or delete optical directory
</li>
<li>Change or retrieve optical directory attributes
</li>
<li>Copy, move, or rename optical file
</li>
<li>Copy optical directory
</li>
<li>Back up optical volume
</li>
<li>Initialize or rename optical volume
</li>
<li>Convert backup optical volume to a primary volume
</li>
<li>Save or release held optical file
</li>
<li>Absolute read of an optical volume
</li>
</ul>
</dd>
<dt><b>*PGMADP</b></dt>
<dd>Adopting authority from a program owner is audited.
</dd>
<dt><b>*PGMFAIL</b></dt>
<dd>Program failures are audited. The following are some examples:
<ul>
<li>Blocked instruction
</li>
<li>Validation value failure
</li>
<li>Domain violation
</li>
</ul>
</dd>
<dt><b>*PRTDTA</b></dt>
<dd>Printing functions are audited. The following are some examples:
<ul>
<li>Printing a spooled file
</li>
<li>Printing with parameter SPOOL(*NO)
</li>
</ul>
</dd>
<dt><b>*SAVRST</b></dt>
<dd>Save and restore information is audited. The following are some examples:
<ul>
<li>When programs that adopt their owner's user profile are restored
</li>
<li>When job descriptions that contain user names are restored
</li>
<li>When ownership and authority information changes for objects that are restored
</li>
<li>When the authority for user profiles is restored
</li>
<li>When a system state program is restored
</li>
<li>When a system command is restored
</li>
<li>When an object is restored
</li>
</ul>
</dd>
<dt><b>*SECCFG</b></dt>
<dd>Security configuration is audited. The following are some examples:
<ul>
<li>Create, change, delete, and restore operations of user profiles
</li>
<li>Changes to programs (CHGPGM) that will now adopt the owner's profile
</li>
<li>Changes to system values, environment variables and network attributes
</li>
<li>Changes to subsystem routing
</li>
<li>When the QSECOFR password is reset to the shipped value from DST
</li>
<li>When the password for the service tools security officer user ID is requested to be defaulted.
</li>
<li>Changes to the auditing attribute of an object
</li>
</ul>
</dd>
<dt><b>*SECDIRSRV</b></dt>
<dd>Changes or updates when doing directory service functions are audited. The following are some examples:
<ul>
<li>Audit change
</li>
<li>Successful bind
</li>
<li>Authority change
</li>
<li>Password change
</li>
<li>Ownership change
</li>
<li>Successful unbind
</li>
</ul>
</dd>
<dt><b>*SECIPC</b></dt>
<dd>Changes to interprocess communications are audited. The following are some examples:
<ul>
<li>Ownership or authority of an IPC object changed
</li>
<li>Create, delete or get of an IPC object
</li>
<li>Shared memory attach
</li>
</ul>
</dd>
<dt><b>*SECNAS</b></dt>
<dd>Network authentication service actions are audited. The following are some examples:
<ul>
<li>Service ticket valid
</li>
<li>Service principals do not match
</li>
<li>Client principals do not match
</li>
<li>Ticket IP address mismatch
</li>
<li>Decryption of the ticket failed
</li>
<li>Decryption of the authenticator failed
</li>
<li>Realm is not within client and local realms
</li>
<li>Ticket is a replay attempt
</li>
<li>Ticket not yet valid
</li>
<li>Remote or local IP address mismatch
</li>
<li>Decrypt of KRB_AP_PRIV or KRB_AP_SAFE checksum error
</li>
<li>KRB_AP_PRIV or KRB_AP_SAFE - timestamp error, replay error, sequence order error
</li>
<li>GSS accept - expired credentials, checksum error, channel bindings
</li>
<li>GSS unwrap or GSS verify - expired context, decrypt/decode, checksum error, sequence error
</li>
</ul>
</dd>
<dt><b>*SECRUN</b></dt>
<dd>Security run time functions are audited. The following are some examples:
<ul>
<li>Changes to object ownership
</li>
<li>Changes to authorization list or object authority
</li>
<li>Changes to the primary group of an object
</li>
</ul>
</dd>
<dt><b>*SECSCKD</b></dt>
<dd>Socket descriptors are audited. The following are some examples:
<ul>
<li>A socket descriptor was given to another job
</li>
<li>Receive descriptor
</li>
<li>Unable to use descriptor
</li>
</ul>
</dd>
<dt><b>*SECURITY</b></dt>
<dd>All security-related functions are audited.
<ul>
<li>Security configuration (See *SECCFG)
</li>
<li>Changes or updates when doing directory service functions (See *SECDIRSRV)
</li>
<li>Changes to interprocess communications (See *SECIPC)
</li>
<li>Network authentication service actions (See *SECNAS)
</li>
<li>Security run time functions (See *SECRUN)
</li>
<li>Socket descriptor (See *SECSCKD)
</li>
<li>Use of verification functions (See *SECVFY)
</li>
<li>Changes to validation list objects (See *SECVLDL)
</li>
</ul>
<p><b>Note:</b> *SECURITY is composed of several values to allow you to better customize your auditing. If you specify all of the values, you will get the same auditing as if you specified *SECURITY. The following values make up *SECURITY.
</p>
<ul>
<li>*SECCFG
</li>
<li>*SECDIRSRV
</li>
<li>*SECIPC
</li>
<li>*SECNAS
</li>
<li>*SECRUN
</li>
<li>*SECSCKD
</li>
<li>*SECVFY
</li>
<li>*SECVLDL
</li>
</ul>
</dd>
<dt><b>*SECVFY</b></dt>
<dd>Use of verification functions are audited. The following are some examples:
<ul>
<li>A target user profile was changed during a pass-through session
</li>
<li>A profile handle was generated
</li>
<li>All profile tokens were invalidated
</li>
<li>Maximum number of profile tokens has been generated
</li>
<li>A profile token has been generated
</li>
<li>All profile tokens for a user have been removed
</li>
<li>User profile authenticated
</li>
<li>An office user started or ended work on behalf of another user
</li>
</ul>
</dd>
<dt><b>*SECVLDL</b></dt>
<dd>Changes to validation list objects are audited. The following are some examples:
<ul>
<li>Add, change, remove of a validation list entry
</li>
<li>Find of a validation list entry
</li>
<li>Successful and unsuccessful verify of a validation list entry
</li>
</ul>
</dd>
<dt><b>*SERVICE</b></dt>
<dd>For a list of all the service commands and API calls that are audited, see the iSeries Security Reference publication.
</dd>
<dt><b>*SPLFDTA</b></dt>
<dd>Spooled file functions are audited. The following are some examples:
<ul>
<li>Create, delete, display, copy, hold, and release a spooled file
</li>
<li>Get data from a spooled file (QSPGETSP)
</li>
<li>Change spooled file attributes (CHGSPLFA command)
</li>
</ul>
</dd>
<dt><b>*SYSMGT</b></dt>
<dd>System management tasks are audited. The following are some examples:
<ul>
<li>Hierarchical file system registration
</li>
<li>Changes for Operational Assistant functions
</li>
<li>Changes to the system reply list
</li>
<li>Changes to the DRDA relational database directory
</li>
<li>Network file operations
</li>
</ul>
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
<div> <a name="CHGSECAUD.INLJRNRCV"></a>
<h3>Initial journal receiver (INLJRNRCV)</h3>
<p>The journal receiver that is created as the initial journal receiver when the security audit journal, QAUDJRN is created. This parameter is ignored if the security audit journal exists.
</p>
<p><b>Qualifier 1: Initial journal receiver</b>
</p>
<dl>
<dt><b><u>AUDRCV0001</u></b></dt>
<dd>The default value for the initial journal receiver.
</dd>
<dt><b><i>name</i></b></dt>
<dd>The name of the journal receiver being created.
</dd>
</dl>
<p><b>Qualifier 2: Library</b>
</p>
<dl>
<dt><b><u>QGPL</u></b></dt>
<dd>The default library value for the initial journal receiver.
</dd>
<dt><b>*CURLIB</b></dt>
<dd>The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
</dd>
<dt><b><i>name</i></b></dt>
<dd>The library where the journal receiver is to be created.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div><h3><a name="CHGSECAUD.COMMAND.EXAMPLES">Examples</a> </h3>
<h5>Example 1:</h5>
<p>
<pre>
CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*DFTSET)
</pre>
</p>
<p>This command will activate system security auditing by ensuring the security journal exist, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL system value to the default set of values.
</p>
<h5>Example 2:</h5>
<p>
<pre>
CHGSECAUD QAUDCTL(*AUDLVL) +
QAUDLVL(*AUTFAIL *CREATE *DELETE +
*JOBDTA *NETBAS *NETFAIL +
*OBJMGT *OPTICAL *PGMADP +
*PGMFAIL *PRTDTA *SAVRST +
*SECCFG *SECDIRSRV *SECRUN +
*SERVICE *SPLFDTA *SYSMGT)
</pre>
</p>
<p>This command will activate system security auditing by ensuring the security journal exist, setting the QAUDCTL system value to *AUDLVL, and setting the QAUDLVL and QAUDLVL2 system values to the specified values. QAUDLVL system value will contain *AUDLVL2, *AUTFAIL, *CREATE, *DELETE, *JOBDTA, *NETBAS, *NETFAIL, *OBJMGT, *OPTICAL, *PGMADP, *PGMFAIL, *PRTDTA, *SAVRST, *SECCFG, *SECDIRSRV, *SECRUN. QAUDLVL2 system value will contain *SERVICE, *SPLFDTA, *SYSMGT.
</p>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
<hr size="2" width="100%">
<div><h3><a name="CHGSECAUD.ERROR.MESSAGES">Error messages</a> </h3>
<p><b><u>*ESCAPE Messages</u></b>
</p>
<dl>
<dt><b>CPFB304</b></dt>
<dd>User does not have required special authorities.
</dd>
</dl>
</div>
<table width="100%">
<tr><td align="right"><a href="#CHGSECAUD.Top_Of_Page">Top</a></td></tr>
</table>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink