Promevo view user email activity audit
3/24/2023

Security and Systems Management Newsletter for the IBM i

In this second installment of the series dealing with forensic analysis by using the QAUDJRN journal, the focus is on the forensic analysis of user activity. I discuss how to audit and report on various activities performed by a particular user, and I also show how to audit and report on security-related events caused by all users. As examples, I examine how to audit and report on every time QSECOFR changes a system value, and I also discuss how to audit and report on every occurrence in which any user deletes any object. I encourage you to review the previous article in this series ("Auditing CL Command Usage" from the Issue of the SecureMyi Security Newsletter), which discusses the basics of auditing and reporting from the system security audit journal QAUDJRN.

In order to begin reporting on security related activities, you must first configure your system to perform the auditing functions you need. The system values QAUDCTL and QAUDLVL must be set for your desired level of auditing, and the QAUDJRN journal must have been created on your system.

Every security-related event that occurs on your system is tied to a particular user. In this article, the focus is on reporting on the activities performed by a user. Usually, we want to report on the activities of our powerful users such as QSECOFR and system administrator users. Powerful IT users and other users with command-line access have the freedom to navigate the system outside of the constraints of a menu system that would otherwise confine their activities to those allowed by their menu options. Having said that, let me also say that you can audit and report on the activities of any user, regardless of the user's power or ability to navigate the system.

When you want to be able to audit and report on the activities of a particular user, you must first decide which events you're interested in collecting. If you don't care whether someone moves a spooled file report from one output queue to another, or if you don't care when a program adopts authority, it affects your choices when configuring auditing. If you want to be able to track each time a new library is created on the system or every time a file is deleted, it likewise affects your auditing configuration.

The events that can be audited are described by a combination of the allowable values for the system values QAUDLVL and QAUDLVL2, and the allowable values for the AUDLVL attribute of each user profile. If you decide that you want to audit and be able to report every time an object is created or deleted on the system, you add *CREATE and *DELETE to the system value QAUDLVL. If you want to know every time there's an authority failure on the system, you add *AUTFAIL to the QAUDLVL system value.
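
The two examples named in the introduction (QSECOFR changing a system value, and any user deleting an object), sketched as a CL program that sets the audit values and then prints the matching QAUDJRN entries. This is an added example, not code from the original article. It assumes QSYS/QAUDJRN already exists, that the job runs under a profile with *AUDIT special authority and authority to the journal, and that no other QAUDLVL values need to be preserved.

```cl
PGM
  /* Added example. Assumes QSYS/QAUDJRN already exists.             */

  /* CHGSYSVAL replaces the whole value list, so print the current   */
  /* settings first and carry over any values you still need.        */
  DSPSYSVAL SYSVAL(QAUDCTL) OUTPUT(*PRINT)
  DSPSYSVAL SYSVAL(QAUDLVL) OUTPUT(*PRINT)

  /* *AUDLVL turns on the events named in QAUDLVL and in each user   */
  /* profile's AUDLVL attribute.                                     */
  CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')

  /* System-wide events: authority failures, object creates and      */
  /* object deletes, for every user.                                 */
  CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *CREATE *DELETE')

  /* Per-user events for QSECOFR only. *SECURITY covers system value */
  /* changes, which are written to the journal as SV entries.        */
  CHGUSRAUD USRPRF(QSECOFR) AUDLVL(*SECURITY)

  /* Report 1: every system value change made by QSECOFR.            */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
         ENTTYP(SV) USRPRF(QSECOFR) OUTPUT(*PRINT)

  /* Report 2: every object deletion (DO entries) by any user.       */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
         ENTTYP(DO) OUTPUT(*PRINT)
ENDPGM
```

Only events that occur after the audit values are set appear in the reports; swapping ENTTYP(DO) for ENTTYP(CO) or ENTTYP(AF) reports object creates or authority failures instead.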