Auditing Password Changes..


Silenus paparias

Apr 21, 2010, 6:20:57 AM
Hello.

I want to audit if ANY of my users changes his password and when.

I have already taken the following steps.

The information from the command DSPSECAUD is:


Security Auditing Journal Values

Security journal QAUDJRN exists . . . . . : YES

Journal receiver attached to QAUDJRN . . : AUDRCV0001
Library . . . . . . . . . . . . . . . . : SECURITY

Security Auditing System Values

Current QAUDCTL system value . . . . . . : *AUDLVL

Current QAUDLVL system value . . . . . . : *SECURITY


I have changed my password many times (I am QSECOFR) to check if auditing
works, but I don't see any entry in the journal.

DSPAUDJRNE gives the following information.

Position to line . . . . .
Shift to column . . . . . .
Line ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+...10....+...11....+...12....
ENTRY USER USRPRF USRPRF PASSWORD PASSWORD *ALLOBJ *JOBCTL *SAVSYS *SECADM *SPLCTL *SERVICE *AUDIT *IOSYCFG GRO
TYPE PROFILE NAME COMMAND CHANGED EXPIRED SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT PRO
****** ******** End of report ********


Can someone tell me why I don't see any entry in the journal?

Thanks.

CRPence

Apr 21, 2010, 10:34:47 AM
Silenus paparias wrote:
>
> I want to audit if ANY of my users changes his password and when.
>
> I have already taken the following steps.
>
> Information for the command DSPSECAUD are:
>
> Security Auditing Journal Values
> Security journal QAUDJRN exists . . . . . : YES
> Journal receiver attached to QAUDJRN . . : AUDRCV0001
> Library . . . . . . . . . . . . . . . . : SECURITY
> Security Auditing System Values
> Current QAUDCTL system value . . . . . . : *AUDLVL
> Current QAUDLVL system value . . . . . . : *SECURITY
>
> I have changed my password many times (I am QSECOFR) to check
> if auditing works, but I don't see any entry in the journal.
>
> DSPAUDJRNE gives the following information.
>
> <<SNIP empty report>>
>
> Can someone tell me why I don't see any entry in the journal?
>

The DSPAUDJRNE defaults to present only T-AF entries. Prompt the
command with PF4 or type ?DSPAUDJRNE on the command line and press
Enter to see the parameters which allow for selection of which audit
entries the report should include. I believe you will want an
invocation such as:

DSPAUDJRNE ENTTYP(CP) USRPRF(*ALL) JRNRCV(*CURCHAIN) OUTPUT(*)

Regards, Chuck

trans am kid

Apr 21, 2010, 1:55:27 PM
Much easier simply to turn on that passwords will expire and set your
rules for such and then they have to change them.

chris

Silenus paparias

Apr 22, 2010, 1:49:26 AM
Hello.

I have used the cmd

DSPAUDJRNE ENTTYP(CP) USRPRF(*ALL) JRNRCV(Security/audrcv0001) OUTPUT(*)

to display the journal, which is, as I mentioned above, empty.

If I use the parameter *CURCHAIN, the cmd works and works ... it goes into a
loop.

Any suggestions?


Silenus paparias

Apr 22, 2010, 5:33:40 AM
Update:

Seems to work if a password is set to expired and the user changes the
password:

Position to line . . . . .
Shift to column . . . . . .
Line ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+...10....+...11....+...12....
ENTRY USER USRPRF USRPRF PASSWORD PASSWORD *ALLOBJ *JOBCTL *SAVSYS *SECADM *SPLCTL *SERVICE *AUDIT *IOSYCFG GRO
TYPE PROFILE NAME COMMAND CHANGED EXPIRED SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT SPCAUT PRO

000001 CP A DEP899 DEP899 CHG Y

****** ******** End of report ********


But I don't see the information that I want, e.g.

I also need the DATE and TIME at which the password was
changed.

Any comments?

Thanks.

CRPence

Apr 22, 2010, 11:19:28 AM
Silenus paparias wrote:
>
> I have used the cmd DSPAUDJRNE ENTTYP(CP) USRPRF(*ALL)
> JRNRCV(Security/audrcv0001) OUTPUT(*)
>
> to display the journal, which is, as I mentioned above, empty.
>
> If I use the parameter *CURCHAIN, the cmd works and works ...
> it goes into a loop.
>
> Any suggestions?
>

Search for a PTF for the LOOP symptom for either of DSPAUDJRNE or
DSPJRN when using the *CURCHAIN special value on the JRNRCV or
RCVRNG parameters, respectively. Or perhaps upgrade to a supported
release :-) Sorry... but I am not going to be of much help there.

Personally, I would just use the DSPJRN. As I noted, the
DSPAUDJRNE command is deprecated in newer releases, so I would see
no benefits in trying to make it functional nor to become proficient
with it.

Regards, Chuck

CRPence

Apr 22, 2010, 11:34:43 AM
Silenus paparias wrote:
> Update:
>
> Seems to work if a password is set to expired and the user changes
> the password:

I noticed that someone suggested in another reply, that T-PW is
the entry to review. I had not posted any addendum to my prior
messages, because I thought I had made it clear that DSPJRN would
assist; i.e. I figured by review of the entries in DSPJRN, the T-PW
would have been found.

Per above, Jonathon Ball wrote in another message:
>> ... entries of code T, types CP, PW and SO and write them to
>> database files. The files are copies of the IBM supplied files
>> QASYCPJE, QASYPWJE and QASYSOJE, respectively.


> <<SNIP T-CP DSPAUDJRNE displayed report>>
>
> But I don't see the information that I want, e.g.
>
> I also need the DATE and TIME at which the password was
> changed.
>
> Any comments?
>

Again, I redirect to DSPJRN. That feature will show the
date\time of the entry. The OUTPUT(*OUTFILE) may also include that
information against which a customized report can be created rather
than using the OS-provided report via DSPAUDJRNE.

However, by review of DSPFFD QASYPWJE I see there are PWDATE &
PWTIME which may be included in the *QRYDFN object in QSYS which
implements the OUTPUT() feature of DSPAUDJRNE; that report
definition might include those columns in the report. Of course I
would have expected the CPDATE & CPTIME columns to appear in the
T-CP report, but the quoted text [that was snipped] showing the
report seemed not to have included them. FWiW you could use WRKQRY
[if the 57xxQU1 product is installed] to update the report to
include those columns in the report; although I recommend to make a
backup copy before making changes.

Regards, Chuck
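
The DSPJRN OUTPUT(*OUTFILE) route described in the replies above, written out as an added example that is not part of the thread: it extracts the T-CP entries from the attached QAUDJRN receiver into a copy of the IBM-supplied QASYCPJE file, so that the date and time fields named above (CPDATE, CPTIME) arrive as columns. The work file name QTEMP/CPAUDIT is hypothetical, and pairing QASYCPJE with OUTFILFMT(*TYPE2) is an assumption to verify on your release.

```cl
/* Added example, not from the thread.                                */
/* QTEMP/CPAUDIT is a hypothetical work file name. Pairing the model  */
/* file QASYCPJE with OUTFILFMT(*TYPE2) is an assumption.             */
PGM
  /* Remove any earlier copy of the work file; ignore "not found".    */
  DLTF       FILE(QTEMP/CPAUDIT)
  MONMSG     MSGID(CPF2105)

  /* Duplicate the IBM-supplied model outfile for T-CP entries so the */
  /* entry-specific data lands in named columns (CPDATE, CPTIME, ...) */
  /* instead of one unformatted entry-data field.                     */
  CRTDUPOBJ  OBJ(QASYCPJE) FROMLIB(QSYS) OBJTYPE(*FILE) +
               TOLIB(QTEMP) NEWOBJ(CPAUDIT)

  /* Extract only journal code T, entry type CP. RCVRNG(*CURRENT)     */
  /* reads just the attached receiver; *CURCHAIN is the value that    */
  /* was reported in this thread as looping.                          */
  DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURRENT) JRNCDE((T)) +
               ENTTYP(CP) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE2) +
               OUTFILE(QTEMP/CPAUDIT)

  /* Show every column of the extracted entries, date and time        */
  /* included; no stored query definition is needed for this.         */
  RUNQRY     QRYFILE((QTEMP/CPAUDIT))
ENDPGM
```

Because only the attached receiver is read, entries written before the last receiver change are not included; widen RCVRNG once the *CURCHAIN loop has been resolved.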
