Manage Learn to apply best practices and optimize your operations.

Audit journal monitoring of *ALLOBJ profiles

System i security expert Carol Woodbury discusses why QHST is not a reliable source for *ALLOBJ profile monitoring, and explains why the i5/OS audit journal should be used instead.

I've been trying to monitor profiles with *ALLOBJ or above authority using QHST, because QSECOFR has the authority to delete audit logs. Are there any queries or easy methods to audit *ALLOBJ or above profiles besides manually going into QHST daily and searching the spooled report to find users who I know have *ALLOBJ access? This method is not showing accurate information consistently.
QHST is not a reliable source. It can be deleted or cleared. The only reliable source of this type of information is the i5/OS audit journal. While entire receivers can be deleted, individual entries cannot. Even if QSECOFR was to delete an entire receiver, they are in sequence so you could tell if a receiver was missing and go look for the corresponding audit journal entry that documents the deletion.

Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.