
See who's browsing secret file records

Expert Ken Graap explains to a reader how he can monitor users who view top secret information using the AS/400 RUNQRY command.

Some users use the AS/400 RUNQRY command to display top secret
information they are not allowed to display or print.

I looked in our system journals (QAUDJRN) and did not find any information!

How can I record users' activity when they browse the records of a file?

First of all, I believe it would make more sense to secure sensitive data so
it can't be viewed by unauthorized users. However, if you don't want to protect
your data from unauthorized use, you can have the system log who is using it.

Read Access journal entries can be generated and deposited in the
Security Audit Journal (QAUDJRN).

First you will need to turn on Security Auditing.

Read the IBM document on how to do this.

Once Security Auditing has been turned on you are ready to select objects
you want to log access for.

For example, to audit all access to a file named KENNETH/ALLGRPP, I need
to tell the system to record security events for this object.

The CHGOBJAUD command is used to do this.

CHGOBJAUD OBJ(KENNETH/ALLGRPP) OBJTYPE(*FILE) OBJAUD(*ALL)
tells the system to generate Security Audit Journal Entries for any access to this
object.

Now, let's say I use RUNQRY to read this file:

RUNQRY QRY(*NONE) QRYFILE((KENNETH/ALLGRPP))

Since auditing has been turned on for this file, the system records this access
event as a journal entry in the QAUDJRN. I can review these Security Audit Journal
entries. This is a command that will help you do this:

DSPAUDJRNE ENTTYP(ZR) FROMTIME(073107 131220)

The output from this command shows who read file KENNETH/ALLGRPP and
when they did:

QUERY NAME . . . . . QSECZR
LIBRARY NAME . . . . QSYS
FILE         LIBRARY      MEMBER       FORMAT
QASYZRJ4     QTEMP        QASYZRJ4     QASYZRJ4
DATE . . . . . . . . 07/31/07
TIME . . . . . . . . 13:28:48
07/31/07  13:28:48                                                    PAGE    1

   User       Object     Library    Object   Job        Job        Job    Timestamp
   profile    name       name       type     name       user       number

ZR KEG        ALLGRPP    KENNETH    *FILE    KENNETH    KEG        000668 2007-07-31-13.22.09.954928


Good luck!
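As an added example (not part of the expert's answer), the following Python parses ZR (object read) lines in the layout of the DSPAUDJRNE report above and flags reads of a sensitive file by any user profile outside an expected set. The report lines other than the first, the PAYROLL file and the user JDOE are constructed sample data; the "allowed readers" mapping is an assumption about what you would maintain locally.

```python
from datetime import datetime

# Constructed sample in the layout of the DSPAUDJRNE ENTTYP(ZR) report:
# entry type, user profile, object, library, object type, job name,
# job user, job number, journal timestamp. Only the first line is from the
# page; the other lines (JDOE, PAYROLL, the ZC entry) are made up.
SAMPLE_REPORT = """\
ZR KEG        ALLGRPP    KENNETH    *FILE    KENNETH    KEG        000668 2007-07-31-13.22.09.954928
ZR JDOE       ALLGRPP    KENNETH    *FILE    QPADEV0003 JDOE       000701 2007-07-31-13.40.02.112233
ZR KEG        PAYROLL    KENNETH    *FILE    KENNETH    KEG        000668 2007-07-31-13.41.55.000001
ZC KEG        ALLGRPP    KENNETH    *FILE    KENNETH    KEG        000668 2007-07-31-13.45.00.000000
"""

FIELDS = ("entry_type", "user", "object", "library", "obj_type",
          "job_name", "job_user", "job_number", "timestamp")


def parse_zr_entries(report):
    """Return the ZR (object read) entries as dicts.

    Header lines and other entry types (e.g. ZC, object change) are skipped.
    The journal timestamp is parsed from YYYY-MM-DD-HH.MM.SS.ffffff.
    """
    entries = []
    for line in report.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "ZR":
            continue
        rec = dict(zip(FIELDS, parts))
        rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d-%H.%M.%S.%f")
        entries.append(rec)
    return entries


def unexpected_reads(report, allowed):
    """Flag reads of audited files by users outside the expected set.

    `allowed` maps "LIBRARY/OBJECT" to the set of user profiles expected to
    read that file (an assumed, locally maintained list). Files not listed
    are not checked. Returns (user, library/object, timestamp) tuples.
    """
    hits = []
    for rec in parse_zr_entries(report):
        key = f"{rec['library']}/{rec['object']}"
        if key in allowed and rec["user"] not in allowed[key]:
            hits.append((rec["user"], key, rec["timestamp"]))
    return hits


if __name__ == "__main__":
    for user, obj, when in unexpected_reads(SAMPLE_REPORT, {"KENNETH/ALLGRPP": {"KEG"}}):
        print(f"{when.isoformat()} {user} read {obj}")
```

In practice the report text would come from DSPAUDJRNE output (or the QASYZRJ4 outfile), and the expected-reader list from whoever owns the data.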

This was last published in August 2007
