See who's browsing secret file records

Some users use AS/400 RUNQRY command to display top secret
information they are not allowed to display or print.

I looked in our system journals (QAUDJRN) and did not find any information!

How can I record users' activity when they browse the records of a file?

First of all, I believe it would make more sense to secure sensitive data so
it can't be viewed by unauthorized users. However, if you don't want to protect
your data from unauthorized use, you can have the system log who is using it.

Read Access journal entries can be generated and deposited in the
Security Audit Journal (QAUDJRN).

First you will need to turn on Security Auditing.

Read the IBM document on how to do this.

Once Security Auditing has been turned on you are ready to select objects
you want to log access for.

For example, to audit all access to a file named KENNETH/ALLGRPP, I need
to tell the system to record security events for this object.

The CHGOBJAUD command is used to do this.

CHGOBJAUD OBJ(KENNETH/ALLGRPP) OBJTYPE(*FILE) OBJAUD(*ALL)
tells the system to generate Security Audit Journal Entries for any access to this
object.

Now, let's say I use RUNQRY to read this file:

RUNQRY QRY(*NONE) QRYFILE((KENNETH/ALLGRPP))

Since auditing has been turned for this file, the system records this access
event as a journal entry in the QAUDJRN. I can review these Security Journal Audit
Entries. This is a command that will help you do this:

DSPAUDJRNE ENTTYP(ZC) FROMTIME(073107 131220)

The output from this command shows who read file KENNETH/ALLGRPP and
when they did:

                                         
                                         QUERY NAME . . . . . QSECZR                                    
                                         LIBRARY NAME . . . . QSYS                                      
                                         FILE         LIBRARY      MEMBER       FORMAT                  
                                         QASYZRJ4     QTEMP        QASYZRJ4     QASYZRJ4                
                                         DATE . . . . . . . . 07/31/07                                  
                                         TIME . . . . . . . . 13:28:48                                  
07/31/07  13:28:48                                                                         PAGE    1 

   
   User       Object     Library    Object   Job        Job        Job    Timestamp                     
   profile    name       name       type     name       user       number  

                             
ZR KEG        ALLGRPP    KENNETH    *FILE    KENNETH    KEG        000668 2007-07-31-13.22.09.954928

Good luck!

Dig Deeper on iSeries system and application security

Provide authorization in order for a user to start a subsystem within startup routine Look in the audit journal (QAUDJRN) on the AS/400 for an authority failure message with the name of the library as the object name. Use the information provided by the DSPAUDJRNE command to solve the problem.

Detecting copied files on the AS/400 using audit journals Want to know if a user has copied a file from the AS/400? Use QUADJRN and look at ZC and ZR to detect changes and reads of the files.

Who signed on to the production system? One Search400.com member writes, "I want to know who signs on to our production system during non-supported hours and report on this (for SOX reasons).Simply manually scanning through the History log is not enough any longer. How can I automate this and put it on the job scheduler?" Systems management expert RIch Belles offer some help.

How to check for invalid log-on attempts You don't want unauthorized people accessing your iSeries, so it's a good idea to monitor invalid log-on attempts. By doing so you can see who simply mistyped and who had no business trying to log in.

Check for invalid log-on attempts Is there a command I could use to check for invalid log-on attempts. I know I could use DSPLOG for MSGID CPF1393, but is there a way of passing info such as user, device and subsystem to an outfile to query later on?

List of who changed the system date One user writes, "Is there a way we can see the list of all the persons who changed the system date?" Systems management expert Dan Reusche was on hand to offer some advice.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our AS/400 experts

View all AS/400 questions and answers

See who's browsing secret file records

Expert Ken Graap explains to a reader how he can monitor users who view top secret information using the AS/400 RUNQRY command.

Dig Deeper on iSeries system and application security

Related Q&A from Ken Graap

Consolidation across multiple LPARs using BRMS

Options other than RCLSTG to enable file journaling?

Good strategies for iSeries backup

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchDataCenter

Refresh your data center cooling lexicon

Comparing Linux distributions: Red Hat vs. Ubuntu

Get eco-friendly with LEED data center certification

Dig Deeper on iSeries system and application security

Related Q&A from Ken Graap

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.