Some folders were deleted and we are trying to find out who deleted them. We used the following:
DSPJRN JRN(QAUDJRN) FROMTIME(103002) ENTTYP(DO) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE1) OUTFILE(QTEMP/TYPE1) ENTDTALEN(*CALC)
By browsing the output file QTEMP/TYPE1 we can see the entry that shows the deleted folder and the documents that were in that folder. The job on the journal entry is identified as "nnnnnn/QUSER/QZLSFILE".
We can go to that job and see what user is being served by that job, but only if the job is active or if the joblog spooled file is still on the system. We normally delete joblog spooled files after a week. We intend to keep the QAUDJRN entries for a year (backed up to tape).
Now to my question... Is there a way to tie the QAUD journal entry for the NetServer job (QZLSFILE) to a specific user without having the QZLSFILE job joblog? If there is no way to do it, this would be a real security hole in the system. As a system administrator I have *ALLOBJ access. I could map my network drive to a folder with sensitive data, delete it, turn off my PC, delete the relevant QZLSFILE joblog and nobody could ever find what I did. Please tell me it's not true.
You are right. If you couldn't tell the user actually doing the delete, that would be a tremendous hole in the system. Fortunately, that's not the case.
I suggest that you create a duplicate object of the model file for the DO entries. That is, CRTDUPOBJ QASYDOJ4. Then do your DSPJRN command. Also, you'll want to use *TYPE4 (QASYDOJ4 is a *TYPE4 file). Not sure what information *TYPE1 gets you, but perhaps that's part of the problem. Using the *TYPE4 model outfile, you should be able to see all of the data items for DO (deleted object) audit entries. As you have discovered, the job user remains QUSER because that's the user the server started up under. You're looking for the user profile name field in the header of the audit entry.
The layout of the model outfile for QASYDOJ4 is documented in Appendix F of the iSeries Security Reference manual.
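The steps suggested in the answer, written out as complete CL commands. This is an added example, not part of the original answer: the outfile name DOAUDIT is hypothetical, the FROMTIME value is the one from the question, and the header field name DOUSPF is assumed from the model file's DO prefix convention and should be confirmed in the DSPFFD output.

```cl
/* 1. Copy the *TYPE4 model outfile for DO (delete object) entries     */
/*    from QSYS. DOAUDIT is a hypothetical name for the copy.          */
CRTDUPOBJ OBJ(QASYDOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) +
          TOLIB(QTEMP) NEWOBJ(DOAUDIT)

/* 2. Extract the DO entries into that copy, using *TYPE4 so the       */
/*    entry header and entry-specific data land in named fields.       */
/*    RCVRNG(*CURCHAIN) searches the attached receiver chain; entries  */
/*    on receivers saved to tape need those receivers restored first.  */
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) FROMTIME(103002) +
       ENTTYP(DO) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
       OUTFILE(QTEMP/DOAUDIT)

/* 3. List the outfile's fields and locate the user profile name field */
/*    in the header (assumed here to be DOUSPF). The job user field    */
/*    will still show QUSER for NetServer (QZLSFILE) jobs.             */
DSPFFD FILE(QTEMP/DOAUDIT)

/* 4. Browse the entries. For each deleted folder or document, read    */
/*    the user profile name field rather than the job user field.      */
RUNQRY QRYFILE((QTEMP/DOAUDIT))
```

Because the user profile name is stored in the journal entry itself, the attribution does not depend on the QZLSFILE joblog still being on the system, only on the QAUDJRN receivers being retained.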