
Track down who deleted folders in the root file system

Some folders were deleted and we are trying to find out who deleted them. We used the following:

DSPJRN JRN(QAUDJRN) FROMTIME(103002) ENTTYP(DO) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE1) OUTFILE(QTEMP/TYPE1) ENTDTALEN(*CALC)

By browsing the output file QTEMP/TYPE1 we can see the entry that shows the deleted folder and the documents that were in that folder. The job on the journal entry is identified as "nnnnnn/QUSER/QZLSFILE".

We can go to that job and see what user is being served by that job, but only if the job is active or if the joblog spooled file is still on the system. We normally delete joblog spooled files after a week. We intend to keep the QAUDJRN entries for a year (backed up to tape).

Now to my question: Is there a way to tie the QAUD journal entry for the NetServer job (QZLSFILE) to a specific user without having the QZLSFILE job joblog? If there is no way to do it, this would be a real security hole in the system. As a system administrator I have *ALLOBJ access. I could map my network drive to a folder with sensitive data, delete it, turn off my PC, delete the relevant QZLSFILE joblog and nobody could ever find what I did. Please tell me it's not true.


You are right. If you couldn't tell the user actually doing the delete, that would be a tremendous hole in the system. Fortunately, that's not the case.

I suggest that you create a duplicate object of the model file for the DO entries. That is, CRTDUPOBJ QASYDOJ4. Then do your DSPJRN command. Also, you'll want to use *TYPE4 (QASYDOJ4 is a *TYPE4 file). Not sure what information *TYPE1 gets you, but perhaps that's part of the problem. Using the *TYPE4 model outfile, you should be able to see all of the data items for DO (deleted object) audit entries. As you have discovered, the job user remains QUSER because that's the user the server started up under. You're looking for the user profile name field in the header of the audit entry.

The layout of the model outfile for QASYDOJ4 is documented in Appendix F of the iSeries Security Reference manual.
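
The steps from the answer above written out as CL commands, as an added example that is not part of the original reply. The outfile name DOAUDIT and the RCVRNG(*CURCHAIN) receiver range are assumptions, and the field names DOUSPF and DOUSER follow the model outfile's naming convention and should be confirmed against Appendix F.

```cl
PGM
  /* Copy the IBM-supplied *TYPE4 model outfile for DO entries.      */
  /* DOAUDIT is a hypothetical name chosen for this example.         */
  CRTDUPOBJ  OBJ(QASYDOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) +
             TOLIB(QTEMP) NEWOBJ(DOAUDIT)

  /* Write the DO (delete object) audit entries into that copy.      */
  /* OUTFILFMT must match the model file, so *TYPE4, not *TYPE1.     */
  /* RCVRNG(*CURCHAIN) is an assumption: it reads every receiver     */
  /* still attached to the chain; receivers restored from tape       */
  /* would have to be named explicitly instead.                      */
  DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(DO) +
             OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
             OUTFILE(QTEMP/DOAUDIT)

  /* Browse the result. For a NetServer delete, DOUSER (job user)    */
  /* shows QUSER, while DOUSPF (user profile in the entry header)    */
  /* shows the profile the QZLSFILE job was serving at the time.     */
  RUNQRY     QRYFILE((QTEMP/DOAUDIT))
ENDPGM
```

Because the user profile is stored in the journal entry itself, it is retained for as long as the QAUDJRN receivers are kept, independent of the QZLSFILE joblog.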


This was last published in November 2002
