QAUDJRN and reattaching journal receivers?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • QAUDJRN and reattaching journal receivers?

    We recently migrated to a new machine (820 to 520) and upgraded from V5R1 to V5R3. Auditing was on, QAUDJRN was in QSYS and its journal receivers were in QGPL.

    When we restored to the new machine QAUDJRN wasn't there, and we were told by the guy who installed it that it wouldn't be because it was in QSYS. Unfortunately, when this guy tells us something it's only when we ask, and he doesn't explain why. So much for transfer of knowledge. Anyway... he told us to create a new one, which we did, and told it to use the last journal receiver in the chain as "the" journal receiver. However, it said it couldn't because the journal receiver already contained journal entries.

    Anyone know if this can be done? If so, what might I have done wrong?

    It concerns us because if we have a disaster and we have to go to a new machine we want to recover those journals.

  • #2
    Re: QAUDJRN and reattaching journal receivers?

    What IBM says

    Turning on Security Auditing

    If you already have security auditing turned on, you only need to make
    sure QAUDLVL system value contains *PGMFAIL, and QAUDCTL system value
    includes *AUDLVL. If you do not have auditing turned on, the steps
    described in the Security Reference manual, Chapter 9, Auditing Security
    on the AS/400 System, under the section titled "Setting up Security Auditing,"
    are reproduced here:

    To set up security auditing, do the following steps. Setting up auditing
    requires *AUDIT special authority.

    1. Create a journal receiver in a library of your choice by using the
    Create Journal Receiver (CRTJRNRCV) command. This example uses a library
    called JRNLIB for journal receivers.

    CRTJRNRCV JRNRCV(JRNLIB/AUDRCV0001) +
              THRESHOLD(5000) AUT(*EXCLUDE) +
              TEXT('Auditing Journal Receiver')

    Place the journal receiver in a library that is saved regularly.

    Choose a journal receiver name that can be used to create a naming
    convention for future journal receivers, such as AUDRCV0001. You can
    use the *GEN option when you change journal receivers to continue the
    naming convention. Using this type of naming convention is also useful
    if you choose to have the system manage changing your journal receivers.

    Specify a receiver threshold appropriate to your system size and activity.
    The size you choose should be based on the number of transactions on your
    system and the number of actions you choose to audit. If you use system
    change-journal management support, the journal receiver threshold must
    be at least 5,000KB. For more information on journal receiver threshold
    refer to the Backup and Recovery book.

    Specify *EXCLUDE on the AUT parameter to limit access to the information
    stored in the journal.

    2. Create the QSYS/QAUDJRN journal by using the Create Journal (CRTJRN) command:

    CRTJRN JRN(QSYS/QAUDJRN) +
           JRNRCV(JRNLIB/AUDRCV0001) +
           MNGRCV(*SYSTEM) DLTRCV(*NO) +
           AUT(*EXCLUDE) TEXT('Auditing Journal')

    The name QSYS/QAUDJRN must be used.

    Specify the name of the journal receiver you created in the
    previous step.

    Specify *EXCLUDE on the AUT parameter to limit access to the information
    stored in the journal. You must have authority to add objects to QSYS to
    create the journal.

    Use the Manage receiver (MNGRCV) parameter to have the system change the
    journal receiver and attach a new one when the attached receiver exceeds
    the threshold specified when the journal receiver was created. If you
    choose this option, you do not have to use the CHGJRN command to detach
    receivers and create and attach new receivers manually.

    Do not have the system delete detached receivers. Specify DLTRCV(*NO),
    which is the default. The QAUDJRN receivers are your security audit trail.
    Ensure that they are adequately saved before deleting them from the system.

    The Backup and Recovery book provides more information about working with
    journals and journal receivers.

    3. Set the audit level (QAUDLVL) system value using the WRKSYSVAL command.
    The QAUDLVL system value determines which actions are logged to the audit
    journal for all users on the system.


    For purposes of auditing in preparation for moving to security level 40,
    the system value QAUDLVL should contain audit value *PGMFAIL. Steps 4 through
    8 do not concern us for this document, but it is suggested that you read the
    whole chapter to be familiar with security auditing.

    9. Start auditing by setting the QAUDCTL system value to a value other
    than *NONE.

    The QSYS/QAUDJRN journal must exist before you can change the QAUDCTL
    system value to a value other than *NONE. When you start auditing, the
    system attempts to write a record to the audit journal. If the attempt
    is not successful, you receive a message and auditing does not start.

    The QAUDCTL system value needs to be set to *AUDLVL to use the *PGMFAIL
    value in the QAUDLVL system value. Once you set that, the system begins
    logging security.

    Reading the Security Journal

    There are several ways to read the security journal. This section will
    describe looking at it interactively. The next section will describe
    creating a report using Query.

    To look at the security journal, use the Display Journal command:

    DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(AF)

    QSYS/QAUDJRN is the security journal, and AF journal types are Authority
    Failure records. *PGMFAIL audit entries are recorded as AF journal entries.
    This command will produce a screen like this:


    Display Journal Entries

    Journal . . . . . . : QAUDJRN Library . . . . . . : QSYS

    Type options, press Enter.
    5=Display entire entry


    Opt Sequence Code Type Object Library Job Time
    _ 222812 T AF QPADEV0161 16:42:31
    _ 222911 T AF QPADEV0009 16:55:00
    _ 222912 T AF QPADEV0009 16:55:00
    _ 223228 T AF QPADEV0009 16:56:34




    F3=Exit F12=Cancel

    This is a list of audit journal entries. Putting a 5 (Display) next
    to the last entry presents the following screen:


    Display Journal Entry

    Object . . . . . . . : Library . . . . . . :
    Member . . . . . . . : Sequence . . . . . . : 223228
    Code . . . . . . . . : T - Audit trail entry
    Type . . . . . . . . : AF - Authority failure

    Entry specific data
    Column *...+....1....+....2....+....3....+....4....+....5
    00001 'DQSPWRKF QSYS *PGM QPADEV0009TROLL '
    00051 '103522QCATRS QSYS TROLL 0000'
    00101 '271 '






    Bottom
    Press Enter to continue.

    F3=Exit F6=Display only entry specific data
    F10=Display only entry details F12=Cancel F24=More keys

    Looking in Appendix F of the Security Reference manual, there is a
    description of the "AF" entry. It says the first character is the type
    of violation, in this case D which means "Use of unsupported interface,
    object Domain failure." The object that was being accessed is next,
    QSPWRKF from library QSYS, a program. Then the job, name QPADEV0009,
    user TROLL, job number 103522. (I know from experience that we do not
    need the rest of the information.) Pressing F10 gives the journal entry
    details, which looks like this:


    Display Journal Entry Details

    Journal . . . . . . : QAUDJRN Library . . . . . . : QSYS
    Sequence . . . . . . : 223228

    Code . . . . . . . . : T - Audit trail entry
    Type . . . . . . . . : AF - Authority failure

    Object . . . . . . . : Library . . . . . . :
    Member . . . . . . . : Flag . . . . . . . . : 0
    Date . . . . . . . . : 08/11/98 Time . . . . . . . . : 16:56:34
    Count/RRN . . . . . : 0 Program . . . . . . : QCMD

    Job . . . . . . . . : 103522/TROLL/QPADEV0009
    User profile . . . . : TROLL Ref Constraint . . . : No
    Commit cycle ID . . : 0 Trigger . . . . . . : No



    Press Enter to continue.

    F3=Exit F10=Display entry F12=Cancel F14=Display previous entry
    F15=Display only entry specific data

    Here, we again see the job, and also the time the journal entry was
    created. If we look for this job, we should see what was happening
    at that time. Get a copy of the job log.

    In this case the job log looks like this.
    (Note: The columns have been compressed to better fit on the paper.)


    Display Spooled File
    File . . . . . : QPJOBLOG Page/Line 1/1
    Control . . . . . ________ Columns 1 - 130
    Find . . . . . . _________________________________________________

    5769SS1 V4R2M0 980228 Job Log RCHASBDS 08/11/98 17:10:19 Page 1
    Job name . . . . . : QPADEV0009 User . . : TROLL Number. . . . : 103522
    Job description . : QDFTJOBD Library . : QGPL

    MSGID TYPE SEV DATE TIME FROM PGM LIBRARY INST TO PGM LIBRARY INST
    CPF1124 Information 00 08/11/98 16:09:27 QWTPIIPP QSYS 059D *EXT *N
    Message . . . . : Job 103544/TROLL/QPADEV0009 started on 08/11/98 at
    16:09:27 in subsystem QINTER in QSYS. Job entered system on 08/11/98
    at 16:09:27.
    *NONE Request 08/11/98 16:09:32 QUICMD QSYS 03EC QUICMD QSYS 03EC
    Message . . . . : -wrkactjob
    *NONE Request 08/11/98 16:09:39 QUICMD QSYS 03EC QUICMD QSYS 03EC
    Message . . . . : -wrksyssts
    *NONE Request 08/11/98 16:19:54 QUICMD QSYS 03EC QUICMD QSYS 03EC
    Message . . . . : -wrksbs
    *NONE Request 08/11/98 16:24:04 QPTCHECK *N QUICMD QSYS 03EC
    Message . . . . : -WRKSBS OUTPUT(*PRINT)
    *NONE Request 08/11/98 16:40:11 QUICMD QSYS 03EC QUICMD QSYS 03EC
    Message . . . . : -ws
    *NONE Request 08/11/98 16:56:34 QUICMD QSYS 03EC QUICMD QSYS 03EC
    More...
    F3=Exit F12=Cancel F19=Left F20=Right F24=More keys

    At the time of the audit record, the user was running command WS. It turns
    out that this is just a duplicate of the WRKSPLF command, created to be
    easier to type. This command was initially created with the command:

    CRTDUPOBJ OBJ(WRKSPLF) FROMLIB(QSYS) OBJTYPE(*CMD) TOLIB(QGPL) NEWOBJ(WS)

    A change to the WS command in the past caused it to lose *SYSTEM state.
    Since the command processing program that this command calls is the
    IBM program QSPWRKF and is a *SYSTEM domain program, the command causes
    the AF audit record to be issued, and would cause the command to fail if
    the system went to security level 40.

    If you check table 2-3 in the Security Reference Manual, this falls
    under the case of an IBM-supplied command that was changed to run a
    different program, then changed back to run the original program.
    (Although WS has a different name, the CRTDUPOBJ command duplicated
    it in such a way that the system considered it an IBM command.)
    If you look at the command (DSPCMD) before such a change you will
    see that the "State used to call program" attribute is set to *SYSTEM.
    After the change the state has changed to *USER. A *USER state command
    can't call a system domain object at security level 40.

    All my answers were extracted from the "Big Dummy's Guide to the AS/400"
    and I take no responsibility for any of them.

    www.code400.com
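The investigation the reply walks through by hand (take the AF entry's job and timestamp, then find the request message in that job's job log that was running at that moment) as a small script. This is an added example, not code from the thread or from IBM; the audit row and job-log lines are constructed from the screens quoted above, the field names are assumptions, and the 16:56:34 request is taken to be the WS command as the reply concludes.

```python
# Added example: correlate a QAUDJRN AF entry with the request messages in
# the offending job's job log. Not from the thread or IBM; the rows below
# are constructed from the screens quoted above and field names are assumed.
from dataclasses import dataclass
from datetime import time

# First byte of AF entry-specific data; only 'D' is described in the thread.
AF_VIOLATION = {"D": "Use of unsupported interface, object domain failure"}

@dataclass
class AuditEntry:            # subset of the DSPJRN fields shown in the thread
    sequence: int
    job: str                 # "number/user/jobname" as DSPJRN shows it
    at: time
    violation: str           # first byte of entry-specific data
    object_name: str
    library: str

@dataclass
class JobLogRequest:         # one "Request" line of DSPJOBLOG output
    job: str
    at: time
    command: str             # text after "Message . . . . : -"

# Constructed sample data; the 16:56:34 request is 'ws' per the reply's finding.
AUDIT = [AuditEntry(223228, "103522/TROLL/QPADEV0009", time(16, 56, 34),
                    "D", "QSPWRKF", "QSYS")]
JOBLOG = [JobLogRequest("103522/TROLL/QPADEV0009", time(h, m, s), c)
          for h, m, s, c in [(16, 9, 32, "wrkactjob"), (16, 9, 39, "wrksyssts"),
                             (16, 19, 54, "wrksbs"), (16, 24, 4, "WRKSBS OUTPUT(*PRINT)"),
                             (16, 40, 11, "ws"), (16, 56, 34, "ws")]]

def request_running_at(entry: AuditEntry, joblog: list) -> "str | None":
    """Latest request message of the same job at or before the AF timestamp."""
    # A request message is logged when the command starts, so the most recent
    # one not later than the audit record is the command that tripped the AF.
    hits = [r for r in joblog if r.job == entry.job and r.at <= entry.at]
    return max(hits, key=lambda r: r.at).command if hits else None

def explain(entry: AuditEntry, joblog: list) -> str:
    """One-line finding in the form the reply works out by hand."""
    desc = AF_VIOLATION.get(entry.violation, "other authority failure")
    cmd = request_running_at(entry, joblog) or "(no request message found)"
    return (f"seq {entry.sequence}: AF/{entry.violation} ({desc}) on "
            f"{entry.library}/{entry.object_name} by job {entry.job} "
            f"running '{cmd}' at {entry.at:%H:%M:%S}")

if __name__ == "__main__":
    print(*(explain(e, JOBLOG) for e in AUDIT), sep="\n")
```

On a real system the same two inputs come from DSPJRN with OUTPUT(*OUTFILE) and from the spooled QPJOBLOG, so the job and time matching is the only part that needs to change.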
