A recent article dealing with extracting the journal entries for invalid login attempts helped me tremendously. Now, we need to create, delete, save and restore activity in the journal as follows…
As part of our SOX auditing, we'd like to track program creates, deletes, and restores. I have set QAUDLVL to include *CREATE, *DELETE, *OBJMGT, *SECURITY, *AUTFAIL and *SAVRST.
What journal types and codes should I be filtering on to track the entries? There appears to be a large number of possible options listed in the manual.
Also, is it possible, with the *SAVRST auditing to track what was saved/restored on and from what tape volume(s)? Thank you.
QUESTION POSED ON: 02 MAY 2006
QUESTION ANSWERED BY: Carol Woodbury
To track the creation, deletion, etc., of programs (and I'm guessing service programs), you'd first make a copy of the appropriate model outfile for the entry type you're looking for -- for example, CRTDUPOBJ QASYCOJ5 to get the object creation (CO) entries. Then run DSPJRN to the outfile you've just created. Now you can run a query and filter out everything but creations of object types *PGM and *SRVPGM and produce a report of the results. You'd do the same for DO (deletion of objects) and OR (object restored) entry types.
The only actions audited by specifying *SAVRST in QAUDLVL system value are restore options (no save actions are currently audited). Since the tape volume is not part of the audit journal entry, you cannot use the audit journal to track this information.
|
|
|
