
Copy Audit Journal Entries (CPYAUDJRNE)

The Copy Audit Journal Entries (CPYAUDJRNE) command allows you to copy security audit records from the security auditing journal (QAUDJRN) into one or more output files. Each audit entry type selected is copied to a separate output file. You can then use the Run Query (RUNQRY) command to display the copied records. This provides an alternative to the Display Audit Journal Entries (DSPAUDJRNE) command, allowing all journal entry types to be copied and all fields to be available in the output files.

Uploaded by

Inocencio

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/cl/cpyaudjr...



Where allowed to run: All environments (*ALL)
Threadsafe: No

The Copy Audit Journal Entries (CPYAUDJRNE) command allows you to copy security audit records from the security auditing journal (QAUDJRN) into one or more outfiles. Each audit entry type selected is copied to a separate output file.

To view the audit journal entries copied to the output file, you can use the Run Query (RUNQRY) command to display the records with column headings. The combination of CPYAUDJRNE followed by RUNQRY provides function that is similar to the Display Audit Journal Entries (DSPAUDJRNE) command but with the advantages that:

- All journal entry types are supported.
- All audit journal entry fields are copied and available.

For information on all of the possible audit entries, see Chapter 9 of the Security Reference manual.

Restrictions:

1. You must have *AUDIT special authority to use this command.
2. You must have *EXECUTE and *ADD authority to the specified library to create a new output file in that library.
3. You must have *OBJOPR *OBJMGT *ADD *DLT authority to add or update a member in an existing output file.

Parameters
Keyword: ENTTYP
    Description: Journal entry types
    Choices: Single values: *ALL
             Other values (up to 73 repetitions): AD, AF, AP, AU, CA, CD, CO, CP, CQ, CU, CV, CY, DI, DO, DS, EV, GR, GS, IM, IP, IS, JD, JS, KF, LD, ML, NA, ND, NE, OM, OR, OW, O1, O2, O3, PA, PG, PO, PS, PW, RA, RJ, RO, RP, RQ, RU, RZ, SD, SE, SF, SG, SK, SM, SO, ST, SV, VA, VC, VF, VL, VN, VO, VP, VR, VS, VU, VV, X0, X1, YC, YR, ZC, ZR
    Notes: Optional, Positional 1

Keyword: OUTFILE
    Description: Output file prefix
    Choices: Qualified object name
        Qualifier 1: Output file prefix: Name, QAUDIT
        Qualifier 2: Library: Name, QTEMP, *CURLIB
    Notes: Optional

Keyword: OUTMBR
    Description: Output member options
    Choices: Element list
        Element 1: Member to receive output: Name, *FIRST
        Element 2: Replace or add records: *REPLACE, *ADD
    Notes: Optional

Keyword: USRPRF
    Description: User profile
    Choices: Name, *ALL
    Notes: Optional

Keyword: JRNRCV
    Description: Journal receiver searched
    Choices: Single values: *CURRENT, *CURCHAIN
             Other values: Element list
        Element 1: Starting journal receiver: Qualified object name
            Qualifier 1: Starting journal receiver: Name
            Qualifier 2: Library: Name, *LIBL, *CURLIB
        Element 2: Ending journal receiver: Single values: *CURRENT
                   Other values: Qualified object name
            Qualifier 1: Ending journal receiver: Name
            Qualifier 2: Library: Name, *LIBL, *CURLIB
    Notes: Optional

Keyword: FROMTIME
    Description: Starting date and time
    Choices: Single values: *FIRST
             Other values: Element list
        Element 1: Starting date: Date
        Element 2: Starting time: Time
    Notes: Optional

Keyword: TOTIME
    Description: Ending date and time
    Choices: Single values: *LAST
             Other values: Element list
        Element 1: Ending date: Date
        Element 2: Ending time: Time
    Notes: Optional

Journal entry types (ENTTYP)


Specifies the journal entry types to be copied to an output file.

Single value

*ALL    All audit record entry types are selected.

Entry types (up to 73 repetitions)

AF    Authorization failure.
AD    Auditing changes.
AP    Obtaining adopted authority.
AU    Attribute changes.
CA    Change authority.
CD    Command string.
CO    Create object.
CP    Change user profile.
CQ    Change of *CRQD object.
CU    Cluster management operations.
CV    Connection verification.
CY    Cryptographic configuration.
DI    Directory services.
DO    Delete object.
DS    DST security password reset.
EV    Environment variable operations.
GR    Generic record.
GS    Socket descriptor was given to another job.
IM    Intrusion monitor.
IP    Interprocess communication.
IS    Internet security management.
JD    Change to a user parameter of a job description.
JS    Actions against jobs entries.
KF    Key ring file.
LD    Link, unlink, or lookup directory entry.
ML    Office services mail actions.
NA    Network attribute changed.
ND    Directory search filter violations.
NE    End point filter violations.
OM    Object move or rename.
OR    Object restored.
OW    Object ownership changed.
O1    (Optical access) single file or directory.
O2    (Optical access) dual file or directory.
O3    (Optical access) volume.
PA    Program changed to adopt authority.
PG    Change of an object's primary group.
PO    Printed output entries.
PS    Profile swap.
PW    Invalid password entries.
RA    Authority change during restore.
RJ    Restoring job description with user profile specified.
RO    Change of object owner during restore.
RP    Restoring adopted authority program.
RQ    Restoring a *CRQD object.
RU    Restoring user profile authority.
RZ    Changing a primary group during restore.
SD    Changes to system distribution directory.
SE    Subsystem routing entry changed.
SF    Action on spooled files entries.
SG    Asynchronous signals.
SK    Secure sockets connections.
SM    System management changes.
SO    Server security user information actions.
ST    Use of service tools.
SV    System values changed entries.
VA    Changing an access control list.
VC    Starting or ending a connection.
VF    Closing server files.
VL    Account limit exceeded.
VN    Logging on and off the network.
VO    Validation list actions.
VP    Network password error.
VR    Network resource access.
VS    Starting or ending a server session.
VU    Changing a network profile.
VV    Changing service status.
X0    Network Authentication.
X1    Identity token.
YC    DLO object changed entries.
YR    DLO object read entries.
ZC    Object changed entries.
ZR    Object read entries.

Output file prefix (OUTFILE)


Specifies the prefix for each database file to which the output of the command is directed. If an output file does not exist, this command creates the file in the specified library. If an output file is created by this command, the public authority for the file is set to *EXCLUDE.

Qualifier 1: Output file prefix

QAUDIT
    Each output database file name will begin with 'QAUDIT' with the audit entry type appended to form the complete file name. For example, QAUDITZR would be the file name if ENTTYP(ZR) was specified.
name prefix
    Specify the first 1 to 8 characters of the name of each database file to which the audit entries will be copied. The audit entry type will be appended to the name prefix to form the complete database file name. For example, if FEB2004 is specified as the name prefix and ENTTYP(AF) is specified, the database file name used is FEB2004AF.

Qualifier 2: Library

QTEMP
    The QTEMP library for the job is used to locate the file.
*CURLIB
    The current library for the thread is used to locate the file. If no library is specified as the current library for the thread, the QGPL library is used.
name
    Specify the name of the library to be searched.

Output member options (OUTMBR)


Specifies the name of the database file member that receives the output of the command.

Element 1: Member to receive output

*FIRST
    The first member in the file receives the output. If OUTMBR(*FIRST) is specified and the file has no members, the system creates a member with the name of the file generated from the Output file prefix (OUTFILE) and Journal entry types (ENTTYP) parameters. If the member already exists, you have the option to add new records to the end of the existing member or clear the member and then add the new records.
name
    Specify the name of the file member that receives the output. If it does not exist, the system creates it.

Element 2: Replace or add records

*REPLACE
    The system clears the existing member and adds the new records.
*ADD
    The system adds the new records to the end of the existing records.

User profile (USRPRF)


Specifies which user profile's journal entries are to be included in the output files.

*ALL
    The output files will include entries for all user profiles.
name
    Specify the name of the user profile whose journal entries are to be copied to the output files.

Journal receiver searched (JRNRCV)

Specifies the starting (first) and ending (last) journal receivers whose journal entries are searched.

Note: If the maximum number of receivers (256) in the range is surpassed, an error occurs and no journal entries are copied.

Single values

*CURRENT
    Journal entries in the currently attached journal receiver are searched.
*CURCHAIN
    Journal entries in the currently attached journal receiver chain are searched. If there is a break in the chain, the receiver range is from the most recent break in the chain through the receiver that is attached when starting to convert journal entries.

Element 1: Starting journal receiver

Qualifier 1: Starting journal receiver

name
    Specify the name of the first journal receiver from which entries are searched.

Qualifier 2: Library

*LIBL
    The library list is used to locate the journal receiver.
*CURLIB
    The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
name
    Specify the name of the library where the journal receiver is located.

Element 2: Ending journal receiver

Single values

*CURRENT
    The journal receiver that is currently attached is used as the ending journal receiver.

Qualifier 1: Ending journal receiver

name
    Specify the name of the last journal receiver from which entries are searched.

Qualifier 2: Library

*LIBL
    The library list is used to locate the journal receiver.
*CURLIB
    The current library for the job is used to locate the journal receiver. If no library is specified as the current library for the job, QGPL is used.
name
    Specify the name of the library where the journal receiver is located.

Starting date and time (FROMTIME)


Specifies the date and time of the first journal entry to be searched.

Single values

*FIRST
    The search is to begin with the first record in the journal receiver.

Element 1: Starting date

date
    Specify the starting date. The starting date and time of the first journal entry occurring at or after the specified starting date and time becomes the starting point for the range of entries to be searched.

Element 2: Starting time

time
    Specify the starting time. The starting date and time of the first journal entry occurring at or after the specified starting date and time becomes the starting point for the range of entries to be searched.

    The time can be specified with or without a time separator:

    - Without a time separator, specify a string of 4 or 6 digits (hhmm or hhmmss) where hh = hours, mm = minutes, and ss = seconds.
    - With a time separator, specify a string of 5 or 8 digits where the time separator specified for your job is used to separate the hours, minutes, and seconds. If you enter this command from the command line, the string must be enclosed in apostrophes. If a time separator other than the separator specified for your job is used, this command will fail.

Ending date and time (TOTIME)


Specifies the creation date and time of the last journal entry to be searched.

Single values

*LAST
    The search is to end with the last record in the journal receiver.

Element 1: Ending date

date
    Specify the ending date. The ending date and time of the first journal entry occurring at or before the specified ending time on the specified ending date becomes the ending point for the range of entries to be searched.

Element 2: Ending time

time
    Specify the ending time. The ending date and time of the first journal entry occurring at or before the specified ending time on the specified ending date becomes the ending point for the range of entries to be searched.

    The time can be specified with or without a time separator:

    - Without a time separator, specify a string of 4 or 6 digits (hhmm or hhmmss) where hh = hours, mm = minutes, and ss = seconds.
    - With a time separator, specify a string of 5 or 8 digits where the time separator specified for your job is used to separate the hours, minutes, and seconds. If you enter this command from the command line, the string must be enclosed in apostrophes. If a time separator other than the separator specified for your job is used, this command will fail.


Examples
Example 1: Copy Authority Failure (AF) Records

    CPYAUDJRNE ENTTYP(AF)

This command copies all 'Authority Failure' audit records in the current journal receiver and puts them in member QAUDITAF in database file QTEMP/QAUDITAF. The copied audit records can be displayed by a RUNQRY command, such as:

    RUNQRY QRY(*NONE) QRYFILE((QTEMP/QAUDITAF))

Example 2: Copy Two Entry Types

    CPYAUDJRNE ENTTYP(CO DO) OUTFILE(AUDITLIB/SYSTEM1)

This command copies all 'Create Object' and 'Delete Object' audit records in the current journal receiver and puts them in database files AUDITLIB/SYSTEM1CO and AUDITLIB/SYSTEM1DO respectively. The copied audit records can be displayed by RUNQRY commands, such as:

    RUNQRY QRY(*NONE) QRYFILE((AUDITLIB/SYSTEM1CO)) OUTTYPE(*DISPLAY) OUTFORM(*RUNOPT)
    RUNQRY QRY(*NONE) QRYFILE((AUDITLIB/SYSTEM1DO)) OUTTYPE(*DISPLAY) OUTFORM(*RUNOPT)

Example 3: Copy All Entry Types

    CPYAUDJRNE ENTTYP(*ALL) OUTFILE(SAVEAUDIT/JUNE)
               OUTMBR(SMITHJ *REPLACE) USRPRF(SMITHJ)
               JRNRCV(*CURCHAIN)
               FROMTIME('06/01/2004' '00:00:00')
               TOTIME('07/01/2004' '00:00:00')

This command copies all audit entries for user profile SMITHJ to a set of database files in library SAVEAUDIT that have names like JUNExx where the xx is the audit record entry type. The search for audit records will be performed for all journal receivers in the current chain of journal receivers. Only audit records that were written between midnight on June 01, 2004 and midnight on July 01, 2004 will be copied.

Note: This command may run for a very long time. The entire chain of journal receivers will be searched repeatedly for each audit record entry type.
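An added example (not part of the IBM documentation): a Python pre-flight check for scripts that generate CPYAUDJRNE commands. It applies the OUTFILE naming rule and the FROMTIME/TOTIME time formats described above and returns the files the command will populate, so their authority and retention can be reviewed. The function names and the job_sep parameter are assumptions of this example.

```python
import re

# The 73 entry types listed for ENTTYP on this page.
ENTRY_TYPES = set("""AD AF AP AU CA CD CO CP CQ CU CV CY DI DO DS EV GR GS IM
IP IS JD JS KF LD ML NA ND NE OM OR OW O1 O2 O3 PA PG PO PS PW RA RJ RO RP RQ
RU RZ SD SE SF SG SK SM SO ST SV VA VC VF VL VN VO VP VR VS VU VV X0 X1 YC YR
ZC ZR""".split())

def output_files(enttyp, prefix="QAUDIT", library="QTEMP"):
    """Files the command writes: prefix + entry type, one file per type."""
    if not 1 <= len(prefix) <= 8:
        raise ValueError("OUTFILE prefix must be 1 to 8 characters")
    types = sorted(ENTRY_TYPES) if enttyp == ["*ALL"] else enttyp
    bad = [t for t in types if t not in ENTRY_TYPES]
    if bad:  # also rejects *ALL mixed with other values (it is a single value)
        raise ValueError(f"not valid ENTTYP values: {bad}")
    return [f"{library}/{prefix}{t}" for t in types]

def check_time(value, job_sep=":"):
    """Accept hhmm / hhmmss, or hh<sep>mm[<sep>ss] using the job's separator."""
    sep = re.escape(job_sep)
    if not re.fullmatch(rf"\d{{4}}|\d{{6}}|\d\d{sep}\d\d(?:{sep}\d\d)?", value):
        raise ValueError(f"{value!r} would fail (job time separator {job_sep!r})")
    return value

def _quote(v):
    # Values containing separators must be enclosed in apostrophes.
    return v if v.isdigit() else f"'{v}'"

def build(enttyp, prefix="QAUDIT", library="QTEMP",
          fromtime=None, totime=None, job_sep=":"):
    """Return (CL command string, list of output files it will populate)."""
    files = output_files(enttyp, prefix, library)
    cmd = f"CPYAUDJRNE ENTTYP({' '.join(enttyp)}) OUTFILE({library}/{prefix})"
    for kw, val in (("FROMTIME", fromtime), ("TOTIME", totime)):
        if val:
            date, time = val  # date is passed through in the job's date format
            cmd += f" {kw}({_quote(date)} {_quote(check_time(time, job_sep))})"
    return cmd, files

if __name__ == "__main__":
    # Constructed input modelled on Example 2 plus a June 2004 window.
    cmd, files = build(["CO", "DO"], "SYSTEM1", "AUDITLIB",
                       ("06/01/2004", "00:00:00"), ("07/01/2004", "00:00:00"))
    print(cmd)
    print(files)
```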

Error messages
*ESCAPE Messages

CPFB303    Cannot access data from QAUDJRN.
CPFB304    User does not have required special authorities.
CPFB30A    Record format name &2 does not match expected name &1.
CPF4AA4    No records copied for some ENTTYP values.
CPF9801    Object &2 in library &3 not found.
CPF9802    Not authorized to object &2 in &3.
CPF9810    Library &1 not found.
CPF9820    Not authorized to use library &1.
