Security Patrol

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Q: We are currently using OS/400 auditing and would like to include some of our own audit data in the audit journal. When one of our applications attempts to send an audit entry to the audit journal using the Send Journal Entry (SNDJRNE) command, the application receives a not authorized message. The *PUBLIC authority to the audit journal (QAUDJRN) is *EXCLUDE. When I tried to change the authority to the QAUDJRN, the Grant Object Authority (GRTOBJAUT) command returns message CPF2211, "Not able to allocate object QAUDJRN...." How can I change the authority to the audit journal?

A: To prevent deletion of the audit journal (QAUDJRN), the QSYSARB process of OS/400 allocates the QAUDJRN any time auditing is active. This lock also prevents you from changing the authority to the audit journal. You can stop auditing for a short period while you change the authority to the QAUDJRN and then restart auditing. Auditing can be terminated by changing the system value QAUDCTL to *NONE.

Here are the commands you'll need to run:

 1. DSPSYSVAL SYSVAL(QAUDCTL) 

(Record your current settings so that you can reapply them in step 4.)

 2. CHGSYSVAL SYSVAL(QAUDCTL) + VALUE(*NONE) 3. EDTOBJAUT OBJ(QAUDJRN) + OBJTYPE(*JRN) 

(Use this display to change the *PUBLIC authority to QAUDJRN.)

 4. CHGSYSVAL SYSVAL(QAUDCTL) + VALUE 

(Use the values recorded in step 1.)

Q: There are a number of user profiles on our AS/400 that are inactive, and several appear never to have been used. Before we move to V3R1, I would like to clean up the inactive user profiles. Do you have any recommended steps to find the inactive user profiles?

A:If your system does not have many user profiles, it may be possible to contact the individual users. The users who do not respond are candidates for deletion. However, this is a very time-consuming task. When you have more than 200 user profiles, for example, you may want to use some automated method to find the inactive user profiles.

There are several dates that are useful in locating unused user profiles. The two commands that will give you access to those dates are the following:

 DSPUSRPRF USRPRF(*ALL) + OUTPUT(*OUTFILE) + OUTFILE(USRPRF) DSPOBJD OBJ(QSYS/*ALL) + OBJTYPE(*USRPRF) + OUTPUT(*OUTFILE) + OUTFILE(OBJD) 

Query or SQL can be used to join the two files on user profile name and produce a list of candidate profiles to delete.

The last sign-on date and date last-used are useful to select the user profiles that have not been used for an extended period. The date-created can be used to prevent deletion of user profiles that have recently been created but not used. You may also want to eliminate user profiles that are group profiles or do not have a password.

The use of last-used and last sign-on date is not foolproof. When a user profile is used to send and receive distributions?using the Send Network File (SNDNETF) command, for example?OS/400 does not update the user profile's last-used date.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  •  

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: