On 27-Nov-2013 13:07 -0800, fbocch2595@xxxxxxx wrote:
I've got 3 entry types that are causing me grief as far as disk
goes... since we have millions of these entries every month. My
question to you is what QAUDLVL generates the entry types LD/ZC/ZR?
I can certainly find the docs on the entry types but no mention of
which QAUDLVL generates them. I don't want to start changing the
QAUDLVL so I figured I'd ask you folks. I think it's *JOBDTA for
ZC/ZR, am I right about that? What about LD?
  You could manage the journal environment and backup of receivers to 
alleviate the issues with disk storage; to possibly continue logging 
those entries.?  WRKJRNA QSYS/QAUDJRN to review the settings.
  The ZC and ZR have no relation to the *JOBDTA auditing value for 
QAUDLVL System Value.  Look instead at the *OBJAUD auditing value for 
the QAUDCTL SysVal:
<http://pic.dhe.ibm.com/infocenter/iseries/v7r1m0/topic/rzarl/rzarldspobjaud.htm>
IBM i 7.1 Information Center -> Security -> Security reference -> 
Auditing security on System i -> Using the security audit journal -> 
Planning security auditing
_Planning the auditing of object access_
"The i5/OS <ed: IBM i> operating system provides the ability to log 
accesses to an object in the security audit journal by using system 
values and the object auditing values for users and objects. This is 
called object auditing.
The QAUDCTL system value, the OBJAUD value for an object, and the OBJAUD 
value for a user profile work together to control object auditing. The 
OBJAUD value for the object and the OBJAUD value for the user who is 
using the object determine whether a specific access should be logged. 
The QAUDCTL system value starts and stops the object auditing function.
Table 1 shows how the OBJAUD values for the object and the user profile 
work together.
Table 1. How object and user auditing work together
+--------------+--------------------------------------------+
| OBJAUD value |         _OBJAUD value for user_            |
| _for object_ | *NONE        | *CHANGE      | *ALL         |
+--------------+--------------+--------------+--------------+
|*NONE         | None         | None         | None         |
|*USRPRF       | None         | Change       | Change + Use |
|*CHANGE       | Change       | Change       | Change       |
|*ALL          | Change + Use | Change + Use | Change + Use |
+--------------+--------------+--------------+--------------+
 ..."
  Therefore...
  A T-ZC (Change of Object) audit log entry is logged for an object as 
a result of the object being /changed/ *if* the *OBJAUD special value 
was included in the QAUDCTL *and* the *ALL or *CHANGE special value was 
specified for the Object Auditing Value (OBJAUD) per a prior Change User 
Auditing (CHGUSRAUD) request *and* the specific object that was changed 
had the special value of either *CHANGE or *ALL specified for the Object 
Auditing Value (OBJAUD) via a prior Change Object Auditing (CHGOBJAUD) 
request.
  A T-ZR (Read of Object) audit log entry is logged for an object as 
the result of an effective /read/ access [usage] of the object [for a 
command, used either directly or by proxy] *if* the *ALL special value 
was specified for the Object Auditing Value (OBJAUD) on the user profile 
per a prior Change User Auditing (CHGUSRAUD) request *and* the specific 
object that was used\read had the special value *USRPRF specified for 
the Object Auditing Value (OBJAUD) per a prior Change Object Auditing 
(CHGOBJAUD) request, *or* merely that the specific object that was 
used\read had the special value *ALL specified for the Object Auditing 
Value (OBJAUD) per a prior Change Object Auditing (CHGOBJAUD) request.
  Note: for reference above to CHGOBJAUD, refer also to implicit 
settings established from the QCRTOBJAUD system value and the CRTOBJAUD 
value for libraries [and directories have similar; DLO have CHGDLOAUD]
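
An added example, not part of the original message or of IBM's documentation: a small Python model of the quoted Table 1 together with the QAUDCTL *OBJAUD switch, used to list which user profiles cause T-ZR or T-ZC entries for each object. The object names, profile names and their OBJAUD settings are constructed sample data, and the function names are hypothetical.

```python
# Added example: encodes Table 1 as quoted above, plus the QAUDCTL *OBJAUD switch.
CHANGE, USE = "change", "use"
USER_VALUES = ("*NONE", "*CHANGE", "*ALL")

# TABLE_1[object OBJAUD][user OBJAUD] -> kinds of access that get logged
TABLE_1 = {
    "*NONE":   {u: set() for u in USER_VALUES},
    "*USRPRF": {"*NONE": set(), "*CHANGE": {CHANGE}, "*ALL": {CHANGE, USE}},
    "*CHANGE": {u: {CHANGE} for u in USER_VALUES},
    "*ALL":    {u: {CHANGE, USE} for u in USER_VALUES},
}
ENTRY_TYPE = {CHANGE: "ZC", USE: "ZR"}  # T-ZC = change, T-ZR = read


def audit_entry(qaudctl, obj_objaud, usr_objaud, access):
    """Return 'ZC', 'ZR' or None for one access to one object by one user."""
    if "*OBJAUD" not in qaudctl:      # object auditing is switched off
        return None
    logged = TABLE_1[obj_objaud][usr_objaud]
    return ENTRY_TYPE[access] if access in logged else None


def logged_users(qaudctl, objects, users, access):
    """Map each object to the sorted user profiles whose `access` is logged."""
    return {
        obj: sorted(u for u, uval in users.items()
                    if audit_entry(qaudctl, oval, uval, access))
        for obj, oval in objects.items()
    }


# Constructed sample settings (hypothetical names), as CHGOBJAUD / CHGUSRAUD
# or the QCRTOBJAUD / CRTOBJAUD defaults might have left them.
QAUDCTL = ["*AUDLVL", "*OBJAUD"]
OBJECTS = {"APPLIB/ORDERS": "*ALL", "APPLIB/PRICES": "*USRPRF",
           "APPLIB/CUSTMAST": "*CHANGE", "APPLIB/WORKF": "*NONE"}
USERS = {"BATCHUSR": "*NONE", "APPDEV": "*CHANGE", "SECADM": "*ALL"}

if __name__ == "__main__":
    for access in (USE, CHANGE):
        print(f"T-{ENTRY_TYPE[access]} entries are written for:")
        for obj, who in logged_users(QAUDCTL, OBJECTS, USERS, access).items():
            print(f"  {obj:<16} {', '.join(who) or '(nobody)'}")
```

In the sample data, the object set to *ALL is the one that logs reads for every profile, including the batch profile with *NONE; that is the kind of setting to look for when ZR volume is the problem.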