Important Updates to Cybersecurity Software
HelpSystems is updating the names of our cybersecurity software, including the Powertech product line. Don’t worry—the functionality of your products won’t change.
See the new names here > New, Clearer Names for HelpSystems Security Software.
Compliance Monitor can report on the changes or movement of a file in the IFS directory structure, just like it can track the changes or movements of files in the native library structure.
The first thing that you must verify is that the object auditing system values and the object and user profile are set to audit these changes.
The system values to verify are:
QAUDCTL – This system value must include *OBJAUD in order for the system to detect any object changes. Here is a description of this value:
Actions against objects that have an object audit value other than *NONE will be audited. An object's audit value is set through the Change Audit (CHGAUD) command or the Change Object Audit (CHGOBJAUD) command.
QAUDLVL/QAUDLVL2 – These two system values work together. (QAUDLVL2 is just an extension of QAUDLVL.) These values need to be added to capture the activity on any objects.
*CREATE - All object creations are audited. Objects created into library QTEMP are not audited. The following are some examples:
Objects created to replace an existing object
*DELETE - All deletions of external objects on the system are audited. Objects deleted from library QTEMP are not audited.
*OBJMGT - Generic object tasks are audited. The following are some examples:
Moves of objects
Renames of objects
*SAVRST - Save and restore information is audited. The following are some examples:
When programs that adopt their owner's user profile are restored
When job descriptions that contain user names are restored
When ownership and authority information changes for objects that are restored
When the authority for user profiles is restored
When a system state program is restored
When a system command is restored
When an object is restored
After the system values have been defined, the individual user profile can be set up to be audited or the object itself.
CHGUSRAUD - The CHGUSRAUD (Change User Audit) command allows a user with audit (*AUDIT) special authority to set up or change auditing for a user. The system value QAUDCTL controls turning auditing on and off. The auditing attributes of a user profile can be displayed with the display User Profile (DSPUSRPRF) command.
Note: The changes made by CHGUSRAUD take effect the next time a job is started for this user.
CHGOBJAUD - The Change Object Auditing (CHGOBJAUD) command allows users with *AUDIT special authority to set up or change auditing on an object.
Users with *AUDIT special authority can turn auditing on or off for an object regardless of whether they have authority to the object. The system value QAUDCTL controls turning auditing on and off. The auditing attribute of an object can be displayed with the Display Object Description (DSPOBJD) command.
CHGAUD - The Change Auditing Value (CHGAUD) command sets up or changes auditing on an object or group of objects. An object name pattern can be used to change authority for a group of related objects. The CHGAUD command can also be used to change auditing of a directory tree where the directory, its contents, and the contents of all of its subdirectories are to have auditing changed. If SUBTREE(*ALL) is specified, this command will attempt to change the auditing of all objects within the subtree. A diagnostic message will be sent for each object that could not have its auditing changed and, when all of the objects have been attempted, an escape message will be sent. If all of the objects had auditing changed with no errors, a completion message will be sent.
Note: For IFS file/directories, the CHGAUD command would be used or the CHGUSRAUD for the profile.
Once these have been setup on the System I, the change will be written to the QAUDJRN. Compliance Monitor can now be used to report on this information.
You will be able to track the ‘move’ of an object or the ‘changes’ to the object, even in the IFS .
The type of reports to run in Compliance Monitor to get the moved or changed objects is a ‘Log File’ report.
Select or expand Log File
For Moved Objects – select T:OM (Object Management)
For Change Objects – select T:ZC (Object Changes)
Note: A word of caution on running the changed object report. This will collect information on all of the changes to all of the objects on the system. This could be a long running process depending on the objects that you are auditing.
Still have questions? We can help. Submit a case to Technical Support.