Appendix A: Raz-Lee Entry Types
In addition to the entry types provided by IBM, iSecurity provides you with additional entry types that allow you to be more granular in the choice of events you audit.
Raz-Lee Entry Types beginning with "$"
Raz-Lee has defined its own iSecurity-specific “status” entry types in order to provide our customers with even more auditing possibilities than those provided by native IBM OS400 facilities. These entry types are named $A, $B.
As opposed to OS400 entry type records which are written to QAUDJRN as a result of actions which took place in the system, Raz-Lee’s “in-house” audit types provide current status information regarding jobs, objects, libraries, commands, user profiles, authorities, system values, network definitions, etc.
Raz-Lee Entry Types @J, @K, @P, @S
In the area of “system control”, Raz-Lee has added entry types @J, @K, @P and @S, which monitor system status (high CPU usage, use of disk space, database and system faults and more) as well as active and non-active jobs and pool information.
These entry types can be set and managed via STRAUD > 13.
Raz-Lee Entry Types @0…@9
Also in the area of “system control”, STRAUD > 14 lets you control (using Option 1) and define (using Option 11) message queues named @0 through @9. These include the special QHST message queue, accessed by the command DSPLOG, which is always associated with message queue @9.
Summary of Raz-Lee Entry Types
Raz-Lee has added additional entry types as follows:
- $@ - History Log
- A$ - All types of QAUDJRN containing Library and Object
- A# - All types of QAUDJRN
- C@ - User Profile Changed (After and Previous Images)
The table below provides a list of Entry Types:
Audit Type | Entry Type | Sub Type | Description |
---|---|---|---|
*Status | $@ | A | QHST History log. |
*Status | $0 | A | Displays Audit statistics from file AUSTTSP |
*Status | $1 | A | Displays Firewall statistics from file GSSTTSP |
*Status | $9 | A | Intercepts any number of spool files that are created by execution of a command or a program. The spool files are assembled into free-format text that is handled by the report generator. With the $9 type, the full range of report generator capabilities is available, including HTML and PDF output, running on multiple systems, sending by email and more. |
*Status | $A | A | Displays the *BASIC content of a user profile. All parameters as defined in the user profile are displayed. |
*Status | $B | A | Displays the *OBJOWN objects owned by the user: object names, object types, and the libraries in which the objects reside. Also indicates if the object is an authority holder. |
*Status | $C | A | Displays the *OBJPGP total number of objects this user owns, the object names, the object types, and the libraries in which the objects reside. Also indicates if the object is an authority holder. |
*Status | $D | A | Displays the *OBJAUT names of the objects (except those authorized for public use) to which the user has specific authority, the user's authority for those objects, and the object types. |
*Status | $E | A | Displays Job schedule entries. |
*Status | $G | A | Displays the *GRPMBR members of a group. This display is available only if the displayed user profile is a group profile. |
*Status | $H | A | File members description. This type reports large file members and file members that require reorganization, obtains the names of the source members that were used to create the objects, and more. $H can be run in 1=Fast mode (takes minutes for the entire system) or 2=Standard mode (takes much longer). Choose according to your OS level and the type of information you require, as the Standard mode includes more fields. |
*Status | $I | A | Displays object descriptions |
*Status | $J | A | Displays the *OBJAUT names of the objects (except those authorized for public use) to which the user has specific authority, the user's authority for those objects, and the object types. |
*Status | $K | A | Displays Job Descriptions with Excess Authority (JOBD with associated user profile, that *PUBLIC can use). |
*Status | $L | A | Displays Library descriptions |
*Status | $M | A | Displays the activation schedule of user profiles |
*Status | $N | A | Displays the expiration schedule of user profiles |
*Status | $P | A | Displays the number of users who have default passwords. The report does not display user names for security reasons. If there are too many users with default passwords, a user with the appropriate security permissions should run the ANZDFTPWD command to check the actual users and take the necessary action to correct the situation. |
*Status | $S | A | Displays the SYSVAL names and values of the system values |
*Status | $T | A | Displays the DSPNETA network attributes of the system. |
*Status | $U | A | Authorization Lists |
*Status | $V | A | Native objects secured by authorization list |
*Status | $W | A | IFS objects secured by authorization list |
*Status | $X | A | Library information, including size and % of disk space. Running a report of this type requires a prior run of the standard Retrieve Disk Information (RTVDSKINF) command. Information is then taken from this run. |

ENTRY TYPE | PROD | TEXT |
---|---|---|
$@ | AU | History Log |
$A | AU | User profile information |
$A | UP | User profile information |
$B | AU | Objects that are owned by a user |
$C | AU | Objects that a user is their primary group |
$D | AU | Objects for which a user has specific authority |
$E | AU | Job schedule entries |
$F | AU | Command attributes |
$G | AU | Group profile and their users |
$G | UP | Group profile and their users |
$H | AU | File members |
$I | AU | Object description |
$J | AU | Object authority |
$K | AU | Job descriptions with user profile & *PUBLIC=*USE |
$L | AU | Libraries description |
$M | AU | User profile activation schedule |
$M | UP | User profile activation schedule |
$N | AU | User profile expiration schedule |
$N | UP | User profile expiration schedule |
$O | AU | Program/Service-Program information |
$P | AU | Users with default password (Repair by ANZDFTPWD) |
$P | UP | Users with default password (Repair by ANZDFTPWD) |
$Q | AU | Programs that adopt authorities |
$R | AU | IFS Objects |
$S | AU | System values |
$T | AU | Network attributes |
$U | AU | Authorization Lists |
$V | AU | Native objects secured by authorization list |
$W | AU | IFS objects secured by authorization list |
$X | AU | Library information [run RTVDSKINF first] |
$Y | AU | Modules of Program/Service-Program |
$0 | AU | Audit Statistics processing |
$1 | AU | Firewall Statistics processing |
$3 | AU | Compliance report |
$8 | AU | Query log report |
$9 | AU | Interface to any spool file query |
$9 | FD | Interface to any spool file query |
$9 | OD | Interface to any spool file query |
#A | AU | System limits trending |
#A | KP | System limits trending |
#C | AU | PTF Groups Installed vs. Available |
#C | CT | PTF Groups Installed vs. Available |
#C | KP | PTF Groups Installed vs. Available |
#G | AU | Group PTF Info |
#G | CT | Group PTF Info |
#G | KP | Group PTF Info |
#H | AU | PTF Info |
#H | CT | PTF Info |
#H | KP | PTF Info |
#K | AU | Netstat information |
#K | KP | Netstat information |
#L | AU | NETSTAT interface information |
#L | KP | NETSTAT interface information |
#M | AU | NETSTAT routing information |
#M | KP | NETSTAT routing information |
#N | AU | NetStat job info |
#N | KP | NetStat job info |
#Q | AU | TCP/IP information |
#Q | KP | TCP/IP information |
#R | AU | Current server information |
#R | KP | Current server information |
#U | AU | System status |
#U | KP | System status |
#V | AU | System memory pool information |
#V | KP | System memory pool information |
#W | AU | AU Active jobs |
#X | AU | Disk status |
#X | KP | Disk status |
#Y | AU | Output queue information (summary) |
#Y | KP | Output queue information (summary) |
#Z | AU | License Information |
@J | AU | Active job information |
@K | AU | Job not active |
@P | AU | Pool not active |
@S | AU | System status and pool information |
@0 | AU | Message queue (Group Id 0) |
@1 | AU | Message queue (Group Id 1) |
@2 | AU | Message queue (Group Id 2) |
@3 | AU | Message queue (Group Id 3) |
@4 | AU | Message queue (Group Id 4) |
@5 | AU | Message queue (Group Id 5) |
@6 | AU | Message queue (Group Id 6) |
@7 | AU | Message queue (Group Id 7) |
@8 | AU | Message queue (Group Id 8) |
@9 | AU | QHST messages |
A$ | AU | All types of QAUDJRN containing Library & Object |
A# | AU | All types of QAUDJRN |
AD | AU | Auditing changes |
AF | AU | Authority failure |
AP | AU | Obtaining adopted authority |
AU | AU | Attribute change |
AX | AU | Row and Column Access Control (RCAC) |
C@ | AU | User profile changed (After & Previous images) |
C@ | UP | User profile changed (After & Previous images) |
CA | AU | Authority changes |
CD | AU | Command string audit |
CD | OD | Command string audit |
CO | AU | Create object |
CP | AU | User profile changed, created, or restored |
CP | UP | User profile changed, created, or restored |
CQ | AU | Change of *CRQD object |
CU | AU | Cluster operations |
CV | AU | Connection verification |
CY | AU | Cryptographic configuration |
D@ | CM | Command checked |
DI | AU | Directory services |
DO | AU | Delete object |
DS | AU | DST security password reset |
EV | AU | System environment variables |
GR | AU | Generic record |
GS | AU | Socket description was given to another job |
IM | AU | Intrusion monitor |
IP | AU | Interprocess communication |
IR | AU | IP rules actions |
IS | AU | Internet security management |
JD | AU | Change to user parameter of a job description |
JS | AU | Actions that affect jobs |
KF | AU | Key ring file |
LD | AU | Link, unlink, or look up directory entry |
ML | AU | Office services mail actions |
NA | AU | Network attribute changed |
ND | AU | APPN directory search filter violation |
NE | AU | APPN end point filter violation |
OM | AU | Object move or rename |
OR | AU | Object restore |
OW | AU | Object ownership changed |
O1 | AU | Optical access: Single file or directory |
O2 | AU | Optical access: Dual file or directory |
O3 | AU | Optical access: Volume |
P@ | PR | Password Reset |
PA | AU | Program changed to adopt authority |
PF | AU | PTF Operations |
PG | AU | Change of an object's primary group |
PO | AU | Printed output |
PS | AU | Profile swap |
PU | AU | PTF Object Change |
PW | AU | Invalid password |
RA | AU | Authority change during restore |
RJ | AU | Restoring job description with profile specific |
RO | AU | Change of object owner during restore |
RP | AU | Restoring adopted authority program |
RQ | AU | Restoring a *CRQD object |
RU | AU | Restoring user profile authority |
RZ | AU | Changing a primary group during restore |
SD | AU | Changes to system distribution directory |
SE | AU | Subsystem routing entry changed |
SF | AU | Actions to spooled files |
SG | AU | Asynchronous Signals |
SK | AU | Secure sockets connections |
SM | AU | System management changes |
SO | AU | Server security user information actions |
ST | AU | Use of service tools |
SV | AU | System value changed |
VA | AU | Changing an access control list (rel 4.5-7.1) |
VC | AU | Starting or ending a connection (rel 4.5-7.1) |
VF | AU | Closing server files (rel 4.5-7.1) |
VL | AU | Account limit exceeded (rel 4.5-7.1) |
VN | AU | Logging on and off the network (rel 4.5-7.1) |
VO | AU | Validation list actions |
VP | AU | Network password error |
VR | AU | Network resource access (rel 4.5-7.1) |
VS | AU | Starting/ending a server session (rel 4.5-7.1) |
VU | AU | Changing a network profile (rel 4.5-7.1) |
VV | AU | Changing service status (rel 4.5-7.1) |
XD | AU | Directory server extension |
X0 | AU | Network Authentication |
X1 | AU | Identity token |
X2 | AU | Query Manager profile values. |
YC | AU | DLO object accessed (change) |
YR | AU | DLO object accessed (read) |
ZC | AU | Object accessed (change) |
ZM | AU | SOM method access (no longer used by IBM) |
ZR | AU | Object accessed (read) |
0 | FW | Generic entry type (00-99 for reporting only) |
1 | FW | *FILTFR Original File Transfer Function |
2 | FW | *FTPLOG FTP Server Logon |
3 | FW | *FTPSRV FTP Server-Incoming Rqst Validation |
4 | FW | *SQL Database Server - SQL access |
5 | FW | *RMTSRV Remote Command/Program Call |
6 | FW | *FILSRV File Server |
7 | FW | *DDM DDM request access |
8 | FW | *TELNET Telnet Device Initialization |
9 | FW | *TFTP TFTP Server Request Validation |
1K | FD | *FW-DFN Native Object Security |
1L | FD | *FW-DFN IFS object security |
1M | FD | *FW-DFN Command Exceptions |
1N | FD | *FW-DFN Users & Groups |
1Y | AU | iSecurity groups members |
10 | FW | *REXLOG REXEC Server Logon |
11 | FW | *REXEC REXEC Server Request Validation |
12 | FW | *RMTSQL Original Remote SQL Server |
13 | FW | *NDB Database Server - data base access |
14 | FW | *WSG WSG Server Sign-On Validation |
15 | FW | *ORDTAQ Original Data Queue Server |
16 | FW | *DTAQ Data Queue Server |
17 | FW | *MSGSRV Original Message Server |
18 | FW | *SQLENT Database Server - entry |
19 | FW | *OBJINF Database Server - object information |
20 | FW | *VPRT Original Virtual Print Server |
21 | FW | *NPRENT Network Print Server - entry |
22 | FW | *NPRSPL Network Print Server - spool file |
23 | FW | *CHGUP Change User Profile |
24 | FW | *CRTUP Create User Profile |
25 | FW | *DLTUPA Delete User Profile - after delete |
26 | FW | *DLTUPB Delete User Profile |
27 | FW | *RSTUP Restore User Profile |
28 | FW | *ORLICM Original License Mgmt Server |
29 | FW | *CSLICM Central Server - license mgmt |
30 | FW | *CSCNVM Central Server - conversion map |
31 | FW | *CSCLNM Central Server - client mgmt |
32 | FW | *TCPSGN TCP Signon Server |
33 | FW | *PWRDWN Prepower Down System |
34 | FW | *RMTSGN Remote sign-on (Passthrough) |
35 | FW | *PWDVLD Password Dictionary Check / Validation |
36 | FW | *DRDA DRDA Distributed Relational DB access |
37 | FW | *FTPCLN FTP Client-Outgoing Rqst Validation |
38 | FW | *TELOFF Telnet Device Termination |
39 | FW | *DHCPAB DHCP Address Binding Notify |
40 | FW | *DHCPAR DHCP Address Release Notify |
41 | FW | *DHCPRP DHCP Request Packet Validation |
42 | FW | *SIGNON Sign-On completed |
43 | FW | *PWDCHK Password Dictionary Check / Check |
44 | FW | *SSHD SSH Daemon |
45 | FW | *DBOPEN Open Database |
46 | FW | *PWDVL2 Password Dictionary Check /Validation fmt2 |
47 | FW | Socket Accept |
48 | FW | Socket Connect |
49 | FW | Socket Listen |
5A | CT | Tracking Data (Native/IFS/PTF/Source) |
5B | CT | ILE Modules Inventory |
5D | CT | Definition of IFS Directories |
5F | CT | PTF Status |
5G | CT | PTF Advanced status (Rel 7.2) |
5I | CT | Definition of Activity to Disregard |
5J | CT | Definition of Environments |
5L | CT | Definition of Libraries to Trace |
5M | CT | Definition of Projects |
5N | CT | Definition of Tasks |
5R | CT | Definition of IFS Directories to Disregard |
5W | CT | Tracking Data (Native Objects) |
5X | CT | Tracking Data (Source Members) |
5Y | CT | Tracking Data (IFS Objects) |
5Z | CT | Tracking Data (PTF Objects) |
6A | JR | Object Journaling Plan |
6B | JR | Object check Journaling Plan |
6C | JR | Confirmation tickets |
6I | OD | AOD History |
6V | AV | Virus, Worm, Trojan, Ransomware detected |
6X | PR | Person - Attributes |
6Y | PR | Users of a Person |
6Z | PR | Log of who changed questions |
7E | AC | User Compliance Check |
7F | AC | User Compliance Plan |
7I | AC | Native Object Compliance Check |
7J | AC | Native Object Compliance Plan |
7M | AC | IFS Object Compliance Check |
7N | AC | IFS Object Compliance Plan |
97 | FW | *SCRLCK Screen locked due to timeout |
98 | FW | *SCRRLS Screen released |
99 | FW | *SCREND Screen jobs ended as timeout passed |