Published on System iNetwork (http://systeminetwork.com)
Detecting the use of Sensitive CL Commands
By bradforde
Created Nov 19 2008 - 16:42

By:
Dan Riehl [1]

To detect the use of particular CL commands, you must configure your system for object auditing and then turn on auditing for the commands you want to monitor.

To enable object auditing, you include the value *OBJAUD in the QAUDCTL system value to tell the system that you want to audit the use of certain selected objects. Then, use the command CHGOBJAUD (Change Object Auditing) to identify the objects to be audited. The objects you want to audit include the sensitive CL commands.

To view your current auditing configuration, use the command DSPSECAUD (Display Security Auditing).

Once object auditing is enabled, you can tell the system to record every usage of the sensitive commands. A few of the commands I typically want to watch are:

  • UPDDTA – Use DFU (Data File Utility) to update data using a temporary program
  • Your choice of EZVIEW, DBU, WRKDBF, or vendor-supplied database editor software
  • RUNSQLSTM – Run an SQL statement
  • CRTLIB – Create a library
  • CHGUSRPRF – Change a user profile
  • CRTUSRPRF – Create a user profile
  • STRSST – Start system service tools

You will have your own favorites that are dictated by your application environment.

The command to tell the system to audit every use of the CRTLIB command is:

CHGOBJAUD OBJ(CRTLIB) OBJTYPE(*CMD) OBJAUD(*ALL)

This activates the auditing for the command so that each time the CRTLIB command is used, an audit entry is written to the QAUDJRN journal.

Reporting on Command Usage

You can use the commands DSPJRN, DSPAUDJRNE, or CPYAUDJRNE to extract and report on command usage. The journal entry type for a command string audit is 'CD'.

Each audited command that was run during the reporting period is included in the output of these three reporting commands, and the entire command string is listed. If, however, the command was run from within a CL program that was created with LOG(*NO) and ALWRTVCLSRC(*NO), the entire command string is not listed; only the CL command and library are listed. This is a nice safeguard for vendor-supplied CL programs as well as for sensitive CL programs whose code you want to hide.

Here's an example of using the DSPJRN command:

DSPJRN JRN(QAUDJRN) RCVRNG(*CURRENT) JRNCDE((T)) ENTTYP(CD) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(MYLIB/CMDAUDIT)

This command will place all CD entries into the output file listed. When you use the DSPJRN command, you will want to parse the data in the Entry Specific Data column to split out the command and related information for reporting.

Here's an example of using the DSPAUDJRNE command:

DSPAUDJRNE ENTTYP(CD) JRNRCV(*CURCHAIN)

This command creates a printed report or display. The DSPAUDJRNE command is no longer being enhanced by IBM, and it can send its output only to a report or to the display screen.

To extract QAUDJRN 'CD' entries, I like the CPYAUDJRNE command.

CPYAUDJRNE ENTTYP(CD) OUTFILE(MYLIB/QAUDIT) JRNRCV(*CURCHAIN)

This command creates an output file named QAUDITCD in library MYLIB. The output file is entry-specific for the CD entries. I then run a simple SQL statement or Query to format the data for presentation.

As a nice feature, one of the fields in the 'CD' audit entry is a Y/N flag that tells you whether the command was run from within a CL program. It lets you easily filter out the commands that were run from within a CL program.
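As an added example (not part of the original article), the Python code below splits the Entry Specific Data of 'CD' entries, as exported from the DSPJRN output file, into fields and uses the Y/N flag to keep only watched commands that were not run from within a CL program. The field positions, the function names and the sample records are assumptions constructed for illustration; confirm the layout against the IBM documentation for your release.

```python
"""Split QAUDJRN 'CD' Entry Specific Data into fields and filter it."""

# ASSUMED layout (0-based start, length) of the CD entry-specific data;
# confirm against the IBM Security Reference for your release.
CD_LAYOUT = {
    "entry_type": (0, 1),
    "command": (1, 10),
    "library": (11, 10),
    "object_type": (21, 8),
    "from_cl_program": (29, 1),   # the Y/N flag the article mentions
    "command_string": (30, 6000),
}
MIN_LEN = 30  # everything up to and including the Y/N flag

# Commands to watch, taken from the article's list.
WATCHED = {"UPDDTA", "RUNSQLSTM", "CRTLIB", "CHGUSRPRF", "CRTUSRPRF", "STRSST"}

def parse_cd(esd: str) -> dict:
    """Return the CD fields of one Entry Specific Data value."""
    if len(esd) < MIN_LEN:
        raise ValueError(f"CD entry data too short: {len(esd)} chars")
    rec = {name: esd[start:start + length].rstrip()
           for name, (start, length) in CD_LAYOUT.items()}
    if rec["from_cl_program"] not in ("Y", "N"):
        raise ValueError("unexpected CL-program flag; layout may not match")
    return rec

def direct_uses(esd_values, watched=WATCHED):
    """Watched commands that were NOT run from within a CL program."""
    recs = (parse_cd(esd) for esd in esd_values)
    return [r for r in recs
            if r["command"] in watched and r["from_cl_program"] == "N"]

def make_esd(cmd, lib, flag, string):
    """Build a CONSTRUCTED sample value in the assumed layout."""
    return f"C{cmd:<10}{lib:<10}{'*CMD':<8}{flag}{string}"

SAMPLE = [  # constructed sample data, not real journal output
    make_esd("CRTLIB", "QSYS", "N", "CRTLIB LIB(TESTLIB)"),
    make_esd("CRTLIB", "QSYS", "Y", "QSYS/CRTLIB"),
    make_esd("CHGUSRPRF", "QSYS", "N", "CHGUSRPRF USRPRF(DEMO) STATUS(*ENABLED)"),
]

if __name__ == "__main__":
    for rec in direct_uses(SAMPLE):
        print(rec["command"], "|", rec["command_string"])
```

The second sample record mimics a command run from a CL program, where only the command and library appear, so it is filtered out.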

© 2010 Penton Media, Inc.

Source URL: http://systeminetwork.com/article/detecting-use-sensitive-cl-commands

Links:
[1] http://systeminetwork.com/author/dan-riehl