Register

Forgot Password

Site FAQ

Home > IT Answers > AS/400 > iSeries V5R3 Command line access tracking

ATitus

85 pts.

iSeries V5R3 Command line access tracking

AS/400, iSeries, iSeries command line

Is there any way to track who is using the command line and what they are using it for? Want to put certian commands on a menu for our users to get to so I can take away command line access. Hoping there is a way to see who is currently using it and for what. Thanks Ann

Software/Hardware used:

ASKED: December 13, 2007 4:50 PM

UPDATED: March 10, 2010 11:50 AM

RELATED QUESTIONS

Answer Wiki:

Yes. Command Line access is granted at the *USRPRF level on the "Limit Capabilities" (LMTCPB) parameter. The valid values are Yes, No, and Partial. Values "No" and "Partial" grant command line access. (However, just because someone has command line access doen't necessarily give that someone authority to a particular command. ) So if you are *SECOFR or have *ALLOBJ authority you can very easily see who does/does not have Command Line access. What they are using it for is another matter. You could do it - but it isn't an "easy" matter. One "easier" way to track command execution is to examine the interactive job's Job Log. But to do that, you would have to make sure that the job log (*SPLF) got created every time the user signed off. If any of the users have *JOBCTL capabilities, they could foil your attempts to track their activity by changing the own interactive job to not produce a job log or change the level of detail created. At any rate, if you are able to create a job log 100% of the time, you could then write a program to interogate the user's job log to capture the information. That too would not be an "easy" task. But it is do-able. Hopefully this helps. ============================================================ To track command-line usage, you can enable auditing and specify CHGUSRAUD AUDLVL(*CMD) for any users you need to track. Commands from those users will be recorded in the system audit journal along with any other events you have enabled for auditing. Tom

Yes.  Command Line access is granted at the *USRPRF level on the "Limit Capabilities" (LMTCPB) parameter.  The valid values are Yes, No, and Partial.  Values "No" and "Partial" grant command line access.  (However, just because someone has command line access doen't necessarily give that someone authority to a particular command. )  So if you are *SECOFR or have *ALLOBJ authority you can very easily see who does/does not have Command Line access.  What they are using it for is another matter.  You could do it  - but it isn't an "easy" matter.  One "easier" way to track command execution is to examine the interactive job's Job Log.  But to do that, you would have to make sure that the job log (*SPLF) got created every time the user signed off.  If any of the users have *JOBCTL capabilities, they could foil your attempts to track their activity by changing the own interactive job to not produce a job log or change the level of detail created.  At any rate, if you are able to create a job log 100% of the time, you could then write a program to interogate the user's job log to capture the information.  That too would not be an "easy" task.  But it is do-able.  Hopefully this helps.

============================================================

To track command-line usage, you can enable auditing and specify CHGUSRAUD AUDLVL(*CMD) for any users you need to track.

Commands from those users will be recorded in the system audit journal along with any other events you have enabled for auditing.

Tom

Last Wiki Answer Submitted: March 7, 2010 8:29 am by DJA

65 pts.

All Answer Wiki Contributors: DJA

65 pts.

To see all answers submitted to the Answer Wiki: View Answer History.

RSS - Discussions Help

Discuss This Question:

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

POSTED: Mar 10, 2010 11:50 AM (GMT)

I have enabled user’s cmd line auditing using the command CHGUSRAUD USRPRF(USERNAME) AUDLVL(*CMD *DELETE *CREATE). When I look at the logs captured, I see that apart from the commands typed by the user at the terminal, the other commands that get fired internally on behalf of the user are also captured. Is there a way to skip capturing the internal commands ?
regards,
Prashant

Prashantmb

10 pts.

Ask a Question

Browse IT Answers by Topic

>>VIEW ALL TAGS

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags