The command strsst chould have *public *exclude on it and only QSYS and QSRV should be authorized to it. If any user was able to access that command they had allobj. Unless they had spcaut *SERVICE, they still would not be able to use strsst to the point of disabling any service profile. You should not have more than three profiles on any system with *allobj or *service and they should have the all user auditing turned on with chgusraud, *cmd, *create, *delete,……..*service, *srvrst, *security…..* in other words mostly everything accept *jobdta, *optical, and *splfdta.
If you have done this and you have the system value qaudctl at QAUDLVL with most of the option listed above esp *service, *security, *cmd then you should have at least one years audit journal receivers on line or backup and be able to dspaudjrn by each user with those special authorities and find the culprit. On a development system you could even fail the 22222222 service pwd again and look for the CPF msg and search by that.
If none of these are available to you because they have not been implemented you are thouroughly scr3w3d and should hire or rent a qualified system administrator to implement minimum standard security on your iSeries before an irate or dumb user or programmer wipes our your system after stealing any sensitive info they care to get.
It can’t be said often enough — if you don’t have auditing enabled, you can’t be sure what happened and you might not even find hints. But assuming that auditing is properly configured and that you have the relevant system audit journal receivers still on your system (or you restored them), a basic procedure could be:<pre>
CRTDUPOBJ OBJ(QASYPWJ5) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
DSPJRN JRN(QAUDJRN) FROMTIME( date time ) JRNCDE((T)) ENTTYP(PW)
OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/PW)
RUNQRY QRYFILE((QTEMP/PW))</pre>That assumes a reasonably current version of i5/OS to allow *TYPE5 output. The FROMTIME() can have a starting date and time that you feel is appropriate. You might also need to specify a RCVRNG(), especially if there are any breaks in the chain of receivers after any restore.
The QASYPWJ5 model file will provide the file formatting for the “entry specific data” in the journal entry that will let you find references to a particular profile — 22222222. It will also let you find the ‘violation entry type’ of “X” that will be the disabling event. Related violations will be previous “Z” violations for invalid passwords.
Among the useful entry header fields will be the remote IP address for the source of the attempts. That might be more useful than the user profile that made the attempts since the user might have been compromised. Or it might simply be an element of corroboration. Take care in interpreting anything.
You might also review other entries in a similar time range to see what else the IP address was doing and what else the profile was doing to find inconsistencies.
Be aware that some of the fields will have binary data that might mess up a 5250 display. You can either ignore those as you scroll left/right or up/down, or you can use a more discriminating query request to leave those fields out of the display.