How do I generate real-time alerts for command usage? (NETIQKB53846)

  • 7753846
  • 02-Feb-2007
  • 03-Mar-2010

Environment

Fact:  System Auditing and Reporting (SAR)

Fact:  NetIQ Security Solutions for iSeries 8.0

Fact:  PSAudit 8.0

Situation

Goal: How do I generate real-time alerts for command usage?

Goal: How can I receive notifications when a specific command is used?

Resolution

To generate real-time alerts for the usage of commands other than the pre-configured SQL and Query commands, you must use the attached source code to create a program that will allow you to register additional command processing programs (CPPs) for monitoring by the PSAudit SQL/QRY Monitor.

To use SQL/QRY Monitor for any command:

  1. Save the linked file to the root directory of the local drive (C:\) on your PC.

    https://download.netiq.com/kb/files/NETIQKB53846-SAR0581C.txt

  2. Copy the file from the PC to the iSeries using FTP:
    1. Open a new DOS or command window.
    2. Type the following command where servername is the name or IP address of your iSeries server and press Enter.

      FTP servername

    3. Type a user ID at the FTP prompt, and press Enter.
    4. Type the associated password at the FTP prompt, and press Enter.
    5. Type the following commands, pressing Enter after each:

      put c:\SAR0581C.txt  QGPL/QCLSRC.SAR0581C

      quit

  3. From the iSeries server command line, type the following commands, pressing Enter after each:

    ADDLIBLE PSCOMMON

    CRTCLPGM QGPL/SAR0581C QGPL/QCLSRC TEXT('Load CPP into SAR0511F') ALWRTVSRC(*NO) AUT(*EXCLUDE) TGTRLS(*CURRENT)

    RMVLIBLE PSCOMMON

    CHGOBJOWN QGPL/SAR0581C *PGM NEWOWN(PSOBJOWN)

    GRTOBJAUT QGPL/SAR0581C *PGM REFOBJ(PSAUDIT/SAR0515C)

  4. From PSMENU, select options 1, 1, and 7.
  5. Press F10 (Cmd Line).
  6. Type CALL QCMD and press Enter.
  7. Back up the file containing SQL/QRY CPPs by typing the following command and pressing Enter:

    CPYF FROMFILE(SAR0511F) TOFILE(PSAUDIT/SAR0511F75) MBROPT(*REPLACE) CRTFILE(*YES)

  8. Back up the file containing SQL/QRY commands by typing the following command and pressing Enter:

    CPYF FROMFILE(SAR0515F) TOFILE(PSAUDIT/SAR0515F75) MBROPT(*REPLACE) CRTFILE(*YES)

  9. Call the program to register a command for monitoring. For example, to register the CRTUSRPRF command in library QSYS:

    CALL PGM(SAR0581C) PARM(CRTUSRPRF QSYS SAR0511F)

    Please note that multiple related commands may share the same CPP, so registering one of them also covers the others. For example, the CRTUSRPRF command uses CPP QSYUP, which is also used by the CHGUSRPRF command. Similarly, the CHGDTA command uses CPP QDZCMDP, which is also used by the DLTDFUPGM, DSPDTA, and UPDDTA commands.

  10. Press F12 (Cancel) twice to exit the command line and return to the menu.
  11. To load the list of commands, select option 28 (Work with SQL/QRY Auditing).
  12. Press F7 (Load).
  13. In the Run interactively field, type *YES and press Enter.
  14. When the list of commands finishes loading, press F5 (Refresh).
  15. To activate alerts for a command, select option 28 (Work with SQL/QRY Auditing) and specify option 8 (Start Alert) for the appropriate command.

    The SQL/QRY Monitor subsystem does not need to be active to send alerts. The command usage alerts are sent to PSDetect and can be managed there through alert queue PSDAPI. To forward alerts to a specific message queue instead of to PSDetect, use option 29 (Maintain Audit Alert MSGQ).

  16. To activate Auditing for a command, select option 28 (Work with SQL/QRY Auditing) and specify option 2 (Start Audit) for the appropriate command.

    The command usage audit entries are sent to journal QAUDJRN. To report on command usage audit entries, from PSMENU, select options 1, 1, 5, 3, and 9. The SQL/QRY Audit Report will include events for all monitored commands that are being audited by the SQL/QRY Monitor.

  17. To register an additional command, repeat steps 9 through 16.

Cause

The list of pre-configured commands is limited to SQL and Query. There are many other commands considered sensitive that should be monitored, particularly when used by powerful user profiles.

Additional Information

Formerly known as NETIQKB53846