System iNetwork Head Nav Subscribe Log In Contact Us Advertise User login Username: * Password: * Request new password

Search Primary links Forums Archives Code Blogs Podcasts Webcasts e-Learning Guides Newsletters About Us Contact Us About the Network Tech Editor Profiles Editorial Calendar Writers Kit Advertise Join Network Categories RPG Programming Other Languages Application Development Database/SQL Availability Security Systems Management Networking IT Mgmt/Careers Site Links Solutions Store Events UK Centre Jobs System iPortal Home Content Who Removed My Registered Exit Program? Article ID: 57586Posted December 17th, 2008 in Systems Management By:Dan Riehl I have heard the question many times: "Who removed my exit program?" Or, "Where did my REXEC and MSF registered exit points go?" If you have created the QAUDJRN journal and have set the related System Values c orrectly, you have an audit trail of all changes that have been made to your exi t point registry. There are two auditing methods you can use to collect informat ion about exit point registry changes. You can use Object Auditing and/or Event Auditing. In this case, I think you will find that Event Auditing is the preferr ed method, especially if you are using a high availability solution in which mos t objects are audited. But, I'll present both methods and you can choose which o ne you like. You may prefer to use both, which is what I recommend. Auditing the Object The exit Point registry is stored in the object QUSEXRGOBJ in library QUSRSYS. T he object type is *EXITRG. In order to start auditing the object, you first need to ensure that the QAUDCTL system value includes the value *OBJAUD. You can then start auditing changes to

the registry object using the following command: CHGOBJAUD OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(*EXITRG) OBJAUD(*CHANGE)When someone c hanges the registry, a ZC (Object Changed) journal entry is written to QAUDJRN, indicating that the QUSEXRGOBJ object was changed. Additional information provid ed in the ZC journal entry includes information such as User Name, Current User Name, Job Name, Program used, Date, Time, etc. The operations that are audited for the QUSEXRGOBJ object are ADDEXITPGM Add Exit Program CL Command QUSADDEP Add Exit Program API QusAddExitProgram Add Exit Program API QUSDRGPT Unregister Exit Point API QusDeregisterExitPoint Unregister Exit Point API QUSRGPT Register Exit Point API QusRegisterExitPoint Register Exit Point API QUSRMVEP Remove Exit Program API QusRemoveExitProgram Remove Exit Program API RMVEXITPGM Remove Exit Program CL Command WRKREGINF Work with Registration InformationCL Command To review all ZC entries, you can use your favorite QAUDJRN reporting method. In 5.4, IBM provides the command CPYAUDJRNE(Copy Audit Journal Entries), which is pretty goo d. And here's the command you can use to extract the ZC entries into a formatted output file: CPYAUDJRNE ENTTYP(ZC) OUTFILE(MYLIB/QAUDIT)This will create a file QAUDITZC in l ibrary MYLIB. The columns in the output file are specific to the ZC journal entr y type. So, to list the ZC entries, you can use the command: RUNQRY *N MYLIB/QAUDITZCAuditing a change to the Exit Point Registry To audit security configuration events, like a change to the Exit Point Registry , set the system value QAUDCTL to include the value *AUDLVL, and include the val ue *SECCFG or *SECURITY in the QAUDLVL, or QAUDLVL2, system value. If this is done and someone or some process manipulates the Exit Point Registry, a journal entry is written to the QAUDJRN journal receiver. The journal entry t ype is GR (Generic Record). As of 6.1, all GR entries are related to the Exit Po int Registry. You can review the GR entries just like the ZC entries. Here's the command you c an use to extract the GR entries into a formatted output file: CPYAUDJRNE ENTTYP(GR) OUTFILE(MYLIB/QAUDIT)This will create a file QAUDITGR in l ibrary MYLIB. The columns in the output file are specific to the GR journal entr y type, so to list the GR entries, you can use RUNQRY *N MYLIB/QAUDITGRThe information provided includes the function performed , User Name, Current User Name, Job Name, Program Used, Date, Time, etc. Bookmark/Search this post with: Login to post comments Email this page Printer-friendly version Related Links *SAVSYS Special Authority Are You at Risk? The Keys to Tape Encryption Killer Club Tech Bounce Back: Resilient Business Computing Encryption Enhancements: Now Playing in V5R4 ProVIP Sponsors

ProVIP Sponsors Featured LinksSponsored Links Footer Site Links Home Subscribe Now Advertise Contact Us Feedback Terms & Conditions Trademarks P rivacy Policy Copyright Penton Media