Who Change the OUTQ on a User Profile

Kim, It is restricted but the packages on the system have their own internal security. When you modify a user set up internal to the products it can in turn modify the user profile. I am trying to find where there may be wholes in the security and plug them. To do this I need to find out who and/or what is changing the output queue option on the User Profile.

Who Change the OUTQ on a User Profile

Glen, Here is a CL program that may help. It is a Retrieve Command exit program that will write the full command to the AUDIT message queue in the QUSRSYS library. To use it you will need to create the message queue and then register the exit program for the command you wish to audit. This will even audit the command when it is used from within a CL program, a menu, or a work with panel. One command you should never register this exit program for is the SNDPGMMSG command. Doing that might cause recursion. From the message on the AUDIT message queue you will be able to determine the job name that used the command and the time. Using a message queue for auditing in inferior to using the security audit journal for several reasons. The biggest reason is that an authorized user can remove individual audit entries from the message queue. One more thing. If you are on a V5R2 or earlier system you may need to change the LEN(32000) to LEN(9999). Doing this will reduce the size of the command that you can audit, but is probably still sufficient for most cases. Note: In case anyone is wondering, when this exit program is registered for the CHGUSRPRF command and someone uses that command to change their password, the password parameter sent to the message queue will look like this: PASSWORD(). I hope this helps. Ed Fishel

---

Code

Who Change the OUTQ on a User Profile

If the program is using an API, you can capture it if you register a program with the Change User Profile Exit Point, QIBM_QSY_CHG_PROFILE. That'll work when the CHGUSRPRF command is used too. Not sure where you'd go from there -- it still doesn't appear to show what is being changed in the profile.

Who Change the OUTQ on a User Profile

This will work fine. It also allows me to learn a little about exit programs. I haven't had the opertunity to get involved with them. Thank you very much

Who Change the OUTQ on a User Profile

I have an interesting task. I need to find out what is changing the outq on our User Profiles. This is a critical issue for us. I've check the Audit Journal but it doesn't show what really was changed. Is there anything in the system that will give me this information. TIA

Who Change the OUTQ on a User Profile

Glen, If you are going use the exit program as written you will need make sure everyone is authorized to send messages to the message queue. There are two ways to do that. The first is to grant *OBJOPR plus *ADD authority to USER(*PUBLIC). A more secure way to do this would be to change the program to adopt its owners authority and have the message queue and program owned by the same user profile. Today I learned that the SNDPGMMSG limits the length of the message to 512 bytes of information. This means that an "audited" CHGUSRPRF command with all parameters specified will be truncated on the message queue. You may be able to learn a little more about exit programs by converting the sample CL program to a C or RPG program and then sending the "audited" command to a file or journal object. This would give you the opportunity to fix the 512 byte limitation. One of the nice things about using C or RPG is that includes are provided so that you do not need to hard code the offsets like I did in CL. Ed Fishel