| | | | |

Moving from QSECURITY Level 30 to 40- Moving to a Higher Security Level

At security level 40, the operating system prevents certain actions from being taken. Examples include calling an operating system program directly, accessing an internal control block, and using a job description that names a user profile in which the caller doesn’t have authority to the named profile. The good news is that, while not prevented at security level 20 or 30, these actions are logged into the audit journal as AF (authority failure) entries. This allows us to determine whether there are any issues prior to going to level 40. If you like to live on the wild side, you can most certainly move QSECURITY to 40 and IPL without doing any investigation! But should you run into issues, it’s a hard stop. In other words, your program will fail with a function check, and there’s no getting around the error. You must fix it to continue—that, or IPL back to level 30. I prefer to be a bit more cautious, especially when it comes to production systems, so I always check the audit journal prior to the IPL.

Audit to Determine Whether There Are Issues Prior to Moving to Level 40

Determining whether there are issues that need to be resolved prior to going to level 40 is quite easy. It’s a matter of adding *AUTFAIL and *PGMFAIL to the QAUDLVL system value and making sure *AUDLVL has been specified in QAUDCTL. Then it’s simply a matter of looking for AF audit journal entries. But not all AF entries. Believe it or not, we don’t care if there are AF subtype A entries. Those failures indicate someone didn’t have authority to an object. Nor do we care about AF subtype K entries. Those failures indicate the profile attempting an action didn’t have the required special authority. For this investigation, we are only interested in the subtypes that are specific to level 40. (The subtype is the first character of the entry-specific part of the AF audit journal entry.) The subtypes we need to look for are C, D, J, R, and S. All of these indicate actions that will cause a failure at level 40.

Examining the audit journal for these entries isn’t hard. If you’re using Copy Audit Journal Entries (CPYAUDJRNE), your commands will look like this:

But I prefer a more modern approach. AF is one of the types provided as an SQL table function, so I recommend that you open up ACS, click on Run SQL Scripts, and run this:

Note that I’ve included two fields that are not available when using the CPYAUDJRNE method: qualified_job_name and violation_type_detail. I find the latter to be very useful when explaining these entries to my clients. I think you’ll find them useful too. See Figure 3.1.

Figure 3.1: Some fields are available using the SQL table but not CPYAUDJRNE.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *