7/27/2019 Who Removed My Registered Exit Program

1/3

System iNetwork Head NavSubscribe Log In Contact Us AdvertiseUser loginUsername: *Password: *

Request new passwordSearch

Primary linksForums Archives Code Blogs Podcasts Webcasts e-Learning Guides Newsletters AboutUs Contact Us About the Network Tech Editor Profiles Editorial Calendar WritersKit Advertise Join Network

CategoriesRPG ProgrammingOther LanguagesApplication DevelopmentDatabase/SQLAvailabilitySecurity

Systems ManagementNetworkingIT Mgmt/CareersSite LinksSolutionsStoreEventsUK CentreJobs

System iPortal Home ContentWho Removed My Registered Exit Program?Article ID: 57586Posted December 17th, 2008 in Systems ManagementBy:Dan RiehlI have heard the question many times: "Who removed my exit program?" Or, "Wheredid my REXEC and MSF registered exit points go?"

If you have created the QAUDJRN journal and have set the related System Values correctly, you have an audit trail of all changes that have been made to your exit point registry. There are two auditing methods you can use to collect information about exit point registry changes. You can use Object Auditing and/or EventAuditing. In this case, I think you will find that Event Auditing is the preferr

ed method, especially if you are using a high availability solution in which most objects are audited. But, I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I recommend.

Auditing the ObjectThe exit Point registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is *EXITRG.

In order to start auditing the object, you first need to ensure that the QAUDCTLsystem value includes the value *OBJAUD. You can then start auditing changes to

7/27/2019 Who Removed My Registered Exit Program

2/3

the registry object using the following command:

CHGOBJAUD OBJ(QUSRSYS/QUSEXRGOBJ) OBJTYPE(*EXITRG) OBJAUD(*CHANGE)When someone changes the registry, a ZC (Object Changed) journal entry is written to QAUDJRN,indicating that the QUSEXRGOBJ object was changed. Additional information provided in the ZC journal entry includes information such as User Name, Current UserName, Job Name, Program used, Date, Time, etc.

The operations that are audited for the QUSEXRGOBJ object are

ADDEXITPGM Add Exit Program CL CommandQUSADDEP Add Exit Program APIQusAddExitProgram Add Exit Program APIQUSDRGPT Unregister Exit Point APIQusDeregisterExitPoint Unregister Exit Point APIQUSRGPT Register Exit Point APIQusRegisterExitPoint Register Exit Point APIQUSRMVEP Remove Exit Program APIQusRemoveExitProgram Remove Exit Program APIRMVEXITPGM Remove Exit Program CL CommandWRKREGINF Work with Registration InformationCL Command To reviewall ZC entries, you can use your favorite QAUDJRN reporting method. In 5.4, IBMprovides the command CPYAUDJRNE(Copy Audit Journal Entries), which is pretty good. And here's the command you can use to extract the ZC entries into a formatted

output file:

CPYAUDJRNE ENTTYP(ZC) OUTFILE(MYLIB/QAUDIT)This will create a file QAUDITZC in library MYLIB. The columns in the output file are specific to the ZC journal entry type. So, to list the ZC entries, you can use the command:

RUNQRY *N MYLIB/QAUDITZCAuditing a change to the Exit Point RegistryTo audit security configuration events, like a change to the Exit Point Registry, set the system value QAUDCTL to include the value *AUDLVL, and include the value *SECCFG or *SECURITY in the QAUDLVL, or QAUDLVL2, system value.

If this is done and someone or some process manipulates the Exit Point Registry,a journal entry is written to the QAUDJRN journal receiver. The journal entry t

ype is GR (Generic Record). As of 6.1, all GR entries are related to the Exit Point Registry.

You can review the GR entries just like the ZC entries. Here's the command you can use to extract the GR entries into a formatted output file:

CPYAUDJRNE ENTTYP(GR) OUTFILE(MYLIB/QAUDIT)This will create a file QAUDITGR in library MYLIB. The columns in the output file are specific to the GR journal entry type, so to list the GR entries, you can use

RUNQRY *N MYLIB/QAUDITGRThe information provided includes the function performed, User Name, Current User Name, Job Name, Program Used, Date, Time, etc.

Bookmark/Search this post with:Login to post comments Email this page Printer-friendly version Related

Links*SAVSYS Special Authority Are You at Risk?The Keys to Tape EncryptionKiller Club TechBounce Back: Resilient Business ComputingEncryption Enhancements: Now Playing in V5R4

ProVIP Sponsors

7/27/2019 Who Removed My Registered Exit Program

3/3

ProVIP Sponsors

Featured LinksSponsored LinksFooter Site LinksHome Subscribe Now Advertise Contact Us Feedback Terms & Conditions Trademarks Privacy Policy Copyright Penton Media