IBMi (AS400) fans only - How to Sniff User Access

By -

If you need to monitor user access on your IBM i system, you can use SQL to query the history log.

Note: At the end of this post, you'll find a request directly addressed to you, the readers.



Here’s a simple example of how you can do this:



message_id IN ('CPF1164', 'CPF1124')



SELECT MESSAGE_ID,
       MESSAGE_TIMESTAMP,
       FROM_USER,
       MESSAGE_TEXT
    FROM TABLE (
            QSYS2.HISTORY_LOG_INFO()
        )
    WHERE message_id IN ('CPF1164', 'CPF1124')
          AND FROM_USER IN ('QSECOFR', 'QSYS', 'QSYSOPR')
    ORDER BY MESSAGE_TIMESTAMP



In this query:

- QSYS2.HISTORY_LOG_INFO(): This function retrieves information from the history log.

-  message_id IN ('CPF1164', 'CPF1124') : Filters the results to include only specific message IDs, which indicate sign-on and sign-off events.

- FROM_USER in ('QSECOFR', 'QSYS', 'QSYSOPR'): Filters the results to include only messages from specific users.



Update 28/07/2024: A Smart Enhancement

Thanks to my reader Greg, we can make an intelligent enhancement to our query. By refining the list of users to those with specific administrative permissions, we ensure more accurate monitoring.



Here’s the improved query:

SELECT MESSAGE_ID,
       MESSAGE_TIMESTAMP,
       FROM_USER,
       MESSAGE_TEXT
    FROM TABLE (
            QSYS2.HISTORY_LOG_INFO()
        )

    WHERE message_id IN ('CPF1164', 'CPF1124')
          AND FROM_USER IN (SELECT user_name
                  FROM QSYS2.USER_INFO_BASIC
                  WHERE POSSTR(special_authorities, '*ALLOBJ') > 0
                        OR POSSTR(special_authorities, '*SECADM') > 0
                        OR POSSTR(special_authorities, '*IOSYSCFG') >0)
    ORDER BY MESSAGE_TIMESTAMP

This adjustment filters the users to only those with the administrative permissions *ALLOBJ, *SECADM, and *IOSYSCFG.
Thank you Greg.


Update 30/07/2024: Another Smart Enhancement (Improved Performance with JOIN)

A reader suggested an enhancement to the original query for better performance. Instead of using the "IN" operator, we can join the tables. This approach has been tested and proven to return results faster. Below is the updated SQL query:


SELECT history.MESSAGE_ID,
       history.MESSAGE_TIMESTAMP,
       history.FROM_USER,
       history.MESSAGE_TEXT

    FROM TABLE (
             QSYS2.HISTORY_LOG_INFO()
         ) history

         JOIN QSYS2.USER_INFO_BASIC usrInf
             ON history.FROM_USER = usrInf.USER_NAME
    WHERE history.MESSAGE_ID IN ('CPF1164', 'CPF1124')
          AND (POSSTR(usrInf.SPECIAL_AUTHORITIES, '*ALLOBJ') > 0
              OR POSSTR(usrInf.SPECIAL_AUTHORITIES, '*SECADM') > 0
              OR POSSTR(usrInf.SPECIAL_AUTHORITIES, '*IOSYSCFG') > 0)
    ORDER BY history.MESSAGE_TIMESTAMP;


This query helps you track the login and logout activities of critical system users.


Try running this on your system and see the results.



Starting from the suggested SQL, you can derive countless pieces of information thanks to the QSYS2.HISTORY_LOG_INFO() function - Utilize it as you see fit.

Monitoring Failed Login Attempts

Another important aspect to monitor is failed login attempts. Use the following SQL statements to create a view and retrieve the users who have unsuccessfully attempted to log in.


Create a View for User Information:


CREATE OR REPLACE VIEW yourLib/USR_LIST
AS SELECT *                          
     FROM QSYS2.USER_INFO;

Retrieve Users with Failed Login Attempts


SELECT *
FROM yourLib/USR_LIST
WHERE SIGN_ON_ATTEMPTS_NOT_VALID > 0
ORDER BY SIGN_ON_ATTEMPTS_NOT_VALID DESC;




SIGN_ON_ATTEMPTS_NOT_VALID

This will list users who have attempted to log in unsuccessfully, ordered by the number of invalid sign-on attempts.



Feel free to comment below if you have any questions or suggestions.

I appreciate all the comments made on this blog.

If any of you readers are aware of a way through the OS400 operating system to 'sniff' or monitor access by users with administrative permissions such as QSECOFR, QSYS, QSYSOPR, QPGMR and could share the solution here, it would be greatly appreciated.




Comments

  1. UnknownJuly 25, 2024 at 5:19 PM

    It's been a long while since I was told this, so I don't remember who told me, but, supposedly, creating your own views on a QSYS2 table is not advised. I dunno if it has to do with the QSYS2 table being replaced when the OS is upgraded? And if the upgrade can't replace it because there is a user view on it, the upgrade fails?

    ReplyDelete
    Replies
    1. Aldo SUCCIJuly 26, 2024 at 2:49 PM

      You are right! To avoid such problems, it is generally recommended to create custom views and tables in QTEMP library, or ensure that you delete custom views and tables after the job is done. This practice helps prevent conflicts during system updates and maintains better control over custom objects.

      Thank you for bringing this up!

      Delete
  2. Greg ThielenJuly 28, 2024 at 6:32 PM

    To qualify the list to users that have "administrative permissions", you can replace your clause AND FROM_USER IN ('QSECOFR', 'QSYS', 'QSYSOPR')
    with
    AND FROM_USER in (
    select user_name
    from USER_INFO_BASIC
    where posstr(special_authorities, '*ALLOBJ') > 0
    or posstr(special_authorities, '*SECADM') > 0
    or posstr(special_authorities, '*IOSYSCFG') > 0
    )

    ReplyDelete
    Replies
    1. Aldo SUCCIJuly 29, 2024 at 10:22 AM

      Hi Greg,

      I have updated my blog post to include your enhancement, ensuring that other readers can benefit from your expertise as well.

      Thanks for your valuable contribution. It is greatly appreciated!

      Delete
  3. Greg ThielenJuly 28, 2024 at 6:36 PM

    In order to select users with "administrative permissions", you can replace the clause
    AND FROM_USER IN ('QSECOFR', 'QSYS', 'QSYSOPR')
    with
    AND FROM_USER IN (
    select user_name
    from USER_INFO_BASIC
    where posstr(special_authorities, '*ALLOBJ') > 0
    or posstr(special_authorities, '*SECADM') > 0
    or posstr(special_authorities, '*IOSYSCFG') > 0
    )

    ReplyDelete
    Replies
    1. Aldo SUCCIJuly 29, 2024 at 10:23 AM

      Hi Greg,

      I have updated my blog post to include your enhancement, ensuring that other readers can benefit from your expertise as well.

      Thanks for your valuable contribution. It is greatly appreciated!

      Delete
  4. AnonymousJuly 30, 2024 at 4:11 PM

    Using an "IN" operating instead of a join will be a performance hit. Trying joining the two tables on the FROM_USER and the associated user_name column in the 2nd table. I think you'll see that it returns much faster.

    ReplyDelete
    Replies
    1. Aldo SUCCIJuly 30, 2024 at 4:36 PM

      Thank you for your insightful suggestion! Implementing a join instead of an "IN" operator has indeed improved the performance of the query significantly.

      I have updated my blog post to include your enhancement, ensuring that other readers can benefit from your expertise as well.

      Your advice is greatly appreciated!

      Delete
  5. M. MayerAugust 26, 2024 at 5:28 PM

    Nice SQL's. I would suggest that wherever the "user_info_basic" line is displayed, it has to be qualified with qsys2 like this "qsys2.user_info_basic". I had to do that to get a couple of these to run.

    ReplyDelete
    Replies
    1. Aldo SUCCIAugust 27, 2024 at 11:12 AM

      Thank you so much for the feedback, M. Mayer! I appreciate your suggestion to qualify the "USER_INFO_BASIC" table with "QSYS2". It's a great point, and I'll be sure to update the SQL examples to reflect this improvement. Your input helps ensure that the queries run smoothly for everyone. Thanks again!

      Delete
  6. M. MayerAugust 26, 2024 at 5:32 PM

    Where "USER_INFO_BASIC" is listed on the SQL's, qualifiy it with QSYS2. "QSYS2.USER_INFO_BASIC"

    ReplyDelete
    Replies
    1. Aldo SUCCIAugust 27, 2024 at 11:12 AM

      Thank you so much for the feedback, M. Mayer! I appreciate your suggestion to qualify the "USER_INFO_BASIC" table with "QSYS2". It's a great point, and I'll be sure to update the SQL examples to reflect this improvement. Your input helps ensure that the queries run smoothly for everyone. Thanks again!

      Delete

Post a Comment

Popular posts from this blog

IBMi (AS400) fans only ' Efficient WRKSPLF with WSF - How to Search string into spooled files, Sort, and Generate PDFs on IBMi

By -
Image
Searching Spooled Files Made Easy: A Unique Solution Managing spooled files efficiently is crucial for users dealing with numerous rows of print data. IBM's WRKSPLF command provides a standard way to interact with spooled files, but it lacks certain features that can significantly enhance user experience. In this article, we'll delve into a powerful functionality that IBM doesn't offer — the ability to search among spooled file lists. Our goal is to highlight the advantages of this capability and introduce a practical solution. The Limitations of Standard WRKSPLF While the WRKSPLF command is a handy tool for working with spooled files, it falls short in certain aspects. One prominent limitation is the inability to search efficiently through the list of spooled file rows. Users often find it challenging to quickly locate specific files based on criteria like creation date, status, or content. Introducing a Unique Solution: WSF (WorkSpooledFiles) To address the limitations of
Read more

IBMi (AS400) fans only ' Detecting and Handling Non-Printable Characters in DB2 SQL Using LOCATE() and REPLACE() Functions

By -
Image
When working with DB2 SQL on the IBMi platform, one of the challenges we might encounter is dealing with non-printable characters in our data. These are characters that don't have a direct representation on a standard keyboard and can cause display programs to crash if not handled properly. For this example, we'll be working with the CLANA00F file, which contains customer data. You can find details on how to create this file on my blog post here . Non-printable characters can sneak into our records for various reasons, and to prevent issues, we can run an SQL query that uses the LOCATE() function. This function returns the position of the first occurrence of a substring within a string, allowing us to detect these problematic characters. Suppose we have a customer name with a non-printable character, specifically the EBCDIC '0D' character, which corresponds to the "Carriage Return" (CR) control character in ASCII. To find this character in our records, we can
Read more