bdietz400/BadLogons.sql

## BadLogons.sql
-- category: bryan.dietz
-- description: Look for BADLOGONS

SELECT Entry_Timestamp, current server as System_name
       ,Job_Number CONCAT '/' CONCAT RTRIM(Job_User) CONCAT '/' CONCAT RTRIM(Job_Name) AS Job_Name
       ,RTRIM(Program_Library) CONCAT '/' CONCAT RTRIM(Program_Name) AS Program_Name
       ,RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) AS User_Id
       ,Remote_Address
       ,Remote_Port
       ,CASE RTRIM(CAST(SUBSTR(Entry_Data, 1, 1) AS CHAR(1)))
           WHEN 'A' THEN 'APPC bind failure-(A)'
           WHEN 'C' THEN 'User authentication with CHKPWD failed-(C)'
           WHEN 'D' THEN 'Service tools user ID name not valid-(D)'
           WHEN 'E' THEN 'Service tools user ID password not valid-(E)'
           WHEN 'P' THEN 'Password not valid-(P)'
           WHEN 'Q' THEN 'User profile is disabled-(Q)'
           WHEN 'R' THEN 'User password was expired-(R)'
           WHEN 'S' THEN 'SQL Decryption password is not valid-(S)'
           WHEN 'U' THEN 'User name not valid-(U)'
           WHEN 'X' THEN 'Service tools user ID is disabled-(X)'
           WHEN 'Y' THEN 'Service tools user ID not valid-(Y)'
           WHEN 'Z' THEN 'Service tools user ID password not valid-(Z)'
       END Violation_Type
    FROM TABLE (
            Qsys2.Display_Journal(
                'QSYS','QAUDJRN',
                Starting_Receiver_Name => '*CURAVLCHN', Journal_Entry_Types => 'PW',
                Starting_Timestamp => CURRENT TIMESTAMP - 1 days         -- Time period
            )
        ) I
   -- WHERE RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) = 'User_Name'
        ;
	-- category: bryan.dietz
	-- description: Look for BADLOGONS

	SELECT Entry_Timestamp, current server as System_name
	,Job_Number CONCAT '/' CONCAT RTRIM(Job_User) CONCAT '/' CONCAT RTRIM(Job_Name) AS Job_Name
	,RTRIM(Program_Library) CONCAT '/' CONCAT RTRIM(Program_Name) AS Program_Name
	,RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) AS User_Id
	,Remote_Address
	,Remote_Port
	,CASE RTRIM(CAST(SUBSTR(Entry_Data, 1, 1) AS CHAR(1)))
	WHEN 'A' THEN 'APPC bind failure-(A)'
	WHEN 'C' THEN 'User authentication with CHKPWD failed-(C)'
	WHEN 'D' THEN 'Service tools user ID name not valid-(D)'
	WHEN 'E' THEN 'Service tools user ID password not valid-(E)'
	WHEN 'P' THEN 'Password not valid-(P)'
	WHEN 'Q' THEN 'User profile is disabled-(Q)'
	WHEN 'R' THEN 'User password was expired-(R)'
	WHEN 'S' THEN 'SQL Decryption password is not valid-(S)'
	WHEN 'U' THEN 'User name not valid-(U)'
	WHEN 'X' THEN 'Service tools user ID is disabled-(X)'
	WHEN 'Y' THEN 'Service tools user ID not valid-(Y)'
	WHEN 'Z' THEN 'Service tools user ID password not valid-(Z)'
	END Violation_Type
	FROM TABLE (
	Qsys2.Display_Journal(
	'QSYS','QAUDJRN',
	Starting_Receiver_Name => '*CURAVLCHN', Journal_Entry_Types => 'PW',
	Starting_Timestamp => CURRENT TIMESTAMP - 1 days -- Time period
	)
	) I
	-- WHERE RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) = 'User_Name'
	;