
@bdietz400 bdietz400/BadLogons.sql

Last active Apr 3, 2020
Show BADLOGON attempts
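-- category: bryan.dietz
-- description: Look for BADLOGONS
--
-- Lists failed sign-on / password-verification events (audit journal entry
-- type PW) recorded in QSYS/QAUDJRN over the last day, one row per event.
--
-- Prerequisites and caveats for whoever runs this:
--   * PW entries exist only if security auditing is active and authority
--     failures are being audited (QAUDLVL including *AUTFAIL); an empty
--     result can mean "not audited", not "no failures".
--   * '*CURAVLCHN' reads only the receivers still available on the system;
--     events in receivers that were already saved and deleted are not shown.
--   * User_Id is whatever was typed at the user prompt. People sometimes
--     type a password there by mistake, so treat the output as sensitive
--     and restrict who can run or export it.
SELECT
    Entry_Timestamp,
    CURRENT SERVER AS System_name,
    -- Qualified job that logged the failure: number/user/name
    Job_Number CONCAT '/' CONCAT RTRIM(Job_User) CONCAT '/' CONCAT RTRIM(Job_Name) AS Job_Name,
    RTRIM(Program_Library) CONCAT '/' CONCAT RTRIM(Program_Name) AS Program_Name,
    -- Bytes 2-11 of the entry-specific data hold the user name that was supplied
    RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) AS User_Id,
    Remote_Address,
    Remote_Port,
    -- Byte 1 of the entry-specific data is the violation type code
    CASE RTRIM(CAST(SUBSTR(Entry_Data, 1, 1) AS CHAR(1)))
        WHEN 'A' THEN 'APPC bind failure-(A)'
        WHEN 'C' THEN 'User authentication with CHKPWD failed-(C)'
        WHEN 'D' THEN 'Service tools user ID name not valid-(D)'
        WHEN 'E' THEN 'Service tools user ID password not valid-(E)'
        WHEN 'P' THEN 'Password not valid-(P)'
        WHEN 'Q' THEN 'User profile is disabled-(Q)'
        WHEN 'R' THEN 'User password was expired-(R)'
        WHEN 'S' THEN 'SQL Decryption password is not valid-(S)'
        WHEN 'U' THEN 'User name not valid-(U)'
        WHEN 'X' THEN 'Service tools user ID is disabled-(X)'
        WHEN 'Y' THEN 'Service tools user ID not valid-(Y)'
        WHEN 'Z' THEN 'Service tools user ID password not valid-(Z)'
        -- Without an ELSE an unmapped code would show as NULL and the raw
        -- code would be lost; surface it so new or unexpected types are
        -- visible to the reviewer instead of silently blank.
        ELSE 'Unmapped violation type-('
             CONCAT CAST(SUBSTR(Entry_Data, 1, 1) AS CHAR(1))
             CONCAT ')'
    END AS Violation_Type
FROM TABLE (
    Qsys2.Display_Journal(
        'QSYS', 'QAUDJRN',
        Starting_Receiver_Name => '*CURAVLCHN',
        Journal_Entry_Types => 'PW',
        Starting_Timestamp => CURRENT TIMESTAMP - 1 DAYS -- Time period
    )
) I
-- Optional: restrict to a single user name (replace the literal below)
-- WHERE RTRIM(CAST(SUBSTR(Entry_Data, 2, 10) AS VARCHAR(10))) = 'User_Name'
;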