A few years ago, when I passed the age when I thought I might not live forever and started maturing (a little), I decided it would be a good idea to go see my doctor once a year for an annual checkup. It was paid for by insurance and there was just no good reason not to go. That first checkup (after many years of neglect, I might add) turned out OK.
After that first checkup, I got the annual appointment into my schedule and started going faithfully. Then, about 3 years ago, the doctor came back with a different response to my checkup. He saw some things that didn't look right and wanted to schedule some additional tests. To make a long story short, he found a blocked cardiac artery and we were able to deal with it well before the onset of a heart attack.
What, you ask, does this have to do with computer security on your iSeries-AS/400 system? Just this: You need to do a full system checkup at least once a year just to see if there are any surprises lurking. I have done dozens of these checkups over the years and I ALWAYS find something that needs attention. If you're responsible for system security, you need to do this, and the end of the year is a good time to be thinking about it. Nobody gets much work done during the last couple weeks of the year and it's a good time to go tinkering around in your system.
What should you include in your checkup? Here's a list of things to start with. It is by no means comprehensive but will get you started and lead you into the areas where you need to be concerned:
- Check the security settings in your system values using the Print System Security Attributes [PRTSYSSECA] command and reconcile differences on your system from the recommended settings.
- List the user profiles on your system and check for employees who have left the company or changed their job assignment.
- Create a database of your user profiles using the DSPUSRPRF command with the *OUTFILE option, then run a series of QRY/400 reports to search for expired passwords, profiles with *ALLOBJ authority, and so on as appropriate for your installation.
- Run the Security Wizard in the iSeries Navigator and check for any differences between your system and the suggested recommendations.
- Using the user profile database already created, list your user profiles by group to make sure that the groups are set up as you expect to see them.
- Create a database of all *FILE objects on your system using the DSPOBJD command with the *OUTFILE option. Then, using QRY/400, generate a report of new files created since your last audit and make sure security on those new objects complies with established policies.
- Run the Analyze Default Passwords [ANZDFTPWD] command to make sure no default passwords exist on your system.
- Check *FILE objects on your system with *PUBLIC access authority using the Print Publicly Auth Objects [PRTPUBAUT] command. Make sure the objects with public access all comply with established policies.
- Go to the SECTOOLS menu and see if any of the options available can be of specific help to your audit efforts.
- Review your backup process and offsite storage arrangements. Do a physical inspection of the offsite location and make sure you can quickly and easily identify and retrieve backup sets.
This is not a comprehensive list but it will get you started on the audit process. As you go through it, document both what you are doing and your findings. That way, when next year rolls around, you'll be better prepared for the process and you'll have a baseline to compare your results with. Good luck, and I hope you don't find any clogged arteries!
If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, N.Y. The company is a provider of various security products for the Series market.
