An annual system security checkup for the AS/400 is recommended, and the holiday season is a good time of year to get it done. Rich Loeber provides a series of steps you should take to ensure that your IBM i is secure as you head into the new year. (This tip has been updated from a previous version published here in 2004).
A few years ago, when I started maturing (a little), I decided that it would be a good idea to go see my doctor once a year for an annual checkup. It was paid for by insurance and there was just no good reason not to go. That first checkup (after many years of neglect, I might add) turned out OK. The doctor told me a few things that I already knew (loose weight, get more exercise) and generally thought that I was doing OK.
After that initial checkup, I worked the annual appointment into my schedule and started going faithfully. Then, about six years ago, the doctor at our new home in the mountains of northern New York came back with a different response to my checkup. He saw some things that didn't look right and wanted to schedule some tests. To make a long story short, he found a blocked cardiac artery and we were able to deal with it well before the onset of a heart attack.
What, you ask, does this have to do with computer security on your IBM System i? Just this: You need to do a full system security checkup at least once a year just to see if there are any surprises. I have done dozens of these checkups over the years on systems under my responsibility and I always find something that needs attention. If you're responsible for system security, you need to do this, and year-end is a good time to be thinking about it. Nobody gets much work done during the last couple of weeks of the year and it's a good time to go tinkering around in your system.
So, what should you include in your checkup? Here's a list of things to start with. It is by no means comprehensive but will probably get you started and lead you into the areas where you need to be concerned:
- Check the security settings in your system values using the Print System Security Attributes [PRTSYSSECA] command and reconcile differences on your system from the recommended settings. Alternatively, you can run the Security Wizard in the iSeries Navigator and check for differences on your system from the recommendations suggested.
- List the user profiles on your system and check for employees who have left or changed their job assignment.
- Create a database of your user profiles using the DSPUSRPRF command with the *OUTFILE option, then run a series of query reports to search for expired passwords, profiles with *ALLOBJ authority, and so on as appropriate for your installation.
- For all user profiles that have *ALLOBJ authority, run the PRTADPOBJ (Print Adopting Objects) command to see what objects on your system adopt the all object authority for each. See if you find any surprises and make a good case for each situation you find. Don't leave out the QSECOFR profile.
- Using the user profile database already created, list your user profiles by group to make sure that the groups are set up as you expect to see them.
- Create a database of all *FILE objects on your system using the DSPOBJD command with the *OUTFILE option. Then generate a query report of new files created since your last audit and make sure that security on these new objects complies with established policies.
- Run the Analyze Default Passwords [ANZDFTPWD] command to make sure that no default passwords exist on your system.
- Check *FILE objects on your system with *PUBLIC access authority using the Print Publicly Auth Objects [PRTPUBAUT] command. Make sure that the objects with public access all comply with established policies.
- Using the WRKAUTL (Work with Authorization Lists) command, identify all of the user authorization lists on your system and make sure that the users registered to each list are what you would expect to find.
- Go to the SECTOOLS menu and see if any of the options available can be of specific help to your audit efforts.
- Review your backup process and offsite storage arrangements. Do a physical inspection of the offsite location and make sure you can quickly and easily identify and retrieve backup sets.
Due to space constraints, this is not a comprehensive list but is intended to get you started on the audit process. As you go through it, document both what you are doing and your findings. That way, when next year end rolls around, you'll be better prepared for the process and you'll have a baseline to compare your results with. Good luck, and I hope you don't find any clogged arteries!
If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All email messages will be answered. If you have items on your annual checkup list that I've left out, let me know so I can add them to my list too.
ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc., in Saranac Lake, N.Y. The company is a provider of various security products for the Series market.
