System i security report round-up


Rich Loeber, Contributor
07.14.2008
This is the sixth and final chapter of the Ensuring security on i runbook. The runbook gives AS/400 users advice from System i security experts on how to advocate effectively for security in your organization, what to watch out for, and how to review your System i security situation to ensure it is working as well as it needs to be.

As a security officer, you work hard to develop and maintain policies. You slave to get things set up just right and then put practices in place that will make sure new applications are implemented with security that adheres to your established policies. However, sometimes you have to take the time to go back over old ground to make sure that what you set up is still working and in place.

IBM has implemented a number of tools to help with this process. This tip will discuss two of these: the System Security Attributes report and the Print Private Authorities report.

The System Security Attributes report can be created on your system by running the Print System Security Attr (PRTSYSSECA) command. This will generate a small report that will collect security-related information from the system values and network attributes on your system. The report shows what your current settings are and how they compare to IBM's recommended settings.

With this report in hand, you should review all of the system values and network attributes to make sure that they are still set to the value that you expect based on your security policy. Then, for good measure, see how your settings compare to those that are recommended by IBM. For those settings where your implementation is stricter than IBM's recommendation, good for you. For those settings where your implementation is less strict, it would be good for you to review the reasons why you made that decision and document it. One day, a good security audit is going to see this difference and want an explanation.

The Print Private Authorities (PRTPVTAUT) command prints a series of reports, depending on the object type you want to check. The reports generated can be scanned quickly to make sure that the proper private authorities are in place. I find that a scan of the report will quickly reveal object authorities that are incongruous within a library. I recently ran this on our in-house system on a library where I am particularly concerned about security and I found several objects that had been changed by an *ALLOBJ user (namely me) in a way that was inconsistent with our security policy. After familiarizing myself with the report, I found that I could scan for specific values to locate anomalies that needed attention.
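One way to automate the scan for incongruous authorities described above, as an added example that is not part of the original tip. It assumes the report has already been reduced to five whitespace-separated columns; the library, object and user names are constructed, and the layout is not the real PRTPVTAUT spool format.

```python
from collections import Counter, defaultdict

# Constructed sample: one row per private authority, reduced to
# library, object, type, user, authority. NOT the real spool layout;
# adapt parse_rows() to the columns of the report you actually print.
SAMPLE = """\
PAYLIB  EMPMAST  *FILE  PAYGRP    *CHANGE
PAYLIB  EMPMAST  *FILE  PAYCLERK  *USE
PAYLIB  PAYHIST  *FILE  PAYGRP    *CHANGE
PAYLIB  PAYHIST  *FILE  PAYCLERK  *USE
PAYLIB  TAXTBL   *FILE  PAYGRP    *CHANGE
PAYLIB  TAXTBL   *FILE  PAYCLERK  *USE
PAYLIB  BONUS    *FILE  PAYGRP    *CHANGE
PAYLIB  BONUS    *FILE  PAYCLERK  *CHANGE
PAYLIB  BONUS    *FILE  JSMITH    *ALL
"""

def parse_rows(text):
    """Yield (library, object, type, user, authority) tuples."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5:
            yield tuple(fields)

def find_incongruous(rows):
    """Flag objects whose authority set differs from the library's norm.

    The norm for a (library, type) group is the most common set of
    (user, authority) pairs; any object with a different set is reported
    with the entries it adds or lacks relative to that norm.
    """
    per_object = defaultdict(set)
    for lib, obj, typ, user, aut in rows:
        per_object[(lib, typ, obj)].add((user, aut))
    groups = defaultdict(dict)
    for (lib, typ, obj), auts in per_object.items():
        groups[(lib, typ)][obj] = frozenset(auts)
    findings = []
    for (lib, typ), objs in sorted(groups.items()):
        norm, _ = Counter(objs.values()).most_common(1)[0]
        for obj, auts in sorted(objs.items()):
            if auts != norm:
                findings.append({"library": lib, "object": obj, "type": typ,
                                 "extra": sorted(auts - norm),
                                 "missing": sorted(norm - auts)})
    return findings

if __name__ == "__main__":
    for finding in find_incongruous(parse_rows(SAMPLE)):
        print(finding)
```

The majority pattern is only a starting point: where the security policy defines the expected authorities for a library, compare against that instead of the inferred norm.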

Using these two tools and others, you can do a complete review of your security implementation to make sure that what you initially set up is what is now in place. When you find situations where changes have been made, take the time to track down how things got changed and then take steps to make sure that it does not happen again. More often than not, I suspect that you will find that the *ALLOBJ authority user profiles on your system are to blame.
Ensuring security on i runbook
Spreading the System i security message
Becoming a System i security officer
Six common System i security lapses
Is your AS/400 secure?: How a hacker could get valuable information from your system
System i security policy: Time for a check up

If you have any questions about anything included in this tip, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
