System i security report roundup


Rich Loeber, Contributor
07.14.2008


This is the sixth and final chapter of the Ensuring security on i runbook. The runbook gives AS/400 users advice from security experts on how to advocate effectively for security in your organization, what to watch out for, and how to review your System i security to ensure it is working as well as it needs to.

As a security officer, you work hard to develop and maintain policies. You slave to get things set up just right and then put practices in place that will make sure new applications are implemented with security that adheres to your established policies. However, sometimes you have to take the time to go back over old ground to make sure that what you set up is still working and in place.

IBM has implemented a number of tools to help with this process. This tip will discuss two of these: the System Security Attributes report and the Print Private Authorities report.

The System Security Attributes report can be created on your system by running the Print System Security Attr (PRTSYSSECA) command. This will generate a small report that will collect security-related information from the system values and network attributes on your system. The report shows what your current settings are and how they compare to IBM's recommended settings.

With this report in hand, you should review all of the system values and network attributes to make sure that they are still set to the value that you expect based on your security policy. Then, for good measure, see how your settings compare to those that are recommended by IBM. For those settings where your implementation is stricter than IBM's recommendation, good for you. For those settings where your implementation is less strict, it would be good for you to review the reasons why you made that decision and document it. One day, a good security audit is going to see this difference and want an explanation.

The Print Private Authorities (PRTPVTAUT) command prints a series of reports, depending on the object type you want to check. The reports generated can be used to quickly scan to make sure that the proper private authorities are in place. I find that a scan of the report will quickly reveal object authorities that are incongruous within a library. I recently ran this on our in-house system on a library where I am particularly concerned about security and I found several objects that had been changed by an *ALLOBJ user (namely me) in a way that was inconsistent with our security policy. After familiarizing myself with the report, I found that I could scan for specific values to locate anomalies that needed attention.
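
One way to automate the scan for incongruous authorities described above, as an added example that is not part of the original tip. It assumes the authority entries have already been transcribed into simple tuples; the library, object and user names are constructed, and the tuple layout is a simplification, not the PRTPVTAUT report format.

```python
from collections import Counter, defaultdict

# Constructed sample entries: (library, object, type, user, authority).
# A simplified stand-in, not the PRTPVTAUT spooled-file layout.
SAMPLE_ROWS = [
    ("PAYLIB", "EMPMAST", "*FILE", "PAYGRP", "*CHANGE"),
    ("PAYLIB", "EMPMAST", "*FILE", "AUDITOR", "*USE"),
    ("PAYLIB", "PAYHIST", "*FILE", "PAYGRP", "*CHANGE"),
    ("PAYLIB", "PAYHIST", "*FILE", "AUDITOR", "*USE"),
    ("PAYLIB", "TAXTBL", "*FILE", "PAYGRP", "*CHANGE"),
    ("PAYLIB", "TAXTBL", "*FILE", "AUDITOR", "*USE"),
    ("PAYLIB", "BONUS", "*FILE", "PAYGRP", "*ALL"),
    ("PAYLIB", "BONUS", "*FILE", "JSMITH", "*ALL"),
]


def find_anomalies(rows):
    """Return (lib, obj, type, user, found, expected) for entries that
    differ from the majority authority profile of their library and type."""
    profiles = defaultdict(dict)  # (lib, type, obj) -> {user: authority}
    for lib, obj, otype, user, auth in rows:
        profiles[(lib, otype, obj)][user] = auth

    groups = defaultdict(list)  # (lib, type) -> one frozen profile per object
    for (lib, otype, _obj), prof in profiles.items():
        groups[(lib, otype)].append(frozenset(prof.items()))

    findings = []
    for lib, otype, obj in sorted(profiles):
        prof, peers = profiles[(lib, otype, obj)], groups[(lib, otype)]
        common, count = Counter(peers).most_common(1)[0]
        if count * 2 <= len(peers):
            continue  # no clear majority profile to compare against
        baseline = dict(common)
        for user in sorted(set(prof) | set(baseline)):
            found, expected = prof.get(user), baseline.get(user)
            if found != expected:  # None means the entry is absent
                findings.append((lib, obj, otype, user, found, expected))
    return findings


if __name__ == "__main__":
    for lib, obj, otype, user, found, expected in find_anomalies(SAMPLE_ROWS):
        print(f"{lib}/{obj} {otype} {user}: found {found}, library norm {expected}")
```

Each finding is only a candidate for review: an object may legitimately differ from its neighbors, in which case the reason belongs in the documented security policy.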

Using these two tools and others, you can do a complete review of your security implementation to make sure that what you initially set up is what is now in place. When you find situations where changes have been made, take the time to track down how things got changed and then take steps to make sure that it does not happen again. More often than not, I suspect that you will find that the *ALLOBJ authority user profiles on your system are to blame.

Ensuring security on i runbook:
Spreading the System i security message
Becoming a System i security officer
Six common System i security lapses
Is your AS/400 secure?: How a hacker could get valuable information from your system
System i security policy: Time for a check up

If you have any questions about anything included in this tip, you can reach me at rich@kisco.com. All email messages will be answered as quickly as possible.

ABOUT THE AUTHOR: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.

All Rights Reserved, Copyright 1999 - 2009, TechTarget