Nothing supports the popularity of the iSeries-AS/400 machine as much as the number of customers with multiple systems installed. For security officers, it can easily mean a lot of extra work keeping each system configured and set up for company security policies.
While this can be a complex task, IBM has provided a little-known capability in OS/400 for quite a while now that can help you enforce standard security configuration rules across separate systems. This is done through the CFGSYSSEC (Configure System Security) command. This command, which has no parameters, calls a CL program named QSECCFGS in the QSYS library. That program sets about 25 security-related system values to standard settings recommended by IBM.
The good news for the security officer with multiple systems to control is that this CL program can be changed to meet your unique setup requirements. The base program as shipped with OS/400 can be retrieved and then modified for your unique needs (not unlike the way the system startup program QSTRUPPGM works).
To retrieve the CL program, just run the following command on your system:
RTVCLSRC PGM(QSYS/QSECCFGS) SRCFILE(mylib/QCLSRC)
This will place a source member in your QCLSRC source physical file named QSECCFGS. To be on the safe side, you should probably rename this, and, when you recompile it, place the new compiled program into QUSRSYS. Once that is done, just change the OS/400 CFGSYSSEC command to run the modified program from QUSRSYS with the following command:
CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QUSRSYS/myseccfgs)
When you review the CL program source that has been retrieved, there is some housekeeping that takes place early in the program, but then you will find a program tag named SKIPUIM:. You can review the settings imposed by the program from this point forward to see how IBM recommends your security be set up, and make changes that will implement standard security settings for your own requirements.
To implement the standard security setup across your multiple-system environment, simply install your custom setup program on each system in your network and modify the CFGSYSSEC command on each system to call your modified program in place of the IBM default program. To guard against possible changes being made to the setup, you can even add this to your automatic schedule to run on a weekly or even daily basis to keep these settings enforced. The retrieved CL program is a little tough to read, but perseverance will prevail. I have taken the program from my V4R5 test machine here and updated it with comments to make it easier to see what is going on. If you'd like a copy of this annotated version of the CL program, just drop me a line at "email@example.com" and I'll send you a copy of the source code.
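As an added illustration of the procedure above (not IBM's shipped QSECCFGS source and not the author's annotated copy), here is what a hypothetical replacement program MYSECCFGS in QUSRSYS might look like. The system value settings are illustrative policy choices, the MYLIB source library and SECCFG job name are assumptions, and the drift check before the SKIPUIM: section is an addition so that a scheduled run also tells the operator when a value had been changed.

```cl
/* MYSECCFGS: hypothetical custom replacement for QSYS/QSECCFGS.   */
/* Added example, not IBM's shipped program; the values below are  */
/* illustrative policy choices, not IBM's recommended settings.    */
/* Compile:  CRTCLPGM PGM(QUSRSYS/MYSECCFGS) SRCFILE(MYLIB/QCLSRC) */
/* Hook in:  CHGCMD CMD(QSYS/CFGSYSSEC) PGM(QUSRSYS/MYSECCFGS)     */
/* Schedule: ADDJOBSCDE JOB(SECCFG) CMD(CFGSYSSEC) FRQ(*WEEKLY)    */
/*             SCDDAY(*MON) SCDTIME('020000')                      */
             PGM
             DCL        VAR(&CURSEC) TYPE(*CHAR) LEN(2)
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(80)
/* Any unmonitored error: stop with an escape message rather than  */
/* leave the system half-configured.                               */
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ABORT))

/* Drift check: the IBM program only sets values; on a scheduled   */
/* run it is worth telling the operator when a value had changed.  */
             RTVSYSVAL  SYSVAL(QSECURITY) RTNVAR(&CURSEC)
             IF         COND(&CURSEC *NE '40') THEN(DO)
               CHGVAR   VAR(&MSG) VALUE('SECCFG: QSECURITY was' *BCAT +
                          &CURSEC *BCAT ', resetting to 40 (IPL needed)')
               SNDMSG   MSG(&MSG) TOUSR(*SYSOPR)
             ENDDO

/* Policy settings (the part after the SKIPUIM: tag in IBM's code) */
 SKIPUIM:    CHGSYSVAL  SYSVAL(QSECURITY)  VALUE('40')
             CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('8')
             CHGSYSVAL  SYSVAL(QPWDEXPITV) VALUE('90')
             CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('1')
             CHGSYSVAL  SYSVAL(QMAXSIGN)   VALUE('3')
             CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')
             CHGSYSVAL  SYSVAL(QINACTITV)  VALUE('30')
             CHGSYSVAL  SYSVAL(QINACTMSGQ) VALUE('*ENDJOB')
             CHGSYSVAL  SYSVAL(QLMTSECOFR) VALUE('1')
             CHGSYSVAL  SYSVAL(QRMTSIGN)   VALUE('*FRCSIGNON')
             CHGSYSVAL  SYSVAL(QAUDCTL)    VALUE('*AUDLVL *OBJAUD')
             CHGSYSVAL  SYSVAL(QAUDLVL)    VALUE('*AUTFAIL *SECURITY *SAVRST')
             SNDPGMMSG  MSG('SECCFG: security system values applied') +
                          MSGTYPE(*COMP)
             RETURN

 ABORT:      SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('SECCFG: CHGSYSVAL failed, see job log') +
                          MSGTYPE(*ESCAPE)
             ENDPGM
```

A QSECURITY change only takes effect at the next IPL, so the operator message is the signal to plan one; the other values apply immediately on each run.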
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the AS/400 market.