CONTENTS
1. AUDIT PROGRAM
2. APPENDIX A: AS/400 CL (CONTROL LANGUAGE) PROGRAM
3. APPENDIX B: SYSTEM PARAMETERS
4. APPENDIX C: USER PROFILES
5. APPENDIX D: SPECIAL AUTHORITIES
6. APPENDIX E: SECURITY ROLES & RESPONSIBILITIES
7. APPENDIX F: OTHER SECURITY ISSUES
AUDIT PROGRAM
Note: The values and parameters can be obtained by running the AS/400 CL (Control Language) Program in Appendix A. A listing of System Parameters is in Appendix B.
IBM AS/400 - INFORMATION SECURITY

| Audit Completion Checklist | W/P Ref. | Exceptions (Y/N) | Date |
|---|---|---|---|
| System Values | | | |
| User Profiles | | | |
| Resource Security | | | |
| Adopted Authority | | | |
| System Utilities | | | |
| IBM Supplied User Profiles | | | |
| History Logs and Audit Journals | | | |
| Network Communications | | | |
| Physical Security | | | |
| Other | | | |
1. This document "IBM AS/400 Information Security Audit Program" has been prepared as a guide for audit support engagements.
2. This audit program which forms part of the standard CAS workpapers is intended to guide our work on information security in an IBM AS/400 environment.
3. To tailor this audit program for an individual audit engagement, the following should be considered:
. The background information on computer hardware, operating software, accounting applications and the computer control structure which have been documented in the "Accounting Process Profile".
. Information security controls that have been identified during the risk assessment phase of the audit. These may include controls that address specific identified risks and/or potential errors.
4. Please note that out of the four EDP general control areas, this audit program addresses information security only. For background information on IBM AS/400 or information on any of the four EDP general control areas, please refer to the booklet "IBM AS/400 Overview and Audit Considerations Guide".
System Values

Objective: To ensure that system values have been set up in a manner which promotes control.

Audit Steps:
. Obtain the system value listing for:
  - Operational related system values: QSECURITY, QMAXSIGN, QINACTITV, QLMTDEVSSN
  - Password system values: QPWDMINLEN, QPWDEXPITV
  Command: DSPSYSVAL SYSVAL(Q.....) OUTPUT(*PRINT)
. Review the listing for adequacy of the values. Minimum recommended system values are:
  - QSECURITY: level 30
  - QMAXSIGN: 3 attempts
  - QINACTITV: 45 minutes
  - QLMTDEVSSN: 1
  - QPWDEXPITV: 30
  - QPWDMINLEN: 5
User Profile / Menu Security

Objective: To ensure the validity of users and proper segregation of duties:
. between the User Department (end-users) and EDP
. within the EDP department

Audit Steps:
. Obtain a summary listing of all users: DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
. Review the listing and:
  - Check the validity of users.
  - Ensure that each user has been assigned a unique user profile.
  - Ensure that users have been assigned to the appropriate user class. The user classes are *SECOFR, *SECADM, *PGMR, *SYSOPR and *USER.
  - Where users have been assigned to a group profile, ensure that the assignment is appropriate, e.g. programmers should not be assigned to a group profile with user class *SECOFR or *SECADM.
. Select a sample of users from the summary list and print their user profiles: DSPUSRPRF USRPRF(user-id) TYPE(*ALL) OUTPUT(*PRINT)
. Review the user profiles selected and check the following:
  - For end-users (generally these belong to the *USER class):
    - an initial program or an initial menu has been implemented;
    - with an initial program, the initial menu should be set to *LOGOUT to ensure the user exits if the program aborts due to processing problems;
    - Limited Capability is set to *YES (note: Limited Capability must be *YES for the initial menu/program to function effectively);
    - the initial programs or menus do not give the user access to the command line;
    - users have not been allocated any special authorities. If *JOBCTL has been authorized, ensure that users only have access to their own output and job queues.
  - For user profiles without initial programs or menus, that are not limited capability users, or that have the special authorities *ALLOBJ, *SAVSYS, *SECADM, *SPLCTL, *SERVICE or *JOBCTL, ensure that such access is appropriate.
Resource Security

Objective: To ensure that production data and program files are protected from unauthorized access and modification.

Audit Steps:
. Obtain a listing of all libraries in the system: DSPOBJD OBJ(*ALL) OBJTYPE(*LIB) OUTPUT(*PRINT)
. Ensure that:
  - production objects are held in a separate library from development objects;
  - production source modules are held in a separate library from the production executable modules.
. Obtain a listing of objects and authorities for critical libraries (including QSYS and CL programs): DSPOBJAUT OBJ(library-name) OBJTYPE(*LIB) OUTPUT(*PRINT)
. Obtain a listing of authorities to critical objects (data files, programs in both source and executable versions, critical utilities):
  DSPOBJAUT OBJ(data-file-name) OBJTYPE(*FILE) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(program-name) OBJTYPE(*PGM) OUTPUT(*PRINT)
  Note: This may not need to be produced if the site is not relying on object security or if menu and library security is adequate.
. Review the authority listings and evaluate the adequacy of the profiles allowed access and the level of access.
. Ensure that programmers have a maximum right of *READ to production libraries, data files and programs.
. Ensure that other EDP personnel have the appropriate rights assigned.
. Ensure that users with access rights other than *READ to production libraries and objects are properly authorized by management.
. Ensure that production libraries and objects are not owned by programmers or users.
. If an object has an authorization list, obtain a printout of the list and evaluate the adequacy of the profiles allowed and the level of access.
Adopted Authority

Objective: To ensure the validity of programs which adopt the authority of production programs or privileged users.

Audit Steps:
. List all programs that are owned by QSECOFR or by users with special authority *ALLOBJ or *SECADM:
  DSPPGMADP USRPRF(user-profile-name) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(library-name/object-name) OBJTYPE(*PGM) OUTPUT(*PRINT)
  Note: These tasks may consume substantial machine resources. It may be advisable to refer to the client's technical support function before running these procedures, or to run these jobs at a time of low usage.
. Inspect programs owned by the user or which adopt the owner's authority, and ensure that the programs do not give the user access to command entry while running under the adopted profile.
. Check the validity of users who have access to programs that adopt the privileged owner's authority.
System Utilities and Commands

Objective: To ensure that access to system utilities and security-related CL commands is restricted to authorized users.

Audit Steps:
. Obtain library and object authority listings for system libraries, utilities and tools, including SQL, DFU and AS/400 Query:
  DSPOBJAUT OBJ(QIDU) OBJTYPE(*LIB) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(object-name, e.g. DFU) OBJTYPE(e.g. *CMD, *PGM or *FILE) OUTPUT(*PRINT)
. Obtain object authority listings for critical security-related commands, including: PWRDWNSYS, VRYCFG, WRKUSRPRF, CHGPRF, SAVSYS, WRKSYSSTS, CRTJOBD, CHGJOBD, STRSST, STRSQL, CRTAUTHLR, DLTAUTHLR, CRTAUTL, DLTAUTL, EDTAUTL.
  Command: DSPOBJAUT OBJ(command-name) OBJTYPE(*CMD) OUTPUT(*PRINT)
. Review the above authority listings:
  - Ensure that public access is *EXCLUDE.
  - Evaluate the appropriateness of access; e.g. the system operator should be the only user with access to the PWRDWNSYS, VRYCFG, SAVSYS and WRKSYSSTS commands.
. Inquire of the system manager whether users are allowed to access the following system request functions, and evaluate the adequacy of access:
  - Transfer to alternate job
  - End previous request
  - Display system operator messages
IBM Supplied Profiles

Objective: Ensure that the IBM-assigned passwords for standard profiles have been changed from the default values.

Audit Steps:
. Attempt to sign on to the following IBM-supplied user profiles using the IBM default password (i.e. the same as the user name):

| User | Name |
|---|---|
| Security Officer | QSECOFR |
| Programmer | QPGMR |
| System Operator | QSYSOPR |
| Workstation User | QUSER |
| Service | QSRV |
| Service Basic | QSRVBAS |

. Verify that the following IBM-supplied user profiles have a password of *NONE, to prevent users from signing on with these profiles: QAUTPROF, QBRMS, QDBSHR, QDFTOWN, QDOC, QDSNX, QFNC, QGATE, QLPAUTO, QLPINSTALL, QMSF, QNETSPLF, QNFSANON, QSNADS, QSPL, QSPLJOB, QSYS, QTCP, QTSTRQS.
History Logs / Audit Journals

Objective: To ensure that security violations are recorded, monitored and followed up on a timely basis.

Audit Steps:
. Review the QAUDLVL system value and evaluate the level of auditing on the system. Valid values for QAUDLVL are:
  - *NONE: no security events are logged
  - *AUTFAIL: each authority (object access) failure is logged
  - *DELETE: each delete operation is logged
  - *SAVRST: each restore operation is logged
  - *SECURITY: an entry is logged for each security-related function, including changing object authority; creating, changing, deleting, displaying and restoring user profiles; and changing system values
. If QAUDLVL is set to *NONE, inquire whether the system history log (QHST) is used to monitor security violations.
. If hard copies of the logs are not retained, a listing of security messages relating to specific events may be obtained from the system history log:
  Command: DSPLOG LOG(*QHST) PERIOD((start-time start-date) (end-time end-date)) MSGID(message-id) OUTPUT(*PRINT)
  (Security-related messages are those with a message ID in the CPF22.. range. Refer to IBM's CL Programmer's Guide.)
  Or from the audit journal: DSPJRN JRN(QAUDJRN) OUTPUT(*PRINT)
. Discuss security violations with the Security Officer.
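The audit step above says to pull security-related messages (message IDs in the CPF22.. range) from the history log and discuss them with the Security Officer. The script below is an added example, not part of the audit program, showing the filtering an auditor would do over such a listing: it keeps CPF22xx records and then counts failed sign-ons per profile against a threshold that mirrors QMAXSIGN. SAMPLE_LOG is constructed in a simplified "date time msgid job-user text" layout rather than the real DSPLOG OUTPUT(*PRINT) spool layout, so parse_log_line is the one function to adapt to the real columns.

```python
"""Filter a QHST listing down to security-related (CPF22xx) messages and count
failed sign-ons per user profile.

Added example, not from the audit program. SAMPLE_LOG is constructed in a
simplified "date time msgid job-user text" layout; the real DSPLOG spool has
different columns, and parse_log_line is the only layout-dependent function.
"""
import re
from collections import Counter

# Constructed lines. CPF2234 (password not correct) and CPF2204 (user profile
# not found) are real CPF22xx message IDs; CPF1124/CPF1164 (job started/ended)
# stand in for the routine job messages that make up most of the log.
SAMPLE_LOG = """\
03/14/99 08:01:12 CPF1124 CLERK1  Job 123456/CLERK1/DSP01 started
03/14/99 08:02:30 CPF2234 QSYS    Password not correct for user profile CLERK2.
03/14/99 08:02:41 CPF2234 QSYS    Password not correct for user profile CLERK2.
03/14/99 08:02:55 CPF2234 QSYS    Password not correct for user profile CLERK2.
03/14/99 08:03:10 CPF2234 QSYS    Password not correct for user profile CLERK2.
03/14/99 09:15:00 CPF2204 QSYS    User profile ADMIN not found.
03/14/99 17:30:05 CPF1164 CLERK1  Job 123456/CLERK1/DSP01 ended
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (CPF[0-9A-F]{4}) (\S+)\s+(.*)$")
PROFILE_RE = re.compile(r"user profile (\w+)")
SECURITY_PREFIX = "CPF22"   # the range the audit step calls security-related


def parse_log_line(line):
    """Return (date, time, msgid, job_user, text), or None for a line in another layout."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def security_messages(text):
    """All parsed records whose message ID falls in the CPF22.. range."""
    records = (parse_log_line(line) for line in text.splitlines())
    return [r for r in records if r is not None and r[2].startswith(SECURITY_PREFIX)]


def failed_signons_by_profile(text, threshold=3):
    """Profiles with at least `threshold` CPF2234 (password not correct) messages.

    The default threshold mirrors the recommended QMAXSIGN of 3; a profile at or
    above it should show up as disabled and is worth raising with the Security Officer.
    """
    counts = Counter()
    for _date, _time, msgid, _job_user, text_part in security_messages(text):
        if msgid == "CPF2234":
            m = PROFILE_RE.search(text_part)
            if m:
                counts[m.group(1)] += 1
    return {profile: n for profile, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for date, time, msgid, job_user, text_part in security_messages(SAMPLE_LOG):
        print(f"{date} {time} {msgid} {text_part}")
    print("repeated failed sign-ons:", failed_signons_by_profile(SAMPLE_LOG))
```

The per-profile count is taken from the message text rather than the job-user column, because on a failed sign-on the job user is not the profile that was tried.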
Network / Communications

Objective: To ensure that remote access by users is appropriately controlled.
Note: The introduction of networks into an organization can expose it to potential security problems.

Audit Steps:
. Inquire of the system manager whether users have remote access, and/or review user profiles to determine which users have remote access.
. Assess whether the access is appropriate.
. Check that automatic sign-ons from remote systems are appropriately controlled: DSPSYSVAL SYSVAL(QRMTSIGN) OUTPUT(*PRINT)
  Valid QRMTSIGN values are:
  - 0: remote sign-on is not allowed
  - 1: the user is required to sign on
  - 2: remote sign-on is allowed, including bypass of the sign-on display
  The value should not be greater than 1.
. Obtain the following network attribute listings to determine whether the system processes requests from attached personal computers or from another system: DSPNETA (...) OUTPUT(*PRINT)
  - DDMACC: determines how the AS/400, as a remote system, processes requests from other systems.
  - PCSACC: determines how requests from an attached PC are processed.
. Review the above listing and ensure that requests are processed in a controlled manner. There are three processing options:
  - *REJECT: rejects all PC Support or DDM requests, preventing access.
  - *OBJAUT: uses object authorization support to determine which users have access.
  - *USERWRITTEN: uses user-written programs to control or restrict PC Support users or DDM access.
Physical Security

Objective: To ensure that the keylock is set to prevent any unauthorized user from performing a manual power-off of the system, an initial program load, or use of the dedicated service tools function.

Audit Steps:
. Check the keylock switch and ensure that it is set to a secure position (preferably the SECURE or AUTO position).
. Ensure that the key is removed from the switch; control over the key should be reserved to the System Manager.
APPENDIX A: AS/400 CL (Control Language) Program
The following program was designed to gather security, network, user profile, and command information from the AS/400. An AS/400 programmer should be able to use this code as a template for a CL program to pull audit information from the company’s box.
PGM
    WRKSYSVAL OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/QSYS) OBJTYPE(*LIB) OUTPUT(*PRINT)
    MONMSG MSGID(CPF0000)
    DSPNETA OUTPUT(*PRINT)
    ANZDFTPWD ACTION(*NONE)
    DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) OUTPUT(*PRINT)
    DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
    /* Create an outfile of user profile information. Replace ? with the */
    /* library that is to hold the outfile.                              */
    DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(?/USRPRFS)
    /* Run the query (already created) to extract the needed information */
    RUNQRY QRY(USRPRFS) QRYFILE((USRPRFS))
    DLTF FILE(USRPRFS)
    MONMSG MSGID(CPF0000)
    /* Object authority to security-sensitive commands and utilities */
    DSPOBJAUT OBJ(QSYS/CHGNETA) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/DLTLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CLRLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CRTLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CHGLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/DLTF) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CLRPFM) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/STRCMNTRC) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/STRSST) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CRTQMQRY) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/WRKQRY) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/STRDFU) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CHGDTA) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/UPDDTA) OBJTYPE(*CMD) OUTPUT(*PRINT)
ENDPGM
The query should be designed to extract the following fields:
∙User Profile (User ID)
∙Previous sign-on
∙Status
∙Password expiration interval
∙User class
∙Special authority
∙Group profile
∙Owner
∙Supplemental groups
∙Current library
∙Initial program and library
∙Initial menu and library
∙Limit capabilities
∙Text
∙Display sign-on information
∙Limit device sessions
∙Job description and library
∙Accounting code
∙Object auditing values
∙Action auditing values
APPENDIX B: System Parameters
There are a number of global system parameters within the AS/400 system which determine how the system will operate. Included in these are parameters which determine the level of security that will be enforced by the system.
The recommended values for the security-related parameters are described below:
| System Parameter | Initial Value | Recommended Value | Comments |
|---|---|---|---|
| Sign-On Related Parameters | | | |
| QDSPSGNINF (Display Sign-On Information) | 0 | 1 | If the value is set to 1, the date of the last sign-on and any previous invalid sign-on attempts are displayed to the user. Users should be instructed to review this information and report any suspected attempts at misuse of their user ID. |
| QMAXSGNACN (Action to Take for Failed Sign-On Attempts) | 3 | 3 | In the event of too many invalid sign-on attempts, this will disable the user profile as well as prevent any more sign-on attempts from that device. The maximum number of invalid sign-on attempts allowed is determined by the next parameter. |
| QMAXSIGN (Maximum Number of Sign-On Attempts) | 5 | 3 | This restricts the number of times a user can incorrectly attempt to sign on to the system before being disabled. The action taken by the system when this number is exceeded is determined by the preceding parameter. |
| Password Related Parameters | | | Passwords are the principal means of ensuring that access to the computer system is secure. It is therefore important that adequate controls over passwords are implemented to ensure that they are not easily compromised. The following parameters control the passwords used to access the AS/400. |
| QPWDEXPITV (Password Expiration Interval) | *NOMAX | 30 to 60 | A password change interval of 30 to 60 days is recommended. If a standard change interval has been established for the LAN environment, we recommend that a similar interval be established for the AS/400. |
| QPWDLMTAJC (Limit Adjacent Digits in Password) | 0 | 1 | This will restrict users from using adjacent digits in a password. By doing so, users will be prevented from using easy-to-guess passwords such as their birth dates or social security numbers. |
| QPWDLMTCHR (Limit Characters in Password) | *NONE | *NONE | This parameter allows one to prevent users from using certain characters in their passwords. It is not considered practical or necessary to restrict the use of certain characters. |
| QPWDLMTREP (Limit Repeating Characters in Password) | 0 | 1 | This limits the use of repeating characters within passwords, thus improving the level of password security. For example, users cannot use "AAAAA" as a password. |
| QPWDMAXLEN (Maximum Length of Passwords) | 10 | 10 | This limits the length of a password to 10 alphanumeric characters. |
| QPWDMINLEN (Minimum Length of Passwords) | 3 | 5 | This forces passwords to a minimum length of 5 alphanumeric characters. |
| QPWDPOSDIF (Limit Password Character Positions) | 0 | 0 | This means characters can be used in the same position from one password to the next. Although a value of 1 would restrict users from using characters in the same position from one password to the next, and therefore enforce greater password security, this is not considered practical. |
| QPWDRQDDGT (Require a Digit in the Password) | 0 | 1 | This forces users to use at least one digit in their passwords, thereby increasing password complexity. |
| QPWDRQDDIF (Duplicate Password Control) | 0 | 1 | This prevents passwords from being reused for 32 generations for a user ID. |
| Inactive Terminal Parameters | | | The following parameters control whether the system takes action if a display has been signed on but not used for a specified period of time. |
| QINACTITV (Inactive Job Time-Out) | *NONE | 30 | The system will automatically log a user off after 30 minutes of inactivity. The action the system takes when the time limit expires is determined by the value of the next parameter. |
| QINACTMSGQ (Inactive Job Message Queue) | *DSCJOB | *DSCJOB | When the time limit set by QINACTITV expires, the system will disconnect the inactive job. By disconnecting rather than ending the job, the job is only temporarily suspended and will resume when the same user signs on again at the workstation. |
| QDSCJOBITV (Time Interval before Disconnected Jobs End) | 180 | 180 | This parameter determines how long jobs which have been suspended by the system will be maintained before the system automatically ends them. |
| General Security Parameters | | | |
| QLMTDEVSSN (Limit Device Sessions) | 0 | 1 | This will limit concurrent device sessions for a specific user. Most users should not need more than one session. For users that require multiple sessions, this can be overridden in their user profile. |
| QLMTSECOFR (Limit Security Officer Device Access) | 0 | 0 | This will allow the security officer to use any device to gain access to the system. |
| QRMTSIGN (Remote Sign-On) | *VERIFY | *FRCSIGNON | This requires all remote users to sign on through the regular sign-on procedures. A value of *VERIFY allows users to bypass the normal sign-on procedures. |
| QSECURITY (Security Level) | 30 | 30 | This parameter determines the overall level of security for the AS/400. The following levels are supported. Level 10: the lowest level; minimal security is enforced and no password is required, users simply enter a user ID to access the system. Level 20: users are required to use passwords, and initial menu/program security can be enforced; however, users still have access to all objects unless specifically restricted. Level 30: requires a user ID and password; the system automatically prevents users from accessing objects (files, directories, etc.) and system resources unless they have been explicitly authorized to do so; this is the recommended setting. Level 40: similar to level 30, but programs that attempt to access objects through unsupported interfaces will fail. |
| QAUDLVL (Security Auditing Level) | *SECURITY | *SECURITY | This ensures that all security-related functions are audited and stored in a log file for review and follow-up. |
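The System Values audit step earlier in this program and the table above both amount to comparing a printed listing against a set of recommended values. The script below is an added example, not part of the audit program, that performs that comparison and reports each deviation. It assumes the WRKSYSVAL OUTPUT(*PRINT) spool produced by the Appendix A program has been reduced to one "NAME VALUE" line per system value (the real spool layout is not reproduced here); SAMPLE_LISTING is constructed. The thresholds are the Recommended Value column above; where the audit step in the body gives a different figure (45 minutes for QINACTITV) the stricter table value is used, and a non-numeric setting such as *NONE or *NOMAX is always reported against a numeric rule.

```python
"""Compare AS/400 system values against the recommended settings in Appendix B.

Added example, not from the audit program. It assumes the WRKSYSVAL OUTPUT(*PRINT)
listing has been reduced to one "NAME VALUE [VALUE ...]" line per system value;
SAMPLE_LISTING below is constructed to exercise the checks.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str        # system value name
    actual: str      # value found in the listing
    expected: str    # recommended value, as worded for the workpaper


# Recommended values from the Appendix B table. The first element selects the
# comparison: "eq" exact match, "contains" token present (QAUDLVL may hold several
# values), "min"/"max" numeric bound, "range" numeric low..high inclusive.
RECOMMENDED = {
    "QSECURITY":  ("min", 30, "30 or higher"),
    "QMAXSIGN":   ("max", 3, "3 attempts or fewer"),
    "QMAXSGNACN": ("eq", "3", "3 (disable profile and device)"),
    "QDSPSGNINF": ("eq", "1", "1 (display sign-on information)"),
    "QPWDEXPITV": ("range", (30, 60), "30 to 60 days"),
    "QPWDMINLEN": ("min", 5, "5 or more characters"),
    "QPWDLMTAJC": ("eq", "1", "1 (no adjacent digits)"),
    "QPWDLMTREP": ("eq", "1", "1 (no repeating characters)"),
    "QPWDRQDDGT": ("eq", "1", "1 (digit required)"),
    "QPWDRQDDIF": ("eq", "1", "1 (no reuse for 32 generations)"),
    "QINACTITV":  ("max", 30, "30 minutes or less"),
    "QINACTMSGQ": ("eq", "*DSCJOB", "*DSCJOB"),
    "QLMTDEVSSN": ("eq", "1", "1 (one session per user)"),
    "QRMTSIGN":   ("eq", "*FRCSIGNON", "*FRCSIGNON"),
    "QAUDLVL":    ("contains", "*SECURITY", "includes *SECURITY"),
}

# Constructed listing: a mix of compliant and non-compliant settings.
SAMPLE_LISTING = """\
QSECURITY   30
QMAXSIGN    5
QMAXSGNACN  3
QDSPSGNINF  0
QPWDEXPITV  *NOMAX
QPWDMINLEN  5
QPWDLMTAJC  1
QPWDLMTREP  0
QPWDRQDDGT  1
QPWDRQDDIF  1
QINACTITV   *NONE
QINACTMSGQ  *DSCJOB
QLMTDEVSSN  1
QRMTSIGN    *VERIFY
QAUDLVL     *AUTFAIL *SECURITY
"""


def parse_listing(text):
    """Reduce "NAME VALUE [VALUE ...]" lines to a dict; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("Q"):
            values[parts[0]] = " ".join(parts[1:])
    return values


def check_value(name, actual):
    """Return a Finding when `actual` misses the recommendation for `name`, else None."""
    kind, target, expected = RECOMMENDED[name]
    if kind == "eq":
        ok = actual == target
    elif kind == "contains":
        ok = target in actual.split()
    else:
        try:
            number = int(actual)
        except ValueError:          # *NONE, *NOMAX etc. never satisfy a numeric rule
            return Finding(name, actual, expected)
        if kind == "min":
            ok = number >= target
        elif kind == "max":
            ok = number <= target
        else:                       # "range"
            ok = target[0] <= number <= target[1]
    return None if ok else Finding(name, actual, expected)


def audit_system_values(values):
    """Findings for every recommended value that is missing or out of line."""
    findings = []
    for name in RECOMMENDED:
        actual = values.get(name)
        if actual is None:
            findings.append(Finding(name, "<not in listing>", RECOMMENDED[name][2]))
            continue
        finding = check_value(name, actual)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_system_values(parse_listing(SAMPLE_LISTING)):
        print(f"{f.name:<11} actual {f.actual:<20} recommended {f.expected}")
```

Each Finding carries the actual and recommended values side by side, which is the form in which an exception is recorded in the workpaper; a value absent from the listing is reported rather than silently passed.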
APPENDIX C: User Profiles
To ensure individual accountability, each authorized user should be assigned a unique user ID and given a unique, confidential password for gaining access to the system. User profiles should be used in combination with group profiles to control user access to programs, data and system resources.
User Class
The user class determines the default privileged access authorities which are assigned to users. The user class assigned to a user should be based on their particular roles and responsibilities (See Roles and Responsibilities section). The following user classes are available:
Security Officer (*SECOFR): This is the highest level of security for the AS/400 and should be restricted to the System Manager, Security Administrator and Backup Security Administrator. Users with this status have access to all resources on the AS/400.
Security Administrator (*SECADM): This class is for users who are required to perform security administration tasks such as adding, modifying or deleting user profiles, but do not require all of the privileges given to the Security Officer.
Programmer (*PGMR): This class is for programmers only, and allows them privileges which are not usually granted to users, such as the ability to access the command line and use tools such as Query, etc.
Operator (*SYSOPR): This class of user is for those persons who need to perform certain computer operations like backing up program and data files, and controlling output queues. Operator privilege should therefore be restricted to the Computer Operations staff.
User (*USER): This class is for those persons who require no special authorities. All employees who do not fall into one of the classes above should be assigned to this class.
APPENDIX D: Special Authorities
Special authorities allow users to perform certain system functions, such as save/restore functions, job manipulation, spool file manipulation, and user profile administration. They work in conjunction with the User Class as described above.
The following special authorities are available:
All Object (*ALLOBJ): Users provided with this authority are allowed to access any object on the AS/400 system i.e. they can access everything. This authority should only be granted to users with Security Officer status.
Security Administration (*SECADM): Users provided with this authority can add, change and delete users and user profiles.
Save System (*SAVSYS): Users provided with this authority can save and restore any AS/400 objects to which they are authorized.
Job Control (*JOBCTL): Users provided with this authority can change, display, hold, release, cancel, and clear all jobs on the system.
Service (*SERVICE): Users provided with this authority can perform functions with the System Service Tools. These tools provide numerous capabilities including the ability to trace data on communication lines. This capability should only be granted to users with Security Officer status, and to IBM Service personnel on an as needed basis.
Spool Control (*SPLCTL): Users with this authority can delete, display, hold or release files owned by other users.
None (*NONE): Users with this authority have no access to any of the special authorities described above.
The default special authorities assigned by the system are based on the value specified in the User Class parameter. The following table displays the special authorities assigned by default to the various user classes.
| User Class | Default Special Authorities |
|---|---|
| *SECOFR | *ALLOBJ, *SECADM, *SAVSYS, *JOBCTL, *SERVICE, *SPLCTL |
| *SECADM | *SECADM, *SAVSYS, *JOBCTL |
| *PGMR | *SAVSYS, *JOBCTL |
| *SYSOPR | *SAVSYS, *JOBCTL |
| *USER | *NONE (no special authorities are assigned) |
Limit Capabilities
The Limit Capabilities parameter can be used to prevent users from modifying their current library, attention key program and initial menu and program as well as to limit their ability to execute system commands.
Limit Capabilities = *YES is the most restrictive control as it prevents users from changing any of their initial program, menu and library settings as well as restricting them from entering system commands.
Limit Capabilities = *PARTIAL allows users to change their initial menu settings as well as run certain system commands.
Limit Capabilities = *NO is the least restrictive as the user with this setting can change anything on their sign on screen and run all system commands.
The following table displays the recommended limit capability settings for the various classes of users:
| LIMITED CAPABILITY SETTING | |||
| USER CLASS | *YES | *PARTIAL | *NO |
| *SECOFR | X | ||
| *SECADM | X | ||
| *PGMR | X | ||
| *SYSOPR | X | ||
| *USER | X | ||
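The user profile audit steps earlier in this program (initial program or menu present, Limited Capability *YES for end-users, no special authorities beyond the class default, programmers not in privileged group profiles) and the class and limit capability tables in Appendices C and D can be applied mechanically to the user profile outfile that the Appendix A program creates. The script below is an added example, not part of the audit program, that does so over constructed profile records. The Profile fields mirror the query fields listed in Appendix A (user profile, user class, special authority, group profile, initial program, initial menu, limit capabilities) under names chosen here; the class defaults are taken from the Appendix D table. The initial menu value *SIGNOFF is the system's own "no menu" setting (the audit step refers to it as *LOGOUT).

```python
"""Review user profile records against the user profile audit steps and the
user class / special authority tables in Appendices C and D.

Added example, not from the audit program. Field names on Profile are chosen
here to mirror the Appendix A query fields; SAMPLE_PROFILES is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    name: str
    user_class: str                       # *SECOFR, *SECADM, *PGMR, *SYSOPR, *USER
    special_auth: frozenset = field(default_factory=frozenset)
    group: str = "*NONE"                  # group profile, *NONE if none
    inlpgm: str = "*NONE"                 # initial program, *NONE if none
    inlmnu: str = "*SIGNOFF"              # initial menu, *SIGNOFF if none
    lmtcpb: str = "*NO"                   # limit capabilities: *YES, *PARTIAL, *NO


# Special authorities granted by default to each user class (Appendix D table).
CLASS_DEFAULTS = {
    "*SECOFR": frozenset({"*ALLOBJ", "*SECADM", "*SAVSYS", "*JOBCTL", "*SERVICE", "*SPLCTL"}),
    "*SECADM": frozenset({"*SECADM", "*SAVSYS", "*JOBCTL"}),
    "*PGMR":   frozenset({"*SAVSYS", "*JOBCTL"}),
    "*SYSOPR": frozenset({"*SAVSYS", "*JOBCTL"}),
    "*USER":   frozenset(),
}

# Special authorities the audit step singles out for an appropriateness review.
REVIEW_AUTH = frozenset({"*ALLOBJ", "*SAVSYS", "*SECADM", "*SPLCTL", "*SERVICE", "*JOBCTL"})

# Constructed records: one compliant profile per class plus deliberate exceptions.
SAMPLE_PROFILES = [
    Profile("QSECOFR", "*SECOFR", CLASS_DEFAULTS["*SECOFR"], inlmnu="MAIN"),
    Profile("ADMGRP", "*SECADM", CLASS_DEFAULTS["*SECADM"]),
    Profile("SECADM1", "*SECADM", CLASS_DEFAULTS["*SECADM"], group="ADMGRP"),
    Profile("PGMR1", "*PGMR", frozenset({"*SAVSYS", "*JOBCTL", "*ALLOBJ"}), group="ADMGRP"),
    Profile("CLERK1", "*USER", inlpgm="ORDENT", lmtcpb="*YES"),
    Profile("CLERK2", "*USER", frozenset({"*JOBCTL"})),
    Profile("CLERK3", "*USER", inlpgm="PAYROLL", inlmnu="MAIN", lmtcpb="*YES"),
]


def review_profiles(profiles):
    """Return (profile name, issue) pairs for the conditions the audit steps check."""
    by_name = {p.name: p for p in profiles}
    findings = []
    for p in profiles:
        # Any special authority beyond the class default needs management authorization.
        extra = p.special_auth - CLASS_DEFAULTS.get(p.user_class, frozenset())
        if extra:
            findings.append((p.name, f"special authorities beyond {p.user_class} default: {sorted(extra)}"))
        has_pgm = p.inlpgm != "*NONE"
        has_menu = p.inlmnu != "*SIGNOFF"
        if p.user_class == "*USER":
            if not (has_pgm or has_menu):
                findings.append((p.name, "end-user with no initial program or menu"))
            if has_pgm and has_menu:
                findings.append((p.name, "initial program set but initial menu is not *SIGNOFF"))
            if p.lmtcpb != "*YES":
                findings.append((p.name, f"end-user not limited capability (LMTCPB {p.lmtcpb})"))
        if p.group != "*NONE":
            grp = by_name.get(p.group)
            if grp is None:
                findings.append((p.name, f"group profile {p.group} not in listing"))
            elif p.user_class == "*PGMR" and grp.user_class in ("*SECOFR", "*SECADM"):
                findings.append((p.name, f"programmer in group {p.group} (class {grp.user_class})"))
    return findings


def profiles_for_authority_review(profiles):
    """Names of profiles holding any special authority the audit step asks to review."""
    return sorted(p.name for p in profiles if p.special_auth & REVIEW_AUTH)


if __name__ == "__main__":
    for name, issue in review_profiles(SAMPLE_PROFILES):
        print(f"{name:<10} {issue}")
    print("review special authorities for:", profiles_for_authority_review(SAMPLE_PROFILES))
```

The group check looks the group profile up in the same listing, which is why the group profile record itself (ADMGRP above) must be present; a group that is absent is reported rather than assumed harmless.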
The value for the “Set password to expired” field should be set to *YES. This will ensure that users are required to change new passwords immediately and that they are the only persons with knowledge of their passwords.
Initial Menu and Initial Program
Users should be restricted to the initial program and menus that they require for their job-related responsibilities. By restricting users in this way, they will be forced to operate within the constraints of a predefined menu, and in conjunction with the Limited Capabilities will be prevented from issuing operating system commands.
System Value Settings
The values of the following security related parameters in the user profiles should be set to *SYSVAL (i.e. they will automatically default to the same value as the parameter established in the System Parameters file):
∙Sign-on attempts not valid
∙Password expiration interval
∙Display sign-on information
∙Limit device sessions
∙Attention program
Default User Profiles
There are a number of user profiles which are supplied by IBM with the AS/400 system. The passwords for these profiles are always the same as the user ID, and therefore changing these passwords after installation is essential to prevent unauthorized persons from accessing the system. The new passwords should be written down and kept in a sealed envelope which is stored in a secure place. The passwords for the following IBM-supplied user profiles should be changed:
∙QSECOFR
∙QSYSOPR
∙QPGMR
∙QUSER
∙QSRV
∙QSRVBAS
During system maintenance, it may be necessary to provide the IBM representatives with the passwords to the QSRV and QSRVBAS profiles. It is important that once they have completed their work, the passwords are changed again immediately. The QSECOFR ID should only be used in the event of AS/400 system upgrades or in other cases only if absolutely needed.
APPENDIX E: Security Roles & Responsibilities
The following structure for administration and management of the AS/400 security is recommended:
A brief description of these roles is outlined below:
System Manager
The System Manager is responsible for overseeing all activities performed on the AS/400 system, including backup, computer operations, performance monitoring, hardware maintenance/upgrades, installation of system software upgrades and security.
The System Manager’s responsibilities relating to security include:
∙Setting security policies and procedures for the AS/400 system
∙Determining the appropriate configuration of system parameters which affect security
∙Monitoring the activities of the security administrator, and ensuring that security procedures are being followed
∙Ensuring that either the Security Administrator or the Backup Security Administrator is present to perform security related tasks
∙Reviewing security violations and determining appropriate action to be taken
The System Manager should also be responsible for maintaining the password to the QSECOFR user ID. This ID has access to all system resources and should only be used in an emergency situation.
Security Administrator
The Security Administrator’s responsibilities include:
∙Assigning unique user IDs and individual passwords to users
∙Controlling accesses to data, programs and resources through maintenance of individual and group user IDs.
∙Resetting lost or forgotten passwords
∙Resetting user IDs and workstations of users who are locked out of the system after too many incorrect sign on attempts
∙Disabling user IDs assigned to employees who are terminated, retired, separated or transferred.
∙Assigning user classes and special authorities (such as *JOBCTL) as authorized by management.
∙Maintaining the passwords for the default IBM supplied user IDs, except for QSECOFR
∙Issuing temporary user IDs and passwords to authorized vendor personnel (e.g. IBM service staff) and ensuring that the passwords are changed or the IDs removed from the system after the vendors have completed their tasks
∙Controlling dial-up access by employees and external vendors and maintaining a log of all dial-up access sessions
∙Monitoring security and reviewing security related audit reports
∙Reporting security violations to the System Manager
Backup Security Administrator
The Backup Security Administrator should be trained so that they are able to perform all of the tasks that the Security Administrator performs. The Backup Administrator should only perform security-related tasks when the Security Administrator is unavailable. This will ensure that there is always someone available to perform security-related tasks such as setting up new users and resetting user IDs and passwords.
Recommended User Classes
The following user classes are recommended for the System Manager, Security Administrator and Backup Security Administrator user IDs. In all cases, it is recommended that they have one user ID to perform their regular job functions and a separate ID which they use to perform system or security related functions.
| USER CLASS | ||
| ROLE | *SECOFR | *SECADM |
| System Manager | X | |
| Security Administrator | X | |
| Backup Security Administrator | X | |
APPENDIX F: Other Security Issues
Access Request Procedures
Access request procedures for the AS/400 should be formalized. It is recommended that AS/400 access requests be channeled through the application support supervisors. That is, all requests for AS/400 access would first be sent to them and they, in turn, would request the AS/400 Security Administrator to create or change a user profile on the AS/400.
Users should request access to a particular application from the appropriate application support supervisor. If the application support supervisor approves the access request, they should send an E-mail to the Security Administrator requesting an AS/400 user ID. Upon receiving the E-mail, the Security Administrator should create the user profile and then send an E-mail back to the application support supervisor confirming that the user profile has been created. Hard copies of the E-mail requests from the application support supervisors should be maintained by the Security Administrator as evidence of access approval.
Resetting of User IDs and Passwords
In the event that a user forgets their password, or incorrectly attempts to sign on to the AS/400 more than three times and is locked out, they should immediately contact the Security Administrator or his designated backup. The Security Administrator is responsible for verifying that a user who has forgotten their password or is locked out of the system is actually the person they claim to be and not an impostor. In this regard, users should be required to repeat the first four digits of their social security numbers to the Security Administrator as a means of verification.
Dial-In Access
The AS/400 contains a built-in modem which allows remote access capabilities. Access to the system by employees or outside vendors using this modem should be restricted to those persons authorized by Management. In order to control remote access, the modem should be turned off when not in use, and should only be activated by the Security Administrator. When someone requires access, they should contact the Security Administrator and request that the modem be activated. If the Security Administrator is satisfied that the person is allowed to access the system via modem, they will activate the modem and allow the person to access the system. The modem should be turned off again by the Security Administrator once the person has completed their task. The Security Administrator should maintain a log of all remote accesses using this modem. The following information should be maintained in the log:
∙Date and time of access
∙Person accessing the system
∙Reason for access
User Department Responsibilities
Responsibilities of the user departments should include:
∙Administering and maintaining all application related security
∙Providing user support for application system queries or problems
∙Coordinating and liaison with IS regarding hardware requirements and any other system related issues which affect the application
∙Liaison with application vendors and IS regarding software upgrades and program changes
∙Coordinating with the IS department regarding vendor access to the system
∙Submitting requests for changes and enhancements to the application vendors
∙Maintaining a log of all changes and enhancements requested and implemented
∙Communicating problems to application vendors
∙Participating in user support group meetings.
∙Evaluating user needs for custom reports and developing such reports, either internally or with external assistance
∙Maintaining application system tables and master files
∙Developing, maintaining and enforcing application related policies and procedures