Frequently Asked Questions
Q: I need to be able to tell when someone tries to access a file or a program that they are not authorized to. I have the authority set up correctly on the objects, but I never get any messages. How can I tell if it is working?
A: The Security Audit Journal (QAUDJRN) can record all attempts to access an object without proper authority. To accomplish this, first ensure that the system value QAUDCTL is set to (at least) *AUDLVL and the system value QAUDLVL includes the value *AUTFAIL. Once these settings are in place, the security audit journal will record invalid access attempts in the QAUDJRN receivers. These entries will bear the journal code of "T" and the journal type of "AF." You can either pull these entries out of the journal with a homegrown query or purchase a more sophisticated auditing tool that was built for this task.
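The steps in the answer above as a CL sketch. This is an added example, not part of the original answer; the library AUDWORK and the file AUTFAIL are placeholder names, and the outfile format (*TYPE4 with the model file QASYAFJ4) is a choice made here.

```cl
PGM
  /* 1. Confirm the auditing system values. These only display.     */
  DSPSYSVAL SYSVAL(QAUDCTL)   /* must contain at least *AUDLVL      */
  DSPSYSVAL SYSVAL(QAUDLVL)   /* must include *AUTFAIL              */
  /* If a value is missing, add it with CHGSYSVAL. CHGSYSVAL        */
  /* replaces the whole list, so re-key the values already set.     */

  /* 2. Create an empty outfile from the IBM model file for AF      */
  /*    entries. AUDWORK and AUTFAIL are placeholder names.         */
  CRTDUPOBJ OBJ(QASYAFJ4) FROMLIB(QSYS) OBJTYPE(*FILE) +
            TOLIB(AUDWORK) NEWOBJ(AUTFAIL)

  /* 3. Copy the journal code T, entry type AF entries from the     */
  /*    current receiver chain into that outfile.                   */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
         JRNCDE((T)) ENTTYP(AF) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
         OUTFILE(AUDWORK/AUTFAIL)

  /* 4. Browse the result: one row per authority failure, with the  */
  /*    job, the user profile and the object that was refused.      */
  RUNQRY QRY(*NONE) QRYFILE((AUDWORK/AUTFAIL))
ENDPGM
```

An empty outfile after a deliberate failed access attempt points back at the two system values in step 1.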
Q: Our Network guys need to be able to create and delete device descriptions on the iSeries, so I put *IOSYSCFG authority in their profiles. But this only allows each user to delete device descriptions that user created - what's going on here?
A: *IOSYSCFG gives them the authority needed to work with device descriptions, but it does not automatically authorize them to delete objects (including device descriptions) that they are not otherwise authorized to. There are a couple of easy ways to rectify the situation. My preferred method would be to create an authorization list for all device descriptions and then grant the Network guys *ALL access to the devices secured by the authorization list. When a network person creates a device description, they just have to remember to attach the authorization list. The bonus is that if they are just copying new device descriptions from existing DEVDs, the authorization list would be copied automatically.
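The authorization list approach as a CL sketch. This is an added example, not part of the original answer; DEVDAUTL, NETGRP (a group profile for the network staff) and NEWDSP01 are placeholder names.

```cl
PGM
  /* Create the list that will secure every device description.     */
  CRTAUTL AUTL(DEVDAUTL) TEXT('Device descriptions, network team')

  /* Give the network group *ALL authority through the list.        */
  /* NETGRP is a placeholder group profile.                         */
  ADDAUTLE AUTL(DEVDAUTL) USER(NETGRP) AUT(*ALL)

  /* Attach the list to the device descriptions that already exist. */
  GRTOBJAUT OBJ(QSYS/*ALL) OBJTYPE(*DEVD) AUTL(DEVDAUTL)

  /* A device created from scratch needs the list attached once.    */
  /* NEWDSP01 is a placeholder device name.                         */
  GRTOBJAUT OBJ(QSYS/NEWDSP01) OBJTYPE(*DEVD) AUTL(DEVDAUTL)

  /* Check the coverage: lists every object the list secures.       */
  DSPAUTLOBJ AUTL(DEVDAUTL)
ENDPGM
```

Running DSPAUTLOBJ periodically shows which device descriptions were created without the list attached, since they will be missing from its output.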
Q: How can I tell which profiles on my system are IBM profiles and which ones were added by someone here?
A: IBM profiles all start with the letter "Q", but clearly not every profile that starts with a "Q" is guaranteed to be IBM supplied. For starters, here is a list of the "Q" profiles that are on a recently installed V5R3 system:
QAUTPROF IBM-supplied User Profile
QBRMS IBM-supplied User Profile
QCLUMGT IBM-supplied User Profile
QCLUSTER IBM-supplied User Profile
QCOLSRV IBM-supplied User Profile
QDBSHR Internal Data Base User Profile
QDBSHRDO Internal Data Base User Profile
QDFTOWN Default Owner for System Objects
QDIRSRV OS/400 Directory Services Server User Profile
QDLFM IBM-supplied User Profile
QDOC Internal Document User Profile
QDSNX IBM-supplied User Profile
QEJB IBM-supplied User Profile
QEJBSVR IBM-supplied User Profile
QFNC IBM-supplied User Profile
QGATE IBM-supplied User Profile
QIPP IBM-supplied User Profile
QLPAUTO IBM-supplied User Profile
QLPINSTALL IBM-supplied User Profile
QMGTC IBM-supplied User Profile
QMSF Mail Server Framework Profile
QNETSPLF Internal Spool Network Profile
QNFSANON IBM-supplied User Profile
QNTP IBM-supplied User Profile
QPEX IBM-supplied User Profile
QPGMR Programmer and Batch User
QPM400 IBM-supplied User Profile
QRJE IBM-supplied User Profile
QSECOFR Security Officer
QSNADS IBM-supplied User Profile
QSPL Internal Spool User Profile
QSPLJOB Internal Spool User Profile
QSRV Service User Profile
QSRVAGT IBM-supplied User Profile
QSRVBAS Basic Service User Profile
QSYS Internal System User Profile
QSYSOPR System Operator
QTCM IBM-supplied User Profile
QTCP Internal TCP/IP User Profile
QTFTP IBM-supplied User Profile
QTMHHTP1 HTTP Server CGI User Profile
QTMHHTTP HTTP Server User Profile
QTMPLPD ALLOW REMOTE LPR REQUESTERS
QTMTWSG 5250 HTML WORKSTATION GATEWAY PROFILE
QTSTRQS Test Request User Profile
QUSER Work Station User
QYCMCIMOM IBM-supplied User Profile
QYPSJSVR IBM-supplied User Profile


Now, this is not a comprehensive list of all possible IBM profiles, because the License Program Products that you have installed can affect which profiles are created on your system, but it is a good start. If you really want to be sure that a profile is IBM supplied, use the DSPOBJD command on the profile and look at its creation information. If the profile was created on system "00000000" by user "*IBM", it's an excellent bet that the profile was shipped with the operating system. Any other profile would be suspect.
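The DSPOBJD check described above, for one profile and then for all of them, as a CL sketch. This is an added example, not part of the original answer; the library AUDWORK and the file USRPRFD are placeholder names.

```cl
PGM
  /* Spot check one profile. The DETAIL(*FULL) display includes the */
  /* creation information: created by user and system created on.   */
  DSPOBJD OBJ(QSYS/QSECOFR) OBJTYPE(*USRPRF) DETAIL(*FULL)

  /* Same data for every user profile, written to an outfile so it  */
  /* can be queried. AUDWORK/USRPRFD is a placeholder name.         */
  DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) DETAIL(*FULL) +
          OUTPUT(*OUTFILE) OUTFILE(AUDWORK/USRPRFD)

  /* Review the outfile. The columns to compare are:                */
  /*   ODOBNM  profile name                                         */
  /*   ODCRTU  created by user   (*IBM for shipped profiles)        */
  /*   ODCRTS  created on system (00000000 for shipped profiles)    */
  /* A profile that starts with Q but carries any other creator or  */
  /* system is one that was added locally.                          */
  RUNQRY QRY(*NONE) QRYFILE((AUDWORK/USRPRFD))
ENDPGM
```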
Dan Riehl is a world-renowned security expert. He can be reached at dan.riehl@powertech.com.

John Earl is one of the nation's foremost security experts, with speaking engagements throughout the world. He regularly keynotes conferences and international symposiums and advises many of the Global 500 on their security programs. John can be reached at john.earl@powertech.com.