PT Ibmi Security Policy Guide

The document provides an example IBM i security standard configuration to adhere to security best practices. It outlines recommendations for physical security, data recoverability, data access security, and user profile security parameters.


DATASHEET (CYBERSECURITY)

IBM i Security Standard

PURPOSE

The purpose of this IBM i Security Standard is to provide you with an example of an IBM i (System i, iSeries, AS/400) security configuration that adheres to security best practices. You can use this standard and modify it to match the requirements of your organization’s security policy. This standard is copyrighted material of Fortra. There is no charge for its use. Copying, distribution, and modification issues are covered in the terms of the license agreement at the end of this document.

1.0 Physical Security

• Keep the computer system in a secure room, or in an area with limited personnel access.

• The computer room doors must have locks that can record who accessed the computer room on any given date and time.

• The computer room should have a limited number of windows, or no windows. If there are windows, you should have adequate barriers or alarms to prevent human access.

• Maintain a list of the people authorized to access the secured computer room and keep it updated.

• Anyone who is not on the list of authorized computer room users must sign in to enter the computer room, be escorted while in the room, and must sign out when they leave.

• The computer room must have adequate power and an uninterruptible power supply (UPS) to ensure continuous operations if regular power is unavailable. The UPS must provide adequate power for at least 10 minutes.

• The computer room must have a fire suppression system to minimize harm to people and damage to equipment in the event of a fire.

2.0 Data Recoverability

• Test the data recovery strategy at least annually.

• Back up the entire system, including the operating system and software utilities, quarterly.

• Back up business applications at least weekly.

• Back up data for business applications daily.

• Journal the data in database files to ensure up-to-the-second recoverability.

• Back up journal receivers in such a way that you have a full year of journal information that can be retrieved and restored easily.

Fortra.com
Fortra Guide IBM i Security Standard

• Encrypt all PII (personally identifiable information, such as driver’s license numbers, credit card numbers, and passport numbers) being written to tape or use an encrypted tape device.

• Do not store the encryption keys on the same tape or in the same receptacle as the encrypted data that can be unlocked with those keys.

• Store at least one version of backed-up data off-site.

• Transport all data moved off-site in locked storage boxes.

• Keep a copy of the inventory of the contents of each locked storage box in a different locked box and keep a master inventory list of the contents of all locked boxes.

3.0 Data Access Security

• Only users with a demonstrated business need should be authorized to read or change data.

• IT staff must not have access to production data without authorization. When IT staff needs access to production data, all of their activity must be audited.

• Do not replicate production data to any test environment without cleaning and scrambling sensitive data. Sensitive data is defined as PII and confidential company information.

• Confidential information must not be copied from a system or removed from the premises without authorization.

• Sign-on security: Modify the default sign-on display for an IBM i Telnet session as follows:

– Remove the Menu, Program, and Library fields from the default 5250 sign on.

– Reword the default error messages for invalid password and invalid user to “user profile or password not valid” to avoid providing clues to the problem.

– Add a statement that declares that the system is the private and proprietary property of the organization and that access is allowed only through prior authorization.

4.0 User Profile Security

• 4.1 – Common User Profile Parameters

Set these user profile parameters for all system users as follows:

– The text description must identify the user and their department.

– Set Display Signon Information to either “Yes” (DSPSGNINF(*YES)), or to the System Value (DSPSGNINF(*SYSVAL)).

– Set Password Expiration Interval to the System Value (PWDEXPITV(*SYSVAL)). Only set this to PWDEXPITV(*NOMAX) for service accounts.

– The public authority for the profile must remain at the default of “Exclude” (AUT(*EXCLUDE)).

• 4.2 – Non-IT User Profile Parameters

Set the User Profile parameters for a non-IT user as follows:

– Set the User Class to “User,” (USRCLS(*USER)).

– The Initial Program must be a program name and a library name (not “*LIBL”) that restricts the user to only the business applications they need for their job: (INLPGM(MyLib/MyPgm)).

– Set the Initial Menu to “Signoff,” (INLMNU(*SIGNOFF)).

– Set the Limit capabilities parameter to “Yes,” (LMTCPB(*YES)).

– Set the Special Authority parameter to “None,” (SPCAUT(*NONE)).

• 4.3 – System Operator User Profile Parameters

Set the User Profile parameters for a system operator as follows:

– Set the User Class to “System Operator,” (USRCLS(*SYSOPR)).

– Set the Initial Menu to either the IBM i Main Menu (INLMNU(MAIN)), or to another appropriate menu.

– Set the Limit capabilities parameter to “Partial,” (LMTCPB(*PARTIAL)).

• 4.4 – Application Programmer User Profile Parameters

Set the user profile parameters for an application programmer as follows:

– Set the User Class to “Programmer,” (USRCLS(*PGMR)).

– Set the initial menu to either the IBM i Main Menu (INLMNU(MAIN)), or to another appropriate menu.

– Set the Limit capabilities parameter to “Partial,” (LMTCPB(*PARTIAL)).

– Set the Special Authority parameter to “Job Control,” (SPCAUT(*JOBCTL)).

– Any application programmers that need more special authorities should receive those on a temporary, as-needed basis.

• 4.5 – System Administrator User Profile Parameters

Set the User Profile parameters for a system administrator as follows:

– Set the User Class to “Security Officer,” (USRCLS(*SECOFR)).

– Set the Initial Menu to either the IBM i Main Menu (INLMNU(MAIN)), or to another appropriate menu.

– Set the Limit capabilities parameter to “No,” (LMTCPB(*NO)).

• 4.6 – Powerful User IDs

Regularly review the list of powerful user profiles. A powerful user profile is defined as any profile that has one or more IBM i special authorities, or has the ability to make direct updates to production data without using an approved application interface.

– Users whose profiles have any IBM i special authorities (*ALLOBJ, *SECADM, and so forth) must have specific management authorization to those special authorities.

– Limit the use of profiles with IBM i special authorities to operational need. During the times that a special authority is not required, the user should not have it assigned to their active profile. Elevated privileges can be provided by elevating to a more privileged account via Powertech Authority Broker.

– Users with *ALLOBJ and/or *SECADM special authority must have *CMD auditing configured: CHGUSRAUD USRPRF(XXX) AUDLVL(*CMD).

– Produce a log of activity for each session of a powerful user and review it.

• 4.7 – Group Profiles

– Configure group profiles with the following attributes:

• SPCAUT(*NONE) – where possible
• PASSWORD(*NONE)
• PWDEXPITV(*SYSVAL)
• STATUS(*DISABLED)
• LMTCPB(*YES)
• INLPGM(*NONE)
• INLMNU(*SIGNOFF)
• ATNPGM(*NONE)

– Group profiles must not own application objects.

– Group profiles must have a text description that clearly indicates the profile is a group profile.
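The parameter rules in sections 4.1 to 4.7 are easiest to apply across hundreds of profiles when they are written down as data and checked mechanically. The script below is an added example, not Fortra's code or any Powertech product: it encodes the per-class expectations, the group-profile attribute list and the *CMD-auditing rule for *ALLOBJ/*SECADM holders, and runs them over a handful of constructed profile records. The Profile fields and the sample records are this example's own construction, modelled on the attributes DSPUSRPRF reports; a real run would load them from a DSPUSRPRF outfile instead.

```python
# Added example, not Fortra's code: audit user-profile attributes against
# sections 4.1 to 4.7. The Profile fields and the sample records are this
# example's own construction, modelled on the attributes DSPUSRPRF reports.
from dataclasses import dataclass, field

# Per-class expectations from sections 4.2 to 4.5. None = the standard does
# not fix one value for that class; an empty set means SPCAUT(*NONE).
CLASS_POLICY = {
    "*USER":   {"LMTCPB": "*YES",     "SPCAUT": set(),       "INLMNU": "*SIGNOFF"},
    "*SYSOPR": {"LMTCPB": "*PARTIAL", "SPCAUT": None,        "INLMNU": None},
    "*PGMR":   {"LMTCPB": "*PARTIAL", "SPCAUT": {"*JOBCTL"}, "INLMNU": None},
    "*SECOFR": {"LMTCPB": "*NO",      "SPCAUT": None,        "INLMNU": None},
}
# Section 4.7: attributes every group profile must carry.
GROUP_POLICY = {"PASSWORD": "*NONE", "PWDEXPITV": "*SYSVAL", "STATUS": "*DISABLED",
                "LMTCPB": "*YES", "INLPGM": "*NONE", "INLMNU": "*SIGNOFF", "ATNPGM": "*NONE"}

@dataclass
class Profile:
    name: str
    usrcls: str
    lmtcpb: str
    inlmnu: str
    inlpgm: str                      # "*NONE" or "LIBRARY/PROGRAM"
    spcaut: set = field(default_factory=set)
    audlvl: set = field(default_factory=set)   # user auditing set by CHGUSRAUD
    pwdexpitv: str = "*SYSVAL"
    dspsgninf: str = "*SYSVAL"
    aut: str = "*EXCLUDE"            # public authority to the profile object
    text: str = ""
    password: str = "*SET"           # "*NONE" or "*SET"; the secret itself is never stored
    status: str = "*ENABLED"
    atnpgm: str = "*NONE"
    is_group: bool = False           # named by other profiles in GRPPRF/SUPGRPPRF
    service_account: bool = False

def audit_profile(p):
    """Return the findings for one profile; an empty list means compliant."""
    findings = []
    # 4.1 common parameters
    if not p.text.strip():
        findings.append("4.1 TEXT must identify the user and their department")
    if p.dspsgninf not in ("*YES", "*SYSVAL"):
        findings.append("4.1 DSPSGNINF must be *YES or *SYSVAL")
    if p.pwdexpitv == "*NOMAX" and not p.service_account:
        findings.append("4.1 PWDEXPITV(*NOMAX) is only permitted for service accounts")
    elif p.pwdexpitv not in ("*SYSVAL", "*NOMAX"):
        findings.append("4.1 PWDEXPITV must be *SYSVAL")
    if p.aut != "*EXCLUDE":
        findings.append("4.1 public authority to the profile must stay AUT(*EXCLUDE)")
    if p.is_group:
        # 4.7 group profiles have their own attribute list
        actual = {"PASSWORD": p.password, "PWDEXPITV": p.pwdexpitv, "STATUS": p.status,
                  "LMTCPB": p.lmtcpb, "INLPGM": p.inlpgm, "INLMNU": p.inlmnu, "ATNPGM": p.atnpgm}
        findings += [f"4.7 group profile {k} is {actual[k]}, expected {want}"
                     for k, want in GROUP_POLICY.items() if actual[k] != want]
        if p.spcaut:
            findings.append("4.7 group profile should have SPCAUT(*NONE) where possible")
        return findings
    # 4.2 to 4.5 per-class parameters
    pol = CLASS_POLICY.get(p.usrcls)
    if pol is None:
        findings.append(f"user class {p.usrcls} is not covered by the standard")
    else:
        if p.lmtcpb != pol["LMTCPB"]:
            findings.append(f"LMTCPB is {p.lmtcpb}, expected {pol['LMTCPB']} for {p.usrcls}")
        if pol["SPCAUT"] is not None and p.spcaut != pol["SPCAUT"]:
            findings.append(f"SPCAUT is {sorted(p.spcaut) or '*NONE'}, expected {sorted(pol['SPCAUT']) or '*NONE'}")
        if pol["INLMNU"] is not None and p.inlmnu != pol["INLMNU"]:
            findings.append(f"INLMNU is {p.inlmnu}, expected {pol['INLMNU']}")
        if p.usrcls == "*USER" and ("/" not in p.inlpgm or p.inlpgm.upper().startswith("*LIBL/")):
            findings.append("4.2 INLPGM must name a library and program, not *LIBL")
    # 4.6 *ALLOBJ / *SECADM holders need command auditing
    if p.spcaut & {"*ALLOBJ", "*SECADM"} and "*CMD" not in p.audlvl:
        findings.append("4.6 *ALLOBJ/*SECADM profile lacks CHGUSRAUD AUDLVL(*CMD)")
    return findings

def powerful_users(profiles):
    """Section 4.6: every profile holding one or more special authorities."""
    return sorted(p.name for p in profiles if p.spcaut)

# Constructed sample records
SAMPLE = [
    Profile("JSMITH", "*USER", "*YES", "*SIGNOFF", "APPLIB/ORDERS", text="J Smith, Finance"),
    Profile("BJONES", "*USER", "*NO", "*SIGNOFF", "*LIBL/ORDERS", text="B Jones, Sales"),
    Profile("OPS1", "*SYSOPR", "*PARTIAL", "MAIN", "*NONE", spcaut={"*JOBCTL", "*SAVSYS"}, text="Ops, IT"),
    Profile("ADMIN1", "*SECOFR", "*NO", "MAIN", "*NONE", spcaut={"*ALLOBJ", "*SECADM"}, text="Admin, IT"),
    Profile("GRPFIN", "*USER", "*YES", "*SIGNOFF", "*NONE", password="*NONE", status="*ENABLED",
            text="Group profile: Finance", is_group=True),
]

if __name__ == "__main__":
    for prof in SAMPLE:
        for finding in audit_profile(prof):
            print(f"{prof.name}: {finding}")
    print("powerful users:", powerful_users(SAMPLE))
```

Group profiles are checked against the 4.7 list instead of their user class, because a group profile with PASSWORD(*NONE) and STATUS(*DISABLED) is never signed on to; the 4.6 check fires on the presence of *ALLOBJ or *SECADM regardless of class, which is the condition the standard ties to CHGUSRAUD.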

“The integrity of any operating system depends not only on the existence of robust security controls but also on the correct configuration of those controls. Risk is elevated whenever either of those elements is lacking.”


• 4.8 – IBM-Supplied User Profiles

– Do not use IBM profiles as a group profile for any user.

– IBM profiles must not own any objects created by users on the system. Exception: The QSECOFR profile must be the owner of all other user profiles.

– No user should be granted a private authority to any IBM-supplied user profile.

– The following IBM-supplied user profiles must have a password of *NONE. They should be given a password only for authorized use of the profile:

QSYSOPR QPGMR QUSER QSRV
QSRVBAS QBRMS
QDESADM QDESUSR QEJB QEJBSVR
QMGM QMQMADM QNETSPLF QNETWARE
QNFSANON QRJE QTCM QTIVOLI
QTIVROOT QTIVUSER QTMHHTP1 QTMHTTP
QTMPLPD QUMB

• 4.9 – The QSECOFR Profile

– Have a defined process for managing (who can use and change the password for) the QSECOFR user profile.

– See Appendix A for a list of the people who have the authority to use, or grant use to, the QSECOFR password.

– Avoid using the QSECOFR profile. QSECOFR should only be used to upgrade the operating system—not for everyday use. In nearly every situation, a copy of the QSECOFR profile with the same IBM i special authorities will satisfy the organization’s needs.

• 4.10 – Non-IBM-Supplied User Profiles

– User profiles supplied or created by other vendors must have a password of *NONE. If a password is required, set it to be a strong password—not a default.

– Do not use vendor-supplied user profiles as a group profile, especially if the vendor-supplied profile owns application objects.

• 4.11 – Passwords

– Keep passwords secret and do not share them with others.

– No IT person should ever ask a user to reveal their password.

– No user should ever disclose their password to another user for any reason.

– No user profile should ever have a default password, either where the password is equal to the User ID name, or the password is set to a published or known value.

• In V7R2 and later, set QPWDRULES to *LMTPRFNAME and *ALLCRTCHG to prevent default passwords.

– User provisioning should set initial passwords. These passwords should be generated randomly and the user should be required to change the password on first use. Set PWDEXP to *YES.

– See the System Configuration section of this document for the system value settings that control the password composition rules.

• 4.12 – Changing Passwords

– Change passwords at least every 90 days.

• QPWDEXPITV(90)

– A new password should be different from the last 10 of the user’s passwords.

– When a profile is initially provisioned or if the Help Desk or other facility changes a user’s password, it should be configured to require that it be changed on first use.

• 4.13 – Inactive Users

– Disable all users that have not logged on to the system in the last 60 days.

– Delete all users that have not logged on to the system in the last 120 days.

– When a user is deleted, assign any objects owned by that user to the user’s group profile or a profile created to own these objects.
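Sections 4.11 and 4.12 point to the QPWDRULES values in the System Configuration table without spelling out what each value demands of a password. The script below is an added example, not Fortra's or IBM's code: it models the recommended rule values (*MINLEN8, *MAXLEN128, *DGTMIN1, *LMTPRFNAME, *REQANY3), the "no default password" rule, and the provisioning flow of a randomly generated initial password set with PWDEXP(*YES). The operating system enforces the real rules once QPWDRULES is set; this code only shows what they mean. The ALPHABET used for generated passwords and the known_defaults parameter are this example's assumptions.

```python
# Added example, not Fortra's or IBM's code: a model of the QPWDRULES values this
# standard recommends, plus the "no default password" and "change on first use"
# rules of sections 4.11 and 4.12. The operating system enforces the real rules
# once QPWDRULES is set (QPWDLVL 3 allows the mixed-case passwords *REQANY3 needs);
# this code only shows what each rule demands. ALPHABET is an assumption.
import secrets
import string

# Rule values from the section 5.0 table, expressed as data.
RULES = {"*MINLEN8": 8, "*MAXLEN128": 128, "*DGTMIN1": 1, "*LMTPRFNAME": True, "*REQANY3": 3}
SPECIAL = set(string.punctuation)
# Characters used for generated initial passwords (assumed acceptable to the
# system; quote characters are left out so the CL command below needs no escaping).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def char_classes(password):
    """Number of character classes present: upper, lower, digit, special."""
    return sum([any(c.isupper() for c in password),
                any(c.islower() for c in password),
                any(c.isdigit() for c in password),
                any(c in SPECIAL for c in password)])

def check_password(user, password, rules=RULES, known_defaults=frozenset()):
    """Return the violated rule names as a tuple; an empty tuple means acceptable."""
    violations = []
    if len(password) < rules["*MINLEN8"]:
        violations.append("*MINLEN8")
    if len(password) > rules["*MAXLEN128"]:
        violations.append("*MAXLEN128")
    if sum(c.isdigit() for c in password) < rules["*DGTMIN1"]:
        violations.append("*DGTMIN1")
    # *LMTPRFNAME: the upper-cased password may not contain the complete
    # profile name in consecutive positions
    if rules["*LMTPRFNAME"] and user.upper() in password.upper():
        violations.append("*LMTPRFNAME")
    # *REQANY3: characters from at least three of the four classes
    if char_classes(password) < rules["*REQANY3"]:
        violations.append("*REQANY3")
    # 4.11: never a default password (equal to the user ID or a known value)
    if password.upper() == user.upper() or password in known_defaults:
        violations.append("DEFAULT-PASSWORD")
    return tuple(violations)

def generate_initial_password(user, length=16):
    """Random initial password for provisioning that passes check_password."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(user, candidate):
            return candidate

def provisioning_command(user, password):
    """CL to set the initial password and force a change at first sign-on (4.11, 4.12)."""
    return f"CHGUSRPRF USRPRF({user}) PASSWORD('{password}') PWDEXP(*YES)"

if __name__ == "__main__":
    for user, pw in [("JSMITH", "jsmith1"), ("JSMITH", "Tr0ub4dor&3"), ("QUSER", "QUSER")]:
        print(user, pw, check_password(user, pw) or "ok")
    new_pw = generate_initial_password("JSMITH")
    print(provisioning_command("JSMITH", new_pw))
```

The *LMTPRFNAME test is deliberately case-insensitive on the whole profile name, which is what makes "jsmith1" fail for user JSMITH; the *ALLCRTCHG value from the table has no counterpart here because it governs when the system applies the rules (on CRTUSRPRF and CHGUSRPRF as well as CHGPWD), not what the rules are.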


5.0 System Configuration

• Review IBM i system values weekly to determine their state of compliance.

• Set and maintain IBM i system values using the following policy:

Value         Policy Settings

QALWOBJRST    *NONE

QALWUSRDMN    Shall not contain the value *ALL

QAUDCTL       *AUDLVL, *OBJAUD, *NOQTEMP

QAUDENDACN    *NOTIFY

QAUDFRCLVL    *SYS

QAUDLVL       *AUTFAIL, *CREATE, *DELETE, *OBJMGT, *SYSMGT, *SAVRST, *SECURITY, *SERVICE, *PGMFAIL, *PTFOPR (V7R2 and later)

QAUTOCFG      0

QAUTORMT      0

QAUTOVRT      100

QCRTAUT       *EXCLUDE or modify the app

QCRTOBJAUD    *NONE

QDEVRCYACN    *DSCMSG

QDSCJOBITV    120

QDSPSGNINF    0 – set this value to 1 in administrator’s user profile

QFRCCVNRST    3

QINACTITV     15 (Note: if this value cannot be set, set a policy at the network to time-out the workstation.)

QINACTMSGQ    *DSCJOB

QMAXSGNACN    2 or 3

QMAXSIGN      5

QPWDEXPITV    90 (or less)

QPWDCHGBLK    24 (or greater)

QPWDLVL       3


Value         Policy Settings

QPWDRULES     *MINLEN8, *MAXLEN128, *DGTMIN1, *LMTPRFNAME, *REQANY3, *ALLCRTCHG (V7R2 and later)

QPWDRQDDIF    5

QPWDVLDPGM    *NONE

QRETSVRSEC    1

QRMTIPL       0

QRMTSIGN      *VERIFY

QRMTSRVATR    No recommendation

QSECURITY     40

QSHRMEMCTL    1

QSSL*         Configured to allow *TLS12 and *TLS1.3 and the strongest ciphers supported by the release

QUSEADPAUT    An authorization list

QVFYOBJRST    3 or 5
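The weekly review the section opens with is only repeatable if the policy table is encoded once and compared against a fresh snapshot each time. The script below is an added example, not Fortra's code: it turns the table into data with a small set of comparators (exact value, one of several, numeric ceiling or floor, must contain, must not contain), handles the rows marked "V7R2 and later" by release, and reports every deviation in a constructed snapshot. Rows that call for judgement rather than a fixed value (QCRTAUT, QRMTSRVATR, QSSL*, QUSEADPAUT) are left out; the comparator keywords and the snapshot format (plain strings, multi-valued system values space-separated, as DSPSYSVAL shows them) are this example's own assumptions.

```python
# Added example, not Fortra's code: compare a snapshot of IBM i system values
# with the section 5.0 policy table. Rows are encoded as (comparator, expected);
# the comparator keywords and the snapshot format are this example's own.
EXACT = {"QALWOBJRST": "*NONE", "QAUDENDACN": "*NOTIFY", "QAUDFRCLVL": "*SYS",
         "QAUTOCFG": "0", "QAUTORMT": "0", "QAUTOVRT": "100", "QCRTOBJAUD": "*NONE",
         "QDEVRCYACN": "*DSCMSG", "QDSCJOBITV": "120", "QDSPSGNINF": "0", "QFRCCVNRST": "3",
         "QINACTITV": "15", "QINACTMSGQ": "*DSCJOB", "QMAXSIGN": "5", "QPWDLVL": "3",
         "QPWDRQDDIF": "5", "QPWDVLDPGM": "*NONE", "QRETSVRSEC": "1", "QRMTIPL": "0",
         "QRMTSIGN": "*VERIFY", "QSECURITY": "40", "QSHRMEMCTL": "1"}
POLICY = {name: ("eq", value) for name, value in EXACT.items()}
POLICY.update({
    "QALWUSRDMN": ("excludes", {"*ALL"}),
    "QAUDCTL":    ("contains", {"*AUDLVL", "*OBJAUD", "*NOQTEMP"}),
    "QAUDLVL":    ("contains", {"*AUTFAIL", "*CREATE", "*DELETE", "*OBJMGT", "*SYSMGT",
                                "*SAVRST", "*SECURITY", "*SERVICE", "*PGMFAIL", "*PTFOPR"}),
    "QMAXSGNACN": ("in", {"2", "3"}),
    "QPWDEXPITV": ("max", 90),      # "90 (or less)"
    "QPWDCHGBLK": ("min", 24),      # "24 (or greater)"
    "QPWDRULES":  ("contains", {"*MINLEN8", "*MAXLEN128", "*DGTMIN1", "*LMTPRFNAME",
                                "*REQANY3", "*ALLCRTCHG"}),
    "QVFYOBJRST": ("in", {"3", "5"}),
})
# Values the table marks "V7R2 and later": required only from that release on.
RELEASE_GATED = {"QAUDLVL": ((7, 2), {"*PGMFAIL", "*PTFOPR"}),
                 "QPWDRULES": ((7, 2), {"*ALLCRTCHG"})}

def evaluate(raw, comparator, expected):
    """Return None when the value meets the row, else a description of the deviation."""
    value = raw.strip()
    if comparator == "eq":
        return None if value == expected else f"is {value!r}, expected {expected!r}"
    if comparator == "in":
        return None if value in expected else f"is {value!r}, expected one of {sorted(expected)}"
    if comparator in ("max", "min"):
        try:
            n = int(value)
        except ValueError:            # e.g. *NOMAX where a number is required
            return f"is {value!r}, expected a number"
        if comparator == "max":
            return None if n <= expected else f"is {n}, must be {expected} or less"
        return None if n >= expected else f"is {n}, must be {expected} or greater"
    actual = set(value.split())       # multi-valued system values, space separated
    if comparator == "contains":
        missing = expected - actual
        return None if not missing else f"missing {sorted(missing)}"
    if comparator == "excludes":
        present = expected & actual
        return None if not present else f"must not contain {sorted(present)}"
    raise ValueError(f"unknown comparator {comparator}")

def check_system_values(snapshot, release=(7, 2)):
    """Return {system value: deviation} for every policy row the snapshot fails."""
    findings = {}
    for name, (comparator, expected) in POLICY.items():
        if name in RELEASE_GATED and release < RELEASE_GATED[name][0]:
            expected = expected - RELEASE_GATED[name][1]
        if name not in snapshot:
            findings[name] = "not present in snapshot"
            continue
        deviation = evaluate(snapshot[name], comparator, expected)
        if deviation:
            findings[name] = deviation
    return findings

def compliant_baseline():
    """Constructed snapshot that satisfies every row (used to exercise the checker)."""
    base = {}
    for name, (comparator, expected) in POLICY.items():
        if comparator == "eq":
            base[name] = expected
        elif comparator == "in":
            base[name] = min(expected)
        elif comparator in ("max", "min"):
            base[name] = str(expected)
        elif comparator == "contains":
            base[name] = " ".join(sorted(expected))
        else:                         # excludes: any value outside the banned set
            base[name] = "QTEMP"
    return base

# Constructed snapshot with four deliberate deviations.
SAMPLE = {**compliant_baseline(),
          "QPWDEXPITV": "*NOMAX",     # passwords never expire
          "QALWUSRDMN": "*ALL",       # user-domain objects allowed in every library
          "QAUDLVL": "*AUTFAIL *CREATE *DELETE *OBJMGT *PGMFAIL *SAVRST *SECURITY *SERVICE *SYSMGT",
          "QSECURITY": "30"}

if __name__ == "__main__":
    for name, why in sorted(check_system_values(SAMPLE).items()):
        print(f"{name}: {why}")
```

Treating QPWDEXPITV as a numeric ceiling is what catches *NOMAX, which an exact-match check against "90" would also reject but without saying why; the release parameter lets the same policy file serve a V7R1 partition without reporting *PTFOPR or *ALLCRTCHG as missing there.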


6.0 Network Configuration Settings

• Set and maintain network configuration settings as follows:

Value     Policy Settings

DDMACC    Use Powertech Exit Point Manager

JOBACN    *REJECT (unless still using SNADS)

PCSACC    *REGFAC

• Install and configure Powertech Exit Point Manager to log and control access through network access such as FTP and ODBC.

• Restrict the QPWFSERVER authorization list to secure the /QSYS.LIB file system.

• Root, QOpenSys, and /QSYS.LIB cannot be shared.

• Regularly scan the IFS for malware using Powertech Antivirus.

7.0 Object Authorities

• The following can generally be set to *PUBLIC *USE:

– Libraries where the general public can use the objects

– Directories—DTAAUT(*RX) OBJAUT(*NONE)

– Programs, service programs

– Display files

– Message files

• The following may need to be *PUBLIC *CHANGE:

– Libraries where temporary objects are being created (e.g., queries)

– OUTQs, MSGQs

– DEVDs

• The following applies to *FILES:

– Files containing confidential or private data—*EXCLUDE

– Files containing data anyone can see—*USE

8.0 IFS (Integrated File System)

• Set Root (‘/’), /home and QOpenSys directories to DTAAUT(*RX) OBJAUT(*NONE).

• Directories containing private data must be set to DTAAUT(*EXCLUDE) OBJAUT(*NONE) and only authorized to those profiles that have a business need to access the data.

9.0 Auditing

• Configure IBM i auditing.

• Retain Audit Journal receivers for at least 12 months.

• Set the QAUDLVL system values according to the System Configuration section in this document.

• Turn on User Auditing for every powerful user on the system.


9.0 Other Topics for Consideration


• Output queue security

• Job queue security

• Monitoring database changes

• Authorities to sensitive programs

• Virus protection

• Encryption

– Sensitive information on disk

– Backup tapes

– Transmitted data

• Data classification policy

• PTF-level policy

• Programs that adopt authority

APPENDIX A
• The QSECOFR Profile

• In the space below, list everyone who has authority to use or change the QSECOFR password:


License Agreement
This Fortra Security Standard is provided to you free of charge, but is still protected by copyright law. Your use of this policy is
subject to the terms and conditions below:

1. Give us credit! You may copy and distribute this policy, provided you conspicuously publish a copyright notice (© 2024 Fortra)
and always include the disclaimer of warranty and the part where we warn you that we’re not going to be liable for the
consequences of anyone using the recommendations in this policy (it keeps us out of hot water). You have to include a
complete copy of this license and the warranty disclaimer in any copy you distribute to anybody else. One more thing—we
provided this policy to you free of charge, so you can’t charge other people for access to and/or use of this policy.

2. You may modify any portion of the policy and distribute this new version, as long as you don’t violate the terms of Section 1
and you agree to all of these conditions we’re about to lay out:

• If you change the policy, you have to take credit for (or own up to) your changes with a prominent notice stating what
changed and when.

• If you distribute or publish any part of this policy, or you derive a new policy from it, you have to license the new work(s) for
free too. No matter who you send it to, you can’t charge them a fee for the policy.

• Pay attention to this part because it’s real important: If you change the policy, you have to send a copy of your modifications
to Fortra at [email protected] and you grant Fortra a worldwide, royalty-free irrevocable, perpetual license to use, modify, and
distribute your modifications as part of the policy. We’ll have a look at your submission and decide if we want to include it
in a future release of the policy. No, we’re not going to pay you for it, but yes we will give you named credit as a contributor
(unless you ask us to keep your identity anonymous). Isn’t that what Open Source is all about?

3. You don’t have to accept this license—you haven’t signed anything. It doesn’t even affect you if you’re just reading the policy.
However, nothing else grants you permission to copy, distribute or modify the policy. By definition if you copy, distribute,
modify, or derive works from the policy, you have accepted the license and all of its terms.

4. This policy is licensed free of charge, so there is no warranty, expressed or implied. If you are considering using this policy, we
assume you’re an experienced IBM i professional and are intelligent enough to test any potential impacts of the policy before
you implement any recommendations. You must make up your own mind as to whether the recommendations in this policy
are right for your systems. If you use this policy or its recommendations, you agree that Fortra is not liable for any problems or
damage you may do to your system. If you can’t accept these conditions, don’t use the policy.

About Fortra
Fortra is a cybersecurity company like no other. We’re creating a simpler, stronger future for our customers. Our trusted experts and portfolio of integrated, scalable solutions bring balance and control to organizations around the world. We’re the positive changemakers and your relentless ally to provide peace of mind through every step of your cybersecurity journey. Learn more at fortra.com.

© Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective owners. (fta-pt-gd-0324-r2-as)
