Contributed July 16, 2001 by Karen R Bogner (Bogner.Karen@mayo.

edu)

AS/400 Logical Security

Obtain List of System Values WRKSYSSVAL *PRINT

Review the system values to ensure the default security values are properly set

Inquire if the dedicated service tools (DST) passwords have been changed and secured
(where and who knows). If known or not changed, a user could change the QSECOFR
password. Default passwords are QSECOFR, 11111111, or 22222222.
Is use monitored and logged?

Display all users on the system by user and group profiles Obtain DSPAUTUSR
(*PRINT)

a) Review password last change date and last sign-on date for profiles never used or not
used in over one month. (Ensure no passwords are default passwords and review process
to monitor passwords never changed.)

b) Group profiles should have PASSWORD (*NONE) to ensure job accountability - verify
by exception for all group profiles.

c) Review profiles that adopt QSECOFR as a group for necessity.

d) For the 20 IBM supplied standard ID's, verify that passwords have been set to *NONE
to prevent sign-on (changed for QSECOFR and QSYSOPR).

QLPAUTO QLPINSTALL QSPL QRJE QFNC QGATE QPGMR QSRVBAS QSRV

QSYS QDOC QDBSHR QDFTOWN QUSER QSPLJOB QSNADS QDSNX

From the user profile query, review users and groups for the following attributes:

a) Review all assigned the (QSECOFR) profile for

Appropriateness. If QSECOFR is used as a group profile, use the DSPAUTUSR
command, sorted by group, to determine group profile members. Evaluate the propriety of
each user assigned to the group.

b) Allocation of special authorities

(*ALLOBJ,*SECADM,*SAVSYS,*JOBCTL,*SERVICE,*SPLCTL, AND *AUDIT) Evaluate
the propriety of each user assigned any of these authorities.

c) Use of LMTCPB(*NO) and LMTCPB (*Partial). End users should be restricted to

LMTCPB*YES
 Note: Users that have LMTCPB(*Partial) need to be reviewed for necessity. Partial
allows use of system commands, but restrict the user from changing their initial program
and menu at the sign-on screen . Users do have the ability to change the initial menu via
the change profile command (CHGPRF).

d) See additional procedures

e) Use of ATNPGM parameter (overrides QATNPGM-Attention-key parameter) and

LMTDEVSSN parameter (overrides QLMTDEVSSN allowing sign-on on more than one
workstation) parameters that override the system values and appropriate use of initial
menu / initial program to restrict end users to specific menus (Should be set to *SYSVAL)

f) Obtain a list of new hires and terminations during the past year from personnel -
verify a sample of 5 new hires were granted appropriate access according to their job
function and approved by management. Verify terminated employees have been disabled
or deleted from the system.

Review the menu structure in place and how users are authorized access to programs and
data as follows:
a) Use IBM menus or a menuing program?
b) Does the menu program use the AS/400 user profile?
c) Has the menu structure been properly implemented to eliminate user exits off the
menu?
d) Has the attention key program been disabled?

If a user has an initial program, *SIGNOFF should be used as the initial menu user profile
parameter. This will take the user back to the sign on screen when they back out of the
application (initial program) they are in versus going to a system menu and command line
access. This is an effective way to ensure users only perform functions assigned to them.

Obtain the All Authorization Lists used-WRKAUTL. If used, review a sample of authority
lists and privileges. Ensure object management and existence rights are minimized

Obtain a list of programs that adopt the QSECOFR profile. Use DSPPGMADP
USRPRF(QSECOFR).

Review a sample of programs that adopt (DSPPGMADP) user profiles with critical special
authorities, (*ALLOBJ or *SECADM). Ensure propriety of programs - look for programs
written by the client that are interactive, batch pgms are of less risk. Verify adopting
programs prevent the user from excess functions; for example, command entry while
running under the adopted profile. Inspect adopting programs with the security officer to
prevent the user of the program from excess functions.

Review Authority Holders if used. Run DSPAUTHLR to determine if any exist. If found
determine purpose
determine purpose

Review a sample of job descriptions with *PUBLIC authority that do not specify
USER(*RQD) for appropriateness. For job descriptions that reference another user profile,
verify public and individual access to the referenced user profile is restricted (should be
*PUBLIC *EXCLUDE). Otherwise, a user could submit jobs using another, publicly
accessible job description, and execute functions the user is not authorized to perform.
(Only perform this step if security is 30 or lower)

Identify key individuals (all IS staff and any unusual profiles) and review their full profile
information for objects owned and authorized to. Verify rights are appropriate for job
responsibilities. Use DSPUSRPRF USRPRF(userid) TYPE (*ALL) OUTPUT (*PRINT) for
users selected.

Review security monitoring procedures - QAUDJRNL should be monitored regularly for

security exceptions - changing authority, deletions, etc. (used with QAUDLVL).

Review the history log for security violations (only perform if client is not using QAUDLVL &
QAUDJRNL):

DSPLOG LOG(QHST) PERIOD((*AVAIL 010195)(*AVAIL 020195)) MSGID(CPF2200)

and CPF1397 (message for varying off terminals)
*Need to review to determine time frames

Verify access to the system console is restricted as the system console submits all jobs at
priority 10. Determine where key is kept and what setting is used on System Key Lock.
Review the QCONSOLE parameter on the systems value report. Determine that the
console device noted is physically secure. Review the object authority to the device by
using the DSPOBJAUT command to determine the device’s public authority and users
specifically authorized to the device. Evaluate for appropriateness.

Determine which users have access to the command line. Review authorities over
sensitive commands using DSPOJAUT to ensure authorities are appropriate.

Obtain a Complete Library listing- WRKOBJPDM QSYS (F 21 to print) and review for the
following:

a. Review production library access - ensure programmers have only *USE access to
production libraries, files and programs within the libraries. Ensure access to libraries is
based upon need. Review policy regarding access. If access is not restricted at the library
level-use the Display Object Authority command and determine whether public authority
access (PUBAUT) at database or code file level is *EXCLUDE and individual accesses
allowed are appropriate.
allowed are appropriate.

b. Review the QGPL library -IBM supplied dumping ground. Review who has access to
this library. Productive programs or data should not exist in this library.

c. Verify access to IBM supplied libraries has been restricted to read or exclude access.

Review policies and procedures for backup and off-site storage of program and data files.
Assess adequacy.

Review change management processes at a high level to determine potential security

issues as they relate to AS 400 operating systems.