AS400 Audit
Review the security system values (WRKSYSVAL SYSVAL(*SEC)) to ensure they have been set deliberately rather than left at the shipped defaults.
Inquire whether the dedicated service tools (DST) passwords have been changed and how they are secured (where they are kept and who knows them). The DST user IDs QSECOFR, 22222222 and 11111111 ship with passwords equal to the user ID; if these are unchanged or widely known, anyone with console access can use DST to reset the QSECOFR password. Is DST use monitored and logged?
Display all users on the system by user profile and by group profile: obtain DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT).
a) Review the password last changed date and last sign-on date for profiles never used or not used in over one month (DSPAUTUSR shows the password change date; the previous sign-on date is on DSPUSRPRF). Ensure no passwords are still IBM defaults, and review the process for monitoring passwords that are never changed.
b) Group profiles should have PASSWORD(*NONE) so that nobody can sign on as the group and job accountability is preserved. Verify by exception for all group profiles.
d) For the IBM-supplied standard profiles, verify that passwords have been set to *NONE to prevent sign-on. QSECOFR and QSYSOPR keep a password, so for those verify the shipped default has been changed.
From the user profile listing, review users and groups for the following attributes:
f) Obtain a list of new hires and terminations during the past year from personnel -
verify a sample of 5 new hires were granted appropriate access according to their job
function and approved by management. Verify terminated employees have been disabled
or deleted from the system.
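The profile checks above (stale or never-used profiles, group profiles with passwords, IBM-supplied profiles that can still sign on) are easier to apply to a full export than to a printed list. The following is an added example, not part of the original audit program: it screens a CSV export of user profiles (for instance DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) followed by CPYTOIMPF) and also reports profiles holding *ALLOBJ or *SECADM without LMTCPB(*YES), which is the command line exposure reviewed later in this program. The column headers and the sample rows are constructed assumptions; the real outfile field names differ, so map them to these headers before use.

```python
"""Screen an exported user profile list for the audit items above.

Added example (not from the original audit program). Assumes the export
was renamed to the CSV headers used in SAMPLE_CSV; dates are ISO
(YYYY-MM-DD) and a blank date means "never".
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export, not data from a real system.
SAMPLE_CSV = """\
profile,group,status,no_password,pwd_changed,last_signon,limit_capabilities,special_authorities
QSECOFR,,*ENABLED,*NO,2023-11-02,2024-01-14,*NO,*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *SPLCTL *AUDIT *IOSYSCFG
QSYSOPR,,*ENABLED,*NO,2023-06-01,2024-01-13,*NO,*JOBCTL *SAVSYS
QPGMR,,*ENABLED,*NO,2019-03-01,,*NO,*JOBCTL *SAVSYS
QUSER,,*ENABLED,*YES,,,*YES,
PAYROLL,,*ENABLED,*NO,2023-08-15,2023-09-01,*NO,
GRPACCT,,*ENABLED,*YES,,,*NO,
JSMITH,GRPACCT,*ENABLED,*NO,2023-12-20,2024-01-12,*YES,
TEMPUSR,,*ENABLED,*NO,2022-05-05,2022-05-05,*NO,*ALLOBJ
"""

# Step d): these two IBM profiles keep a (changed) password; all other
# IBM-supplied profiles should be PASSWORD(*NONE).
IBM_EXCEPTIONS = {"QSECOFR", "QSYSOPR"}
CRITICAL_SPECIAL = {"*ALLOBJ", "*SECADM"}


def parse_export(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_date(value):
    return date.fromisoformat(value) if value else None


def review_profiles(rows, today_iso, stale_days=30):
    """Return (profile, finding) tuples for the checklist items."""
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=stale_days)
    # Any profile named as somebody's group is a group profile.
    groups = {r["group"] for r in rows if r["group"]}
    findings = []
    for r in rows:
        name = r["profile"]
        has_pwd = r["no_password"] != "*YES"
        last = _parse_date(r["last_signon"])
        changed = _parse_date(r["pwd_changed"])

        # a) enabled, sign-on capable profiles that are never or rarely used
        if r["status"] == "*ENABLED" and has_pwd:
            if last is None:
                findings.append((name, "enabled profile never signed on"))
            elif last < cutoff:
                findings.append((name, f"no sign-on since {last}"))
            if changed is None:
                findings.append((name, "password never changed"))

        # b) group profiles must be PASSWORD(*NONE)
        if name in groups and has_pwd:
            findings.append((name, "group profile has a password"))

        # d) IBM-supplied profiles (Q* is a heuristic; IBM ships them with
        #    this prefix, but a site may create its own Q* profiles)
        if name.startswith("Q") and has_pwd and name not in IBM_EXCEPTIONS:
            findings.append((name, "IBM-supplied profile can sign on"))

        # command line exposure: critical special authority without LMTCPB(*YES)
        critical = set(r["special_authorities"].split()) & CRITICAL_SPECIAL
        if critical and r["limit_capabilities"] != "*YES":
            findings.append((name, f"command line access with {sorted(critical)}"))
    return findings


if __name__ == "__main__":
    for profile, finding in review_profiles(parse_export(SAMPLE_CSV), "2024-01-15"):
        print(f"{profile:<10} {finding}")
```

Run against the constructed sample with an audit date of 2024-01-15, the report lists QPGMR (never signed on, still sign-on capable), PAYROLL (stale), TEMPUSR (stale and *ALLOBJ with a command line) and QSECOFR (command line with *ALLOBJ and *SECADM, listed so the auditor confirms who holds it); QUSER and GRPACCT are clean because they are PASSWORD(*NONE).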
Review the menu structure in place and how users are authorized access to programs and
data as follows:
a) Are IBM-supplied menus or a custom menuing program used?
b) Does the menu program key off the AS/400 user profile?
c) Has the menu structure been properly implemented to eliminate user exits off the
menu?
d) Has the attention key program been disabled?
If a user has an initial program (INLPGM), the user profile's initial menu should be INLMNU(*SIGNOFF). This returns the user to the sign-on screen when they back out of the application instead of dropping them onto a system menu with a command line, and is an effective way to ensure users only perform the functions assigned to them. Note that *SIGNOFF alone does not remove command entry elsewhere; the user profile's LMTCPB value should be reviewed with it.
Obtain all authorization lists in use (WRKAUTL). If used, review a sample of authorization lists and the authorities granted through them. Ensure object management and object existence rights (*OBJMGT, *OBJEXIST) are kept to a minimum.
Obtain a list of programs that adopt the QSECOFR profile. Use DSPPGMADP
USRPRF(QSECOFR).
Review a sample of programs that adopt (DSPPGMADP) user profiles holding critical special authorities (*ALLOBJ or *SECADM). Ensure the programs are legitimate; concentrate on client-written interactive programs, since batch programs carry less risk. Verify that adopting programs do not let the user perform functions beyond the program's purpose, for example reaching a command line while running under the adopted profile. Walk through the adopting programs with the security officer to confirm this.
Review authority holders, if used. Run DSPAUTHLR to determine whether any exist; if found, determine their purpose.
Review a sample of job descriptions with *PUBLIC authority that do not specify USER(*RQD) for appropriateness. For job descriptions that name another user profile, verify that public and individual access to the job description is restricted (it should be *PUBLIC *EXCLUDE). Otherwise a user could submit jobs through a publicly accessible job description and run under that profile, executing functions the user is not authorized to perform. (Only perform this step if QSECURITY is 30 or lower; at level 40 and above the submitter also needs authority to the referenced user profile.)
Identify key individuals (all IS staff and any unusual profiles) and review their full profile information, including objects owned and objects they are authorized to. Verify that rights are appropriate for their job responsibilities. Use DSPUSRPRF USRPRF(userid) TYPE(*ALL) OUTPUT(*PRINT) for the users selected.
Review the history log (QHST, via DSPLOG) for security violations. Perform this step only if the client is not using the security audit journal (QAUDJRN, enabled through the QAUDCTL and QAUDLVL system values); where auditing is active, review the audit journal entries instead.
Verify that access to the system console is restricted, as the system console submits all jobs at priority 10. Determine where the key is kept and which position the system keylock is set to. Review the QCONSOLE system value on the system values report and determine that the console device named there is physically secure. Review the object authority to the device with DSPOBJAUT to determine the device's public authority and the users specifically authorized to it, and evaluate for appropriateness.
Determine which users have command line access (for example, profiles not set to LMTCPB(*YES)). Review authorities over sensitive commands using DSPOBJAUT to ensure they are appropriate.
Obtain a complete library listing (WRKOBJPDM LIB(QSYS) OBJTYPE(*LIB), then F21 to print) and review it for the following:
a. Review production library access: ensure programmers have only *USE authority to production libraries and to the files and programs within them, and that access to libraries is granted on the basis of need. Review the policy governing access. If access is not restricted at the library level, use DSPOBJAUT and determine whether the *PUBLIC authority on the database files and program objects is *EXCLUDE and whether the individual authorities granted are appropriate.
b. Review the QGPL library, the IBM-supplied general purpose library that tends to accumulate miscellaneous objects. Review who has access to it. Production programs or data should not reside in this library.
c. Verify that access to IBM-supplied libraries has been restricted to read-only (*USE) or *EXCLUDE.
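Step a) (programmers limited to *USE, *PUBLIC *EXCLUDE where the library itself is open) and the earlier point about minimizing *OBJMGT and *OBJEXIST are both decided from DSPOBJAUT output, and checking them by hand across a production library is slow. The following is an added example, not part of the original audit program: it screens a CSV export of DSPOBJAUT rows (collected to an outfile and exported) for those conditions. The headers, the sample rows, the production library name PRODLIB and the programmer group GRPPGMR are constructed assumptions; the real outfile field names differ, so map them before use.

```python
"""Screen a DSPOBJAUT export for production library authority problems.

Added example (not from the original audit program). Assumes the export
was renamed to the CSV headers in SAMPLE_CSV. '*LIB' rows describe the
library object itself (which lives in QSYS); other rows are objects inside
a library. obj_mgt / obj_exist are Y/N flags for *OBJMGT and *OBJEXIST.
"""
import csv
import io

# Constructed sample export, not data from a real system.
SAMPLE_CSV = """\
object,library,type,owner,user,authority,obj_mgt,obj_exist
PRODLIB,QSYS,*LIB,PRODOWN,*PUBLIC,*USE,N,N
PRODLIB,QSYS,*LIB,PRODOWN,GRPPGMR,*CHANGE,N,N
PRODLIB,QSYS,*LIB,PRODOWN,PRODOWN,*ALL,Y,Y
CUSTMAST,PRODLIB,*FILE,PRODOWN,*PUBLIC,*EXCLUDE,N,N
CUSTMAST,PRODLIB,*FILE,PRODOWN,GRPPGMR,*USE,N,N
CUSTMAST,PRODLIB,*FILE,PRODOWN,JSMITH,USER DEF,Y,N
GLTRANS,PRODLIB,*FILE,PRODOWN,*PUBLIC,*CHANGE,N,N
PAYPGM,PRODLIB,*PGM,PRODOWN,*PUBLIC,*EXCLUDE,N,N
PAYPGM,PRODLIB,*PGM,PRODOWN,GRPPGMR,*USE,N,N
"""

# Relative strength of the standard authorities; anything else (USER DEF,
# *AUTL) is sent for manual review rather than guessed at.
RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


def parse_export(text):
    """Read the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_authorities(rows, production_libs, programmer_profiles):
    """Return (library/object, finding) tuples for the production libraries."""
    # *PUBLIC authority on each library object, to decide whether object-level
    # *PUBLIC authority matters at all (it does not if the library is *EXCLUDE).
    lib_public = {r["object"]: r["authority"]
                  for r in rows if r["type"] == "*LIB" and r["user"] == "*PUBLIC"}
    findings = []
    for r in rows:
        is_lib = r["type"] == "*LIB"
        lib = r["object"] if is_lib else r["library"]
        if lib not in production_libs:
            continue
        target = f"{r['library']}/{r['object']}"
        user, auth = r["user"], r["authority"]

        if user == "*PUBLIC":
            if is_lib and auth != "*EXCLUDE":
                findings.append((target, f"library *PUBLIC is {auth}; object-level authority must be reviewed"))
            elif not is_lib and auth != "*EXCLUDE" and lib_public.get(lib) != "*EXCLUDE":
                findings.append((target, f"*PUBLIC has {auth} and the library is not restricted"))
            continue

        # programmers may hold at most *USE on production objects
        if user in programmer_profiles:
            if auth not in RANK:
                findings.append((target, f"programmer {user} has {auth}; review manually"))
            elif RANK[auth] > RANK["*USE"]:
                findings.append((target, f"programmer {user} has {auth} (only *USE expected)"))

        # *OBJMGT / *OBJEXIST should stay with the owner
        if user != r["owner"] and (r["obj_mgt"] == "Y" or r["obj_exist"] == "Y"):
            findings.append((target, f"{user} holds *OBJMGT/*OBJEXIST on an object owned by {r['owner']}"))
    return findings


if __name__ == "__main__":
    for target, finding in review_authorities(parse_export(SAMPLE_CSV), {"PRODLIB"}, {"GRPPGMR"}):
        print(f"{target:<20} {finding}")
```

On the constructed sample this reports the open *PUBLIC authority on the PRODLIB library object, GRPPGMR's *CHANGE on that library, the *PUBLIC *CHANGE on GLTRANS (significant only because the library itself is not *EXCLUDE) and JSMITH's *OBJMGT on CUSTMAST; CUSTMAST and PAYPGM with *PUBLIC *EXCLUDE and GRPPGMR *USE produce nothing.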
Review policies and procedures for backup and off-site storage of program and data files.
Assess adequacy.