As 2011 New Years Eve came and went I spent a long time considering what my core personal resolutions should be: Eat Less, Exercise More, Speak Less, Think More.
Obviously I have my slightly more extravagant resolutions which are bound to fail: Take up Aikido, Become a Wine Connoisseur, Learn how to write Android & iPad Apps, Climb a Pyramid, Switch from Cigarettes to Cigars, Learn how to prepare a killer Chilli.
As I think about my new Years resolutions I also ponder what resolutions I should be applying to my professional role as an ‘AS400 Techie’. So here is resolution nbumber one:
Perform a system wide AS400/IBMi Security Cleanup
All of these tasks should be performed on a frequent basis but if your shop is a little more relaxed then maybe these pointers will assist in setting up an annual New Years Security Policy. Traditionally I always find the Christmas and New Years period is an ideal time for these kind of security cleanups – just after year end processing and the system has been fully backed up. Everyone is suffering from Hangovers and too many mince pies.
So lets get onto a list of things to do:
List all the user profiles and clean them up
DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/ALLUSERS)
You can then query the outfile looking for users that have left or changed departments. Users who have changed surnames. Expired passwords. User names that do not confirm to company naming standards. Disable any generic profiles. Change passwords for any system passwords that may not have changed for a long period of time.
Double check any Super Users
Do *ALLOBJ profiles really need that level? Any profiles in a group of QSECOFR or something similar?
Double Check any authority Elevators
Check for any objects that allow users to sneakily adopt a higher system authority level – Use the PRTADPOBJ (Print Adopting Objects) command:
PRTADPOBJ USRPRF(*ALL)
Any Insecure default passwords out there?
Check for any default passwords and make sure these profiles are disabled or conform to your companies authority policy:
ANZDFTPWD
Health Check the System Security Settings
Print your system security settings and compare them against IBM’s recommended values or against that good old thing called ‘common sense’ 🙂
PRTSYSSECA
note: If you are using the iSeries Navigator (is it still called that or it now IBMi Navigator?) you can run the Security Wizard which does the same thing.
Public data is insecure data
Check for sensitive files with *PUBLIC rights. This is a huge exposure in the modern intranet and Internet connected world and I’m continually amazed by the number of companies I work with that have *PUBLIC read rights on all kinds of system files from sensitive payroll to check payment files. Use the Print Publicly Authorised Objects command:
PRTPUBAUT
and on and on…
I have to stop myself here because this list is in danger of growing into a novella. This is just the tip of the iceberg but a sensible starting point for any shop doing a New Years Security Audit. Whatever results you come up with – store them and then Fix them. This gives you a useful metric to compare against next time you run the process.
Good Luck and Secure New Year to you all.