2011 New Year's Resolution for IBM i Security

AS400

Jan 02

As 2011 New Year's Eve came and went I spent a long time considering what my core personal resolutions should be: Eat Less, Exercise More, Speak Less, Think More.


Obviously I have my slightly more extravagant resolutions which are bound to fail: Take up Aikido, Become a Wine Connoisseur, Learn how to write Android & iPad Apps, Climb a Pyramid, Switch from Cigarettes to Cigars, Learn how to prepare a killer Chilli.

As I think about my New Year's resolutions I also ponder what resolutions I should be applying to my professional role as an ‘AS400 Techie’. So here is resolution number one:

Perform a system wide AS400/IBMi Security Cleanup

All of these tasks should be performed on a frequent basis, but if your shop is a little more relaxed then maybe these pointers will assist in setting up an annual New Year's Security Policy. Traditionally I always find the Christmas and New Year's period is an ideal time for this kind of security cleanup – just after year end processing, when the system has been fully backed up. Everyone is suffering from hangovers and too many mince pies.

So let's get onto a list of things to do:

List all the user profiles and clean them up

DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/ALLUSERS)

You can then query the outfile looking for users who have left or changed departments, users who have changed surnames, expired passwords, and user names that do not conform to company naming standards. Disable any generic profiles. Change any system passwords that may not have been changed for a long period of time.

Double check any Super Users

Do *ALLOBJ profiles really need that level? Any profiles in a group of QSECOFR or something similar?
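The outfile query and the super-user check described above, as an added example that is not part of the original post. It assumes the outfile uses the field names of IBM's model file QADSPUPB (UPUPRF, UPSTAT, UPGRPF, UPSPAU, UPPSOC, UPPSOD, UPTEXT) and that a never-used profile has a blank sign-on date; the cutoff date and the Q-prefix filter are constructed for illustration.

```sql
-- Added example, not from the original post.
-- Run in the same job that ran DSPUSRPRF, because QTEMP is private to a job.
-- Field names are assumed from IBM's model outfile QADSPUPB; confirm them
-- on your release with DSPFFD FILE(QTEMP/ALLUSERS) before relying on this.
-- UPPSOC (century digit, 1 = 20xx) plus UPPSOD (YYMMDD) gives CYYMMDD,
-- which sorts correctly as a character string.

SELECT UPUPRF                  AS PROFILE,
       UPSTAT                  AS STATUS,
       UPGRPF                  AS GROUP_PROFILE,
       UPPSOC CONCAT UPPSOD    AS LAST_SIGNON_CYYMMDD,
       UPTEXT                  AS DESCRIPTION,
       CASE
         WHEN UPSPAU LIKE '%*ALLOBJ%' THEN 'HAS *ALLOBJ'
         WHEN UPGRPF = 'QSECOFR'      THEN 'IN QSECOFR GROUP'
         WHEN UPPSOD = ' '            THEN 'ENABLED, NEVER SIGNED ON'
         ELSE                              'ENABLED, NO RECENT SIGN-ON'
       END                     AS REVIEW_REASON
  FROM QTEMP.ALLUSERS
 WHERE UPUPRF NOT LIKE 'Q%'    -- assumption: Q-prefixed profiles are system
                               -- profiles and are reviewed separately
   AND (    UPSPAU LIKE '%*ALLOBJ%'          -- super users
         OR UPGRPF = 'QSECOFR'               -- inherit QSECOFR via group
         OR (     UPSTAT = '*ENABLED'        -- still usable, but dormant
              AND (    UPPSOD = ' '
                    OR UPPSOC CONCAT UPPSOD < '1100701' ) ) )
                               -- constructed cutoff: 1 July 2010
 ORDER BY REVIEW_REASON, UPUPRF;
```

UPGRPF holds only the primary group profile, so profiles that reach QSECOFR through a supplemental group need a separate look.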

Double Check any authority Elevators

Check for any objects that allow users to sneakily adopt a higher system authority level – Use the PRTADPOBJ (Print Adopting Objects) command:

PRTADPOBJ USRPRF(*ALL)

Any Insecure default passwords out there?

Check for any default passwords and make sure these profiles are disabled or conform to your company's authority policy:

ANZDFTPWD

Health Check the System Security Settings

Print your system security settings and compare them against IBM’s recommended values or against that good old thing called ‘common sense’ 🙂

PRTSYSSECA

Note: If you are using the iSeries Navigator (is it still called that or is it now IBMi Navigator?) you can run the Security Wizard which does the same thing.

Public data is insecure data

Check for sensitive files with *PUBLIC rights. This is a huge exposure in the modern intranet and Internet connected world and I’m continually amazed by the number of companies I work with that have *PUBLIC read rights on all kinds of system files from sensitive payroll to check payment files. Use the Print Publicly Authorised Objects command:

PRTPUBAUT

and on and on…

I have to stop myself here because this list is in danger of growing into a novella. This is just the tip of the iceberg but a sensible starting point for any shop doing a New Year's Security Audit. Whatever results you come up with – store them and then fix them. This gives you a useful metric to compare against next time you run the process.

Good Luck and Secure New Year to you all.


About the Author

IBM i Software Developer, Digital Dad, AS400 Anarchist, RPG Modernizer, Alpha Nerd and Passionate Eater of Cheese and Biscuits. Nick Litten Dot Com is a mixture of blog posts that can be sometimes serious, frequently playful and probably down-right pointless all in the space of a day. Enjoy your stay, feel free to comment and in the words of the most interesting man in the world: Stay thirsty my friend.