Auditor(s) Assigned Audit Date
Workpaper
Audit Objectives and Procedures Ref. By
________________________________________________________________________________________________________
K.6 System Utilities
Objective: To ensure that powerful system utilities are adequately
restricted from unauthorized access and use.
The following are powerful system utilities:
SST System Service Tools DST Dedicates Service Tools DFU Data File Utility SEU Source Entry Utility SDA Screen Design Aid PDM Programming Development Manager QUERY Query Language
Procedures:
K.6.1 Determine who has access to the above utilities:
? DSPOBJAUT OBJ(QSYS/STRDFU) OBJTYPE (*CMD).
? DSPOBJAUT OBJ(QSYS/STRSEU) OBJTYPE (*CMD).
? DSPOBJAUT OBJ(QSYS/STRSDA) OBJTYPE (*CMD).
? DSPOBJAUT OBJ(QSYS/STRPDM) OBJTYPE (*CMD).
? DSPOBJAUT OBJ(QSYS/STRQRY) OBJTYPE (*CMD).
Only authorized programmers should have access to these utilities.
E&Y recommendation: *PUBLIC access should be set to *EXCLUDE, not *USE.
SYSTEM SECURITY K/PROG
36
Page 18 of 22
Auditor(s) Assigned Audit Date
Workpaper
Audit Objectives and Procedures Ref. By
________________________________________________________________________________________________________
K.7 System Commands
Objective: To ensure that powerful system commands are adequately
restricted from unauthorized use.
The following are powerful system commands:
* CRTUSRPRF Create User Profile * CHGUSRPRF Change User Profile * DLTUSRPRF Delete User Profile * RSTUSRPRF Restore User Profile
?? CHGDSTPWD Change Dedicated Service Tool Password
RSTAUT Restore Authority # STRSST System Service Tools ~ CRTAUTHLR Create Authority Holder ? DLTAUTHLR Delete Authority Holder ?? SAVSYS Save the System
~ CHGSYSLIBL Change System Library
CHGSYSVAL Change System Value
* Restricted to the security administrator (QSECADM) and security
officer (QSECOFR) only. PUBLIC access is irrelevant. A user cannot use these commands even if he/she has *ALLOBJ special authority.
# Restricted to the service engineer (OSRV) only. ~ Restricted to the security officer (QSECOFR) only.
? You need the DST security password to change the DST passwords. ? Restricted to *SAVSYS capability holder. ? *PUBLIC should be set to *EXCLUDE.
See the sensitive command object authority matrix.
SYSTEM SECURITY K/PROG
37
Page 19 of 22
Auditor(s) Assigned Audit Date
Workpaper
Audit Objectives and Procedures Ref. By
________________________________________________________________________________________________________
K.7 System Commands - Cont'd
Procedure:
K.7.1 Review the object authority to the above significant security related
commands:
DSPOBJAUT OBJ(QSYS/cmd) OBJTYPE(*CMD).
Ensure that only authorized personnel may use these commands.
E&Y recommendation: Public authority of these commands should be set at *EXCLUDE.
Command source object contains the source code for all the CL commands and is used to recompile any one or all commands. Only the security officer and users with the *ALLOBJ special authority may access this object. It is not necessary for a user to have access to this object in order to access the CL commands.
SYSTEM SECURITY K/PROG
38
Page 20 of 22
Auditor(s) Assigned Audit Date
Workpaper
Audit Objectives and Procedures Ref. By
________________________________________________________________________________________________________
K.8 System Logs
Objective: To ensure that system access and operational activities are
monitored regularly by appropriate personnel.
Procedures:
K.8.1 Obtain the printed system log, if any, and scrutinize it for evidence of
review (e.g., initials, sign-offs) by appropriate personnel, typically the Systems Administrator or the Security Officer.
Note: Typically, the full system log is not printed because it is too voluminous. They normally review the log on-screen.
The following is a general format of the command to display messages recorded in the history log:
DSPLOG LOG(QHST) PERIOD (start-time start-date) (end-time end-date) MSGID (message-identifier) OUTPUT(*PRINT){of OUTPUT(*)}
Most security messages are in the range CPF2201 to CPF2299. The message number CPF2200 should be entered if all messages in the range is required. For example, CPF2234 means incorrect password. CPF2240 means inadequate authority to object.
K.8.2 Print the \Object Authority\list of the QHST object by the
following command:
DSPOBJAUT OBJ(QHST) OBJTYPE(*MSGQ) OUTPUT(*LIST).
Determine that only the Security Officer has access to the QHST object and that PUBLIC be set to *EXCLUDE.
SYSTEM SECURITY K/PROG
39
Page 21 of 22