IBM AS400 Security Procedures

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.6 System Utilities

Objective: To ensure that powerful system utilities are adequately

restricted from unauthorized access and use.

The following are powerful system utilities:

SST System Service Tools DST Dedicates Service Tools DFU Data File Utility SEU Source Entry Utility SDA Screen Design Aid PDM Programming Development Manager QUERY Query Language

Procedures:

K.6.1 Determine who has access to the above utilities:

? DSPOBJAUT OBJ(QSYS/STRDFU) OBJTYPE (*CMD).

? DSPOBJAUT OBJ(QSYS/STRSEU) OBJTYPE (*CMD).

? DSPOBJAUT OBJ(QSYS/STRSDA) OBJTYPE (*CMD).

? DSPOBJAUT OBJ(QSYS/STRPDM) OBJTYPE (*CMD).

? DSPOBJAUT OBJ(QSYS/STRQRY) OBJTYPE (*CMD).

Only authorized programmers should have access to these utilities.

E&Y recommendation: *PUBLIC access should be set to *EXCLUDE, not *USE.

SYSTEM SECURITY K/PROG

36

Page 18 of 22

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.7 System Commands

Objective: To ensure that powerful system commands are adequately

restricted from unauthorized use.

The following are powerful system commands:

* CRTUSRPRF Create User Profile * CHGUSRPRF Change User Profile * DLTUSRPRF Delete User Profile * RSTUSRPRF Restore User Profile

?? CHGDSTPWD Change Dedicated Service Tool Password

RSTAUT Restore Authority # STRSST System Service Tools ~ CRTAUTHLR Create Authority Holder ? DLTAUTHLR Delete Authority Holder ?? SAVSYS Save the System

~ CHGSYSLIBL Change System Library

CHGSYSVAL Change System Value

* Restricted to the security administrator (QSECADM) and security

officer (QSECOFR) only. PUBLIC access is irrelevant. A user cannot use these commands even if he/she has *ALLOBJ special authority.

# Restricted to the service engineer (OSRV) only. ~ Restricted to the security officer (QSECOFR) only.

? You need the DST security password to change the DST passwords. ? Restricted to *SAVSYS capability holder. ? *PUBLIC should be set to *EXCLUDE.

See the sensitive command object authority matrix.

SYSTEM SECURITY K/PROG

37

Page 19 of 22

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.7 System Commands - Cont'd

Procedure:

K.7.1 Review the object authority to the above significant security related

commands:

DSPOBJAUT OBJ(QSYS/cmd) OBJTYPE(*CMD).

Ensure that only authorized personnel may use these commands.

E&Y recommendation: Public authority of these commands should be set at *EXCLUDE.

Command source object contains the source code for all the CL commands and is used to recompile any one or all commands. Only the security officer and users with the *ALLOBJ special authority may access this object. It is not necessary for a user to have access to this object in order to access the CL commands.

SYSTEM SECURITY K/PROG

38

Page 20 of 22

Auditor(s) Assigned Audit Date

Workpaper

Audit Objectives and Procedures Ref. By

________________________________________________________________________________________________________

K.8 System Logs

Objective: To ensure that system access and operational activities are

monitored regularly by appropriate personnel.

Procedures:

K.8.1 Obtain the printed system log, if any, and scrutinize it for evidence of

review (e.g., initials, sign-offs) by appropriate personnel, typically the Systems Administrator or the Security Officer.

Note: Typically, the full system log is not printed because it is too voluminous. They normally review the log on-screen.

The following is a general format of the command to display messages recorded in the history log:

DSPLOG LOG(QHST) PERIOD (start-time start-date) (end-time end-date) MSGID (message-identifier) OUTPUT(*PRINT){of OUTPUT(*)}

Most security messages are in the range CPF2201 to CPF2299. The message number CPF2200 should be entered if all messages in the range is required. For example, CPF2234 means incorrect password. CPF2240 means inadequate authority to object.

K.8.2 Print the \Object Authority\list of the QHST object by the

following command:

DSPOBJAUT OBJ(QHST) OBJTYPE(*MSGQ) OUTPUT(*LIST).

Determine that only the Security Officer has access to the QHST object and that PUBLIC be set to *EXCLUDE.

SYSTEM SECURITY K/PROG

39

Page 21 of 22

联系客服:779662525#qq.com(#替换为@)