From John Earl of PowerTech:

1.)  Auditing - make sure you have your security journal on and you review
it - *AUTFAIL, *SECURITY, *SERVICE, *SYSMGT, *DELETE, etc.  We review
profile changes, password failures, security changes, and system control
changes on a daily basis - FYI.  Take a look at the stuff in SECTOOLS for
reporting.

2.)  User and password protection - ensure IBM passwords are all changed.
Ensure you have decent password rules - length, difficulty, reuse,
expiration, etc.

3.)  QSECURITY.  If it's not at 40 get it there.

4.)  User profile theft - JOBD's with users attached, *USE authority to
profiles.

5.)  Unsecured exit programs - WRKSYSVAL, CHGNETA, WRKREGINF, WRKMSGF,
WRKSBSD, ADDPFTRG, CHGCMD.  Restrict access tightly to these.

6.)  Excess use of special authorities - *ALLOBJ, *IOSYSCFG, *JOBCTL,
*SPLCTL.  Review users who have access to these and restrict as tightly as
possible.

7.)  Group profile ownership of objects - Per my earlier point and to
Rob's.  For example, PROGADMIN owns all programs, DATAOWNER owns all the
data, PROGOWNER owns everything else, PROGADMIN has *CHANGE to the data,
*USE to everything else, most access points (programs) would adopt
PROGADMIN's authority.

8.)  Review *PUBLIC access.  Even if they only have *USE would you want
information published somewhere based on this?

9.)  Menu security - don't rely on it.

10.) Control your network access.  CA/400, NetServer, FTP, DDM, etc.

HTH.

Michael Crump
Saint-Gobain Containers
1509 S. Macedonia Ave.
Muncie, IN  47302
(765)741-7696
(765)741-7012 f
(800)428-8642

Slow email use this:
mailto:mike.crump@xxxxxxxxxxxxxxxx

Fast email that isn't company standard use this:
mailto:mcrump@xxxxxxxxxxxxxxxx
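A CL program that runs the daily reviews behind points 1, 2, 3, 4, 6 and 8 of the list above, as an added example that is not part of the original post. It assumes the SECTOOLS commands (ANZDFTPWD, PRTJOBDAUT, PRTUSRPRF, PRTPUBAUT) are installed and uses PRODDATA as a placeholder name for the production data library.

```cl
/* Daily security review built from the checklist above.                 */
/* Added example; PRODDATA is a placeholder for the production library.  */
PGM
  DCL VAR(&SECLVL) TYPE(*CHAR) LEN(2)

  /* 3) QSECURITY: warn the operator if the system is below level 40    */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  IF COND(&SECLVL *LT '40') THEN( +
     SNDMSG MSG('QSECURITY is' *BCAT &SECLVL *BCAT +
                '- should be 40 or higher') TOUSR(*SYSOPR))

  /* 1) Auditing: show QAUDCTL/QAUDLVL, then list the audit journal     */
  /*    entries reviewed daily: AF = authority failure, PW = password   */
  /*    failure, CP = user profile change, SV = system value change      */
  DSPSECAUD  OUTPUT(*PRINT)
  DSPAUDJRNE ENTTYP(AF PW CP SV) OUTPUT(*PRINT)

  /* 2) Profiles still using a default (profile-name) password          */
  ANZDFTPWD  ACTION(*NONE)

  /* 4) Job descriptions that name a user profile and are not           */
  /*    *PUBLIC *EXCLUDE (profile theft via SBMJOB)                     */
  PRTJOBDAUT LIB(*ALL)

  /* 6) Users holding the powerful special authorities                  */
  PRTUSRPRF  TYPE(*AUTINFO) SELECT(*SPCAUT) +
             SPCAUT(*ALLOBJ *IOSYSCFG *JOBCTL *SPLCTL)

  /* 8) *PUBLIC authority to files in the production data library       */
  PRTPUBAUT  OBJTYPE(*FILE) LIB(PRODDATA)
ENDPGM
```

Each PRT* command writes a spooled report; schedule the program with a job scheduler entry so the reports are there for the daily review.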


From: oliver.wenzel@xxxxxxxxxxxx ovartis.com
To: midrange-l@xxxxxxxxxxxx
Date: 03/20/03 05:05 AM
Subject: Security questions
Please respond to Midrange Systems Technical Discussion

Hello,

we have OS/400 security set up by the book, i.e. basically users have no
rights (limit capabilities *YES) to execute commands etc.
For production data and objects users only have *READ or *USE authority.
The programs used belong to the application owner profile
and have adopted authority. System access for users goes through a menu
system.

So, where are the loopholes in this config?

Thanks,

Oliver





