RE: QSECOFR was: Anti-virus for i5OS

["Chris Bipes" <chris.bipes@xxxxxxxxxxxxxxx>]

First off *ALLOBJ does not give you the ability to create or change
profiles. Secondly if a programmer did create a temporary profile to do
such devious work, the special owner profile for the packaged
application would be logged.  If the programmer deleted the logs, the
recreated logs would show that.  Hmmm food for thought.  Oh and SST
profiles are completely different than user profiles.  Even as QSECOFR,
you still have to log in to SST.  You can prevent some of the issues you
mentioned with security setting in SST.

 

Chris Bipes
Director of Information Services
CrossCheck, Inc.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of ALopez@xxxxxxxxxx
Sent: Wednesday, April 02, 2008 7:56 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: QSECOFR was: Anti-virus for i5OS

> The Point:

> You can Audit that profiles activity. If the profile cannot logon.
> Password *NONE initial menu *SIGNOFF and only the specific package 
> uses the profile, you will pass any security audit. If QSECOFR owns 
> it, well there goes your accountability.

It goes out the window for the user with *ALLOBJ as well, in that case. 
The programs running under a profile with *ALLOBJ can create another
profile to duplicate QSECOFR, change the sysvals for auditing, etc. 

The only fix is to change the value in SST for "Allow system value
security changes":

When set to Yes, CHGSYSVAL can be used to change the following
security-related system values. 
    QALWJOBITP        QCRTOBJAUD        QPWDLMTCHR 
    QALWOBJRST        QDEVRCYACN        QPWDLMTREP 
    QALWUSRDMN        QDSCJOBITV        QPWDLVL 
    QAUDCTL           QDSPSGNINF        QPWDMAXLEN 
    QAUDENACN         QFRCCVNRST        QPWDMINLEN 
    QAUDFRCLVL        QINACTMSGQ        QPWDPOSDIF 
    QAUDLVL           QLMTDEVSSN        QPWDRQDDGT 
    QAUDLVL2          QLMTSECOFR        QPWDRQDDIF 
    QAUTOCFG          QMAXSGNACN        QPWDVLDPGM 
    QAUTORMT          QMAXSIGN          QRETSVRSEC 
    QAUTOVRT          QPWDEXPITV        QRMTSIGN 
    QCRTAUT           QPWDLMTAJC        QRMTSRVATR 
     QSCANFS           QSECURITY         QUSEADPAUT 
    QSCANFSCTL        QSHRMEMCTL        QVFYOBJRST 
 
When set to No, CHGSYSVAL will not allow these system values to change
and send message CPF18C0. 

<Poof>.  You magically pass your security audit.  Just don't give the
SST password for QSECOFR out. 

Again, *ALLOBJ is QSECOFR with thirty second's work.  If we are worried
about what programs that are owned by QSECOFR will do, we do not escape
the problem by making another profile with *ALLOBJ the owner.  We just
cause the programmers in question to add one CL command:
CHGUSRPRF USRPRF(LOPEZ) SPCAUT(*ALLOBJ *IOSYSCFG *AUDIT *ETC).  They can
re-enable the profile, give it a default password, and do anything that
QSECOFR could do.