Re: Security Level 40 -- MIDRANGE-L

Cheryl,

After re-reading my note, I saw something that could be
confusing.  The command to display the journal would be:

DSPJRN JRN(QAUDJRN) FROMTIME(030199 000000) JRNCDE((T)) ENTTYP(AF) 

In the data of the Journal entries (at posistion 1) is a one byte
"TYPE" that describes what sort of an authority failure occured. 
That is where you would look for hte B,C,D,R, J, & S codes.

hth,

jte





John Earl wrote:
> 
> Cheryl,
> 
> Cheryl Bisson wrote:
> >
> > Our production box is set to a security level of 30.  My manager wants it 
>at 40.  What are the pros and cons?  Where would I start?
> > Thanks for the help
> > Cheryl Bisson
> > CTG
> 
> Congratulations, you are doing the right thing!
> 
> Your part is really quite easy.  You have to check your system for
> any programs (usually vendor writtten) that violate the level 40
> rules.  Here's a step by step for that part.
> 
> 1) If It's not already activated, turn of the Security Audit
> Journal (QAUDJRN) and monitor for Program Failures
>         CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*PGMFAIL)
> 
> 2) Wait a goodly amount of time so that you can build up some
> history (at least a week, maybe longer).
> 
> 3) Reveiw the journal entries for a program failures that violate
> QSECURITY level '40'.  These would appear in the QAUDJRN journal
> as CODE 'T', and any of the following TYPES:
> 
> B   Restricted instruction use
> C   Validation failure
> D   Object domain or storage protect failure
> R   Hardware protection error
> 
> If any programs generate these types of journal entries, you will
> need to refer to the program's author to get a "fixed" version of
> the program that will operate at QSECURITY level '40'.  At this
> point I'm not aware of a single company that does not have a Level
> '40' compliant version of their software (that doesn't mean that
> none exists.....  list members?)
> 
> You could also receive a one of these two errors:
> 
> J   Submit job profile error
> S   Default sign-on attempt
> 
>   These are simple enough to fix yourself.  If you receive a 'J'
> type, it means that a user is submitting a job and the JOBD they
> are using contains a user profile that the user is not authorised
> to.   At level 30 this will work, but it is blocked at level 40.
> A 'S' type is an indication that a subsystem allows signon without
> using a password.  This is typically used for kiosk, or shared
> terminals, and is unsupported at level '40'.  If you get 'S'
> types, you'll have to fix the subsystem description that allows
> automatic signon.
> 
> There are some other codes that could be generated by the *PGMFAIL
> audit level, but they are not important to Level 40 security.
> 
> Cheryl, this is just an overview.  Refer to the Security Manuals
> to get the straight scoop.
> 
> HTH,
> 
> jte
> 
> >
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: 
>david@midrange.com
> > +---
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---