From John Earl of PowerTech:

1.) Auditing - make sure you have your security journal on and you review it - *AUTFAIL, *SECURITY, *SERVICE, *SYSMGT, *DELETE, etc. We review profile changes, password failures, security changes, and system control changes on a daily basis - FYI. Take a look at the stuff in SECTOOLS for reporting.

2.) User and password protection - ensure IBM passwords are all changed. Ensure you have decent password rules - length, difficulty, reuse, expiration, etc.

3.) QSECURITY. If it's not at 40 get it there.

4.) User profile theft - JOBD's with users attached, *USE authority to profiles.

5.) Unsecured exit programs - WRKSYSVAL, CHGNETA, WRKREGINF, WRKMSGF, WRKSBSD, ADDPFTRG, CHGCMD. Restrict access tightly to these.

6.) Excess use of special authorities - *ALLOBJ, *IOSYSCFG, *JOBCTL, *SPLCTL. Review users who have access to these and restrict as tightly as possible.

7.) Group profile ownership of objects - Per my earlier point and to Rob's. For example, PROGADMIN owns all programs, DATAOWNER owns all the data, PROGOWNER owns everything else, PROGADMIN has *CHANGE to the data, *USE to everything else, most access points (programs) would adopt PROGADMIN's authority.

8.) Review *PUBLIC access. Even if they only have *USE, would you want information published somewhere based on this?

9.) Menu security - don't rely on it.

10.) Control your network access. CA/400, NetServer, FTP, DDM, etc.

HTH.

Michael Crump
Saint-Gobain Containers
1509 S. Macedonia Ave.
Muncie, IN 47302
(765)741-7696
(765)741-7012 f
(800)428-8642
Slow email use this: mailto:mike.crump@xxxxxxxxxxxxxxxx
Fast email that isn't company standard use this: mailto:mcrump@xxxxxxxxxxxxxxxx

oliver.wenzel@xxxxxxxxxxxx ovartis.com
03/20/03 05:05 AM
Please respond to Midrange Systems Technical Discussion

To: midrange-l@xxxxxxxxxxxx
cc:
bcc:
Subject: Security questions

Hello, we have OS/400 security set up by the book - i.e. basically the user has no rights (limit capabilities *YES) to execute commands etc. For productive data and objects users only have *READ or *USE authority. The programs used belong to the application owner profile and have adopted authority. System access for users goes through a menu system. So, where are the loopholes in this config?

Thanks,
Oliver
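Added example, not from the thread or from PowerTech: a CL program that puts items 1, 2 and 3 of Michael's list into effect (turn the audit journal on at the levels he names, tighten the password system values, set QSECURITY to 40) and then does the daily part of "review it" by pulling password failures (PW) and authority failures (AF) into an outfile. The receiver and outfile names QGPL/AUDRCV0001 and QGPL/AUDPWAF, the password values, and the &FROMDATE parameter (a date in job format) are assumptions; QSECURITY takes effect only at the next IPL.

```cl
             PGM        PARM(&FROMDATE)
             DCL        VAR(&FROMDATE) TYPE(*CHAR) LEN(6)

/* Item 1: audit journal QSYS/QAUDJRN must exist before auditing starts.    */
/* Receiver name and library are assumed; MNGRCV(*SYSTEM) lets the system   */
/* attach a new receiver when the threshold is reached, DLTRCV(*NO) keeps   */
/* the old ones so nothing is lost before it has been reviewed and saved.   */
             CRTJRNRCV  JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) +
                          TEXT('Security audit journal receiver')
             MONMSG     MSGID(CPF7010)          /* already exists */
             CRTJRN     JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) +
                          MNGRCV(*SYSTEM) DLTRCV(*NO) +
                          TEXT('Security audit journal')
             MONMSG     MSGID(CPF7010)          /* already exists */

/* Audit levels exactly as listed in the post; *NOQTEMP keeps QTEMP noise   */
/* out of the journal.                                                      */
             CHGSYSVAL  SYSVAL(QAUDLVL) +
                          VALUE('*AUTFAIL *SECURITY *SERVICE *SYSMGT *DELETE')
             CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *NOQTEMP')

/* Item 2: length, difficulty, reuse, expiration (values are assumptions).  */
             CHGSYSVAL  SYSVAL(QPWDMINLEN) VALUE('8')
             CHGSYSVAL  SYSVAL(QPWDRQDDGT) VALUE('1')     /* needs a digit  */
             CHGSYSVAL  SYSVAL(QPWDRQDDIF) VALUE('5')     /* last 10 differ */
             CHGSYSVAL  SYSVAL(QPWDEXPITV) VALUE('90')    /* days           */
             CHGSYSVAL  SYSVAL(QMAXSIGN)   VALUE('3')
             CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')     /* disable both   */

/* Item 3: security level 40 (applied at next IPL).                         */
             CHGSYSVAL  SYSVAL(QSECURITY) VALUE('40')

/* Daily review: dump PW (password failure) and AF (authority failure)      */
/* entries since &FROMDATE to an outfile the review query can read.         */
/* *CURCHAIN walks every attached receiver, not just the current one.       */
             DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) +
                          FROMTIME(&FROMDATE) JRNCDE((T)) +
                          ENTTYP(PW AF) OUTPUT(*OUTFILE) +
                          OUTFILFMT(*TYPE5) OUTFILE(QGPL/AUDPWAF) +
                          OUTMBR(*FIRST *REPLACE)
             ENDPGM
```

Items 4, 6 and 8 are covered by the SECTOOLS reports the post points at: PRTJOBDAUT for job descriptions that name a user, PRTUSRPRF TYPE(*AUTINFO) for who holds *ALLOBJ and the other special authorities, and PRTPUBAUT for objects *PUBLIC can reach.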
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].