The Point:
You can Audit that profiles activity. If the profile cannot logon.
Password *NONE initial menu *SIGNOFF and only the specific package uses
the profile, you will pass any security audit. If QSECOFR owns it, well
there goes your accountability.
It goes out the window for the user with *ALLOBJ as well, in that case.
The programs running under a profile with *ALLOBJ can create another
profile to duplicate QSECOFR, change the sysvals for auditing, etc.
The only fix is to change the value in SST for "Allow system value
security changes":
When set to Yes, CHGSYSVAL can be used to change
the following security-related system values.
QALWJOBITP QCRTOBJAUD QPWDLMTCHR
QALWOBJRST QDEVRCYACN QPWDLMTREP
QALWUSRDMN QDSCJOBITV QPWDLVL
QAUDCTL QDSPSGNINF QPWDMAXLEN
QAUDENACN QFRCCVNRST QPWDMINLEN
QAUDFRCLVL QINACTMSGQ QPWDPOSDIF
QAUDLVL QLMTDEVSSN QPWDRQDDGT
QAUDLVL2 QLMTSECOFR QPWDRQDDIF
QAUTOCFG QMAXSGNACN QPWDVLDPGM
QAUTORMT QMAXSIGN QRETSVRSEC
QAUTOVRT QPWDEXPITV QRMTSIGN
QCRTAUT QPWDLMTAJC QRMTSRVATR
QSCANFS QSECURITY QUSEADPAUT
QSCANFSCTL QSHRMEMCTL QVFYOBJRST
When set to No, CHGSYSVAL will not allow these
system values to change and send message CPF18C0.
<Poof>. You magically pass your security audit. Just don't give the SST
password for QSECOFR out.
Again, *ALLOBJ is QSECOFR with thirty second's work. If we are worried
about what programs that are owned by QSECOFR will do, we do not escape
the problem by making another profile with *ALLOBJ the owner. We just
cause the programmers in question to add one CL command:
CHGUSRPRF USRPRF(LOPEZ) SPCAUT(*ALLOBJ *IOSYSCFG *AUDIT *ETC). They can
re-enable the profile, give it a default password, and do anything that
QSECOFR could do.
midrange.com
