× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. April 2008

RE: QSECOFR was: Anti-virus for i5OS

First off *ALLOBJ does not give you the ability to create or change
profiles. Secondly if a programmer did create a temporary profile to do
such devious work, the special owner profile for the packaged
application would be logged. If the programmer deleted the logs, the
recreated logs would show that. Hmmm food for thought. Oh and SST
profiles are completely different than user profiles. Even as QSECOFR,
you still have to log in to SST. You can prevent some of the issues you
mentioned with security setting in SST.



Chris Bipes
Director of Information Services
CrossCheck, Inc.


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of ALopez@xxxxxxxxxx
Sent: Wednesday, April 02, 2008 7:56 AM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: QSECOFR was: Anti-virus for i5OS

The Point:

You can Audit that profiles activity. If the profile cannot logon.
Password *NONE initial menu *SIGNOFF and only the specific package
uses the profile, you will pass any security audit. If QSECOFR owns
it, well there goes your accountability.

It goes out the window for the user with *ALLOBJ as well, in that case.
The programs running under a profile with *ALLOBJ can create another
profile to duplicate QSECOFR, change the sysvals for auditing, etc.

The only fix is to change the value in SST for "Allow system value
security changes":

When set to Yes, CHGSYSVAL can be used to change the following
security-related system values.
QALWJOBITP QCRTOBJAUD QPWDLMTCHR
QALWOBJRST QDEVRCYACN QPWDLMTREP
QALWUSRDMN QDSCJOBITV QPWDLVL
QAUDCTL QDSPSGNINF QPWDMAXLEN
QAUDENACN QFRCCVNRST QPWDMINLEN
QAUDFRCLVL QINACTMSGQ QPWDPOSDIF
QAUDLVL QLMTDEVSSN QPWDRQDDGT
QAUDLVL2 QLMTSECOFR QPWDRQDDIF
QAUTOCFG QMAXSGNACN QPWDVLDPGM
QAUTORMT QMAXSIGN QRETSVRSEC
QAUTOVRT QPWDEXPITV QRMTSIGN
QCRTAUT QPWDLMTAJC QRMTSRVATR
QSCANFS QSECURITY QUSEADPAUT
QSCANFSCTL QSHRMEMCTL QVFYOBJRST

When set to No, CHGSYSVAL will not allow these system values to change
and send message CPF18C0.

<Poof>. You magically pass your security audit. Just don't give the
SST password for QSECOFR out.

Again, *ALLOBJ is QSECOFR with thirty second's work. If we are worried
about what programs that are owned by QSECOFR will do, we do not escape
the problem by making another profile with *ALLOBJ the owner. We just
cause the programmers in question to add one CL command:
CHGUSRPRF USRPRF(LOPEZ) SPCAUT(*ALLOBJ *IOSYSCFG *AUDIT *ETC). They can
re-enable the profile, give it a default password, and do anything that
QSECOFR could do.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.