MIDRANGE dot COM Mailing List Archive



Home » MIDRANGE-L » May 2014

Re: i5 Security info and training



fixed

I'm ok with the installation of a product requiring a QSECOFR class profile
(though actually requiring QSECOFR is a peeve)

My problem would be one that uses it for day to day jobs which is how I
read Paul's post.

Though I might make an exception for some sort of "system" level tool...but
I'd need a real good explanation of why.

Charles


On Thu, May 1, 2014 at 2:25 PM, <rob@xxxxxxxxx> wrote:

Only one of our developers has a second account that has a high level of
security. And he pretty much reserves it only for helping us run Mimix.
I kept hearing this whining "but what about that emergency middle of the
night call that needs it?". Situation is, it hasn't happened in over 10
years. Sure, there have been late calls, but none, zippo, that just had
to have qsecofr type access.

Honestly, it used to frustrate me to no end that vendors required qsecofr
to install their product. I guess it just works.
OTOH, keep your guard up. We had a vendor that had a program with qsecofr
adopted authority. One line: CALL QCMD. Apparently it was their back
door to talk users through some stuff remotely without having to file a
100 page exception report with the customers security officer on why they
needed qsecofr.
We no longer do business with them.

I sincerely believe that many vendors really tried to get their installs
working as other than QSECOFR, but after this failure, and that failure,
just gave up.
Some of their installs I wonder how they ever get through them.
Hopefully in this age of virtualization they will try their installs on
clean lpars. And not the same old lpar where their owning profile already
existed or whatever.

If your developers keep needing qsecofr access they're doing it wrong.
That's like having first aid equipment down at the bottom of the ski slope
not "just in case" but "we're going to use it at the end of every run".

I realize it get's trickier when you have interfaces between disparate
vendor applications. Heck we got through this and we used to have ERP by
one vendor and accounting by another.

You know what really helps? A good change management package. One that
knows, and can be configured to set up things like: programs that need to
adopt authority, programs and data that have special authorization lists
and stuff set up on them.


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com





From: "Steinmetz, Paul" <PSteinmetz@xxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 05/01/2014 01:31 PM
Subject: RE: i5 Security info and training
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



Thanks everyone for all the links, keep um coming.

Define security - all of what Rob mentioned, plus much more.
The sad thing is some of the things I need to change and fix are denied.
3rd party vendor claims their job(s) must run as QSECOFR, I tested and
made it work in R&D without QSECOFR.
All programmers and all of one of our 3rd party support accounts (100+)
are QSECOFR equivalent and *ALLOBJ.

We have done a lot in the last 2 years.
Convert as many FTP to SFTP via SSH.
Eliminate shared accounts, setup individual service accounts.

Much more to do.
Now that I have my guest LPAR playground setup, I can make and test
security changes, hopefully without breaking anything.

Paul

-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
rob@xxxxxxxxx
Sent: Thursday, May 01, 2014 12:10 PM
To: Midrange Systems Technical Discussion
Subject: RE: i5 Security info and training

What is the definition of security?
- User security?
- Object security?
- Proper security setup of your Domino environment?
- How to implement kerberos?
- Proper http configuration?
- Proper WAS administration?
- How to implement Tivoli Identity Manager?
- How to roll out RCAC in your 7.2 environment (Row and Column Access)?
- Little obscure stuff to set up in TCP/IP?

80% of that would blow away our BOFH.

Basically, what is the OP targeting on?


Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1 Group Dekko Dept 1600 Mail
to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe,
unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.







Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2014 by MIDRANGE dot COM and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available here. If you have questions about this, please contact