|
Cheryl, After re-reading my note, I saw something that could be confusing. The command to display the journal would be: DSPJRN JRN(QAUDJRN) FROMTIME(030199 000000) JRNCDE((T)) ENTTYP(AF) In the data of the Journal entries (at posistion 1) is a one byte "TYPE" that describes what sort of an authority failure occured. That is where you would look for hte B,C,D,R, J, & S codes. hth, jte John Earl wrote: > > Cheryl, > > Cheryl Bisson wrote: > > > > Our production box is set to a security level of 30. My manager wants it >at 40. What are the pros and cons? Where would I start? > > Thanks for the help > > Cheryl Bisson > > CTG > > Congratulations, you are doing the right thing! > > Your part is really quite easy. You have to check your system for > any programs (usually vendor writtten) that violate the level 40 > rules. Here's a step by step for that part. > > 1) If It's not already activated, turn of the Security Audit > Journal (QAUDJRN) and monitor for Program Failures > CHGSECAUD QAUDCTL(*AUDLVL) QAUDLVL(*PGMFAIL) > > 2) Wait a goodly amount of time so that you can build up some > history (at least a week, maybe longer). > > 3) Reveiw the journal entries for a program failures that violate > QSECURITY level '40'. These would appear in the QAUDJRN journal > as CODE 'T', and any of the following TYPES: > > B Restricted instruction use > C Validation failure > D Object domain or storage protect failure > R Hardware protection error > > If any programs generate these types of journal entries, you will > need to refer to the program's author to get a "fixed" version of > the program that will operate at QSECURITY level '40'. At this > point I'm not aware of a single company that does not have a Level > '40' compliant version of their software (that doesn't mean that > none exists..... list members?) > > You could also receive a one of these two errors: > > J Submit job profile error > S Default sign-on attempt > > These are simple enough to fix yourself. If you receive a 'J' > type, it means that a user is submitting a job and the JOBD they > are using contains a user profile that the user is not authorised > to. At level 30 this will work, but it is blocked at level 40. > A 'S' type is an indication that a subsystem allows signon without > using a password. This is typically used for kiosk, or shared > terminals, and is unsupported at level '40'. If you get 'S' > types, you'll have to fix the subsystem description that allows > automatic signon. > > There are some other codes that could be generated by the *PGMFAIL > audit level, but they are not important to Level 40 security. > > Cheryl, this is just an overview. Refer to the Security Manuals > to get the straight scoop. > > HTH, > > jte > > > > > +--- > > | This is the Midrange System Mailing List! > > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > > | Questions should be directed to the list owner/operator: >david@midrange.com > > +--- > +--- > | This is the Midrange System Mailing List! > | To submit a new message, send your mail to MIDRANGE-L@midrange.com. > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. > | Questions should be directed to the list owner/operator: david@midrange.com > +--- +--- | This is the Midrange System Mailing List! | To submit a new message, send your mail to MIDRANGE-L@midrange.com. | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com. | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com. | Questions should be directed to the list owner/operator: david@midrange.com +---
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.