From: Ed Fishel <edfishel@us.ibm.com>
> > What can IBM do to fix it? Create a new level of system security?
> The programs that Leif writes about that can manufacture pointers or
> change themselves to system state are all patched programs. You can improve
> the security of your system by preventing patch programs from being
> restored onto it. One of the first steps to good security on iSeries is to
> only use programs that are created with the trusted translator.

except that the bad guys don't play by the rules. There are also other ways to create programs than using the trusted translator.

>
> Some of my recommendations for best security are:
>
> 1. Move to the latest release of OS/400. With each new release IBM
> continues to improve the security and integrity of the system. Once on the
> latest release be sure to install PTFs for security and integrity fixes.

sounds like Microsoft's litany....

>
> 2. Set the QSECURITY (security level) system value to 40 or 50.

doesn't make any difference. My box runs at 50, and I can still do all the bad things.

>
> 3. Set the QVFYOBJRST (verify object on restore) system value to 3 or
> higher to verify the signatures of programs (in V5R1) and commands (in
> V5R2) restored onto the system.

the presence of signatures is not a guarantee that the program is not malware, only shows you where it came from.

>
> 4. On V5R2, set the QFRCCVNRST (force conversion on restore) system value
> to 6 or 7 to force the retranslation of all restored programs. If the
> program was patched this will remove the patches. If the program does not
> have observability it will not be restored to the system.

this is good advice, except so many programs don't have observability that you might lock things down too hard.

>
> 6. Let only trusted people use DST/SST.

a trusted person may turn into a disgruntled employee at a moment's notice.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.