× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. February 2005

RE: Sarbanes-Oxley and the AS400

midrange-l-request@xxxxxxxxxxxx wrote:

>   7. Sarbanes-Oxley and the AS400 (Greg Wenzloff)
>
>We are preparing for our audit and the team has requested a list of "new
>users added to the operating system" ... "list should be obtained from the
>operating system based on creation date".
>
>I know that SECTOOLS has several useful reports but I don't see anything
>with a creation date for the user profile.   Does anyone know if that info
>is available from the system?    Thanks.

Greg:

Not much help, I'm afraid.

As others have mentioned, DSPOBJD to an outfile for *USRPRF objects might give 
a file you can query for what you need here. Hard to go into details though. 
Because...

>While I'm typing let me add that they also want a "list of users with
>security access changes". I'm not entirely sure what that means nor how to
>get a report.  
>
>We are at V4R4 and do not have auditing turned on.

...ouch. Without auditing plus various on-going analyses of audit journal 
entries, this is practically impossible. Of course, if you had some kind of 
system administrator application through which all such changes must go and 
which securely logged what was done, then system security audit journaling 
might not be important.

Without an audit trail, it's hard to imagine much that can be done for anything 
resembling "users with security access changes".

And this gets significantly more complex depending on what that phrase means. 
E.g., would that cover any new private authorities granted to users? 
Authorities for groups? Authorization list changes? Or should it be restricted 
to direct changes to special authorities in user profiles? If a library has 
CRTAUT(*CHANGE) and a new object is created there, should that count even 
though it might refer to *PUBLIC rather than particular users?

Interesting stuff, dealing with auditors. Especially if you're unlucky enough 
to get one that knows enough about the system to make a mess. I'm not sure if 
that's worse than one who knows all about some other kind of system and wants 
to know what you're doing to prevent the same kind of vulnerabilities, even 
when they don't exist in a similar form.

I sure hope you'll report back after the audit and fill others in on the 
result. It seems to me we hear more "It's going to happen (an audit)" and not 
enough "After the audit, we've had to..."


Tom Liotta

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertech.com



__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.