Loyd,
Just to add to a few things already mentioned to help your auditing firm
understand what you can do to watch Q* profiles (specifically QSECOFR),
since it is not possible to rename or delete them.
*/Non Sales Portion/*
- Do not use QSECOFR unless it is absolutely necessary. Use another profile
with *SECOFR and *ALLOBJ instead.
- Change sign-on screen messages so they do not tell a user that user profile X
is disabled, does not exist, or that the password is incorrect.
- Disable QSECOFR: this will prevent anyone from using QSECOFR to try to
sign on except at the console. You can also re-enable it with another
profile that has *SECOFR authority.
- Monitor QSECOFR, and other Q* profiles, with the Audit Journal
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp?topic=/rzamv/rzamvauditsecofraction.htm
There are some really good articles out there on iSeries security
recommendations that may help you justify why things are different on this
platform than Windows.
*/NON Sales Portion/*
*/Sales Portion/*
- It is a really good idea to monitor QHST with message queue monitoring
software that can send you alerts if QSECOFR attempts to sign on.
- Also, exit point programs are a great way to monitor and control the other
areas through which Q* profiles (or any other profiles) can sign on to your
system.
- A good audit tool can also be a huge time saver and be a little more
agreeable to auditors.
*/END SALES PORTION/*
Good luck with training your auditors and with passing your audit.
Matt Graybiel, CISSP
NetIQ Corporation
www.netiq.com
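The non-sales steps above, written out as the CL commands they correspond to. This is an added example and not part of Matt's message. It assumes a profile with *ALLOBJ, *SECADM and *AUDIT special authority; the receiver name AUDRCV0001, the output file PWFAIL and the replacement sign-on text are illustrative choices. The message IDs used (CPF1107 and CPF1120 for the sign-on display, CPF2234 in QHST, CPF1393 routed to QSYSMSG) are the ones IBM documents for these situations, but confirm them with DSPMSGD on your release before relying on them.

```cl
/* Added example, not from the original post. Assumes *ALLOBJ, *SECADM and    */
/* *AUDIT special authority. AUDRCV0001, PWFAIL and the replacement message    */
/* text are illustrative names; verify message IDs with DSPMSGD on your release.*/

/* 1. Sign-on display: give "user does not exist" (CPF1120) and "password not  */
/*    correct" (CPF1107) identical text, so a failed attempt no longer         */
/*    confirms which profile names are valid.                                  */
CHGMSGD MSGID(CPF1107) MSGF(QSYS/QCPFMSG) MSG('Sign-on information is not correct.')
CHGMSGD MSGID(CPF1120) MSGF(QSYS/QCPFMSG) MSG('Sign-on information is not correct.')

/* 2. Disable QSECOFR. It can still sign on at the system console, and any     */
/*    profile with *SECOFR special authority can re-enable it with             */
/*    CHGUSRPRF USRPRF(QSECOFR) STATUS(*ENABLED).                              */
CHGUSRPRF USRPRF(QSECOFR) STATUS(*DISABLED)

/* 3. Audit journal: create QAUDJRN and a receiver if the system has none,     */
/*    turn auditing on, and raise the per-user audit level for QSECOFR above   */
/*    the system-wide QAUDLVL. Repeat the CHGUSRAUD for the other Q* profiles. */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) TEXT('Audit journal receiver')
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) DLTRCV(*NO) AUT(*EXCLUDE)
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD *NOQTEMP')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *SECURITY *SERVICE *SAVRST')
CHGUSRAUD USRPRF(QSECOFR) AUDLVL(*CMD *SECURITY *SERVICE)

/* 4. Review: copy the password-failure (PW) entries from the current receiver */
/*    into a file. With OUTFILFMT(*TYPE4) the entry-specific data (failure     */
/*    type, user name, device) is in the JOESD field of QGPL/PWFAIL.           */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T *ALLSLT)) ENTTYP(PW) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QGPL/PWFAIL)

/* 5. History log: CPF2234 is the QHST message for a password that was not     */
/*    correct. This is the manual check for today; a message monitor watching  */
/*    QHST for the same ID is what the post's alerting suggestion amounts to.  */
DSPLOG LOG(QHST) PERIOD((*AVAIL *CURRENT) (*AVAIL *CURRENT)) MSGID(CPF2234) OUTPUT(*PRINT)

/* 6. QSYSMSG: once a message queue with this exact name exists in QSYS, the   */
/*    system routes selected security messages to it, including CPF1393       */
/*    (profile disabled after the QMAXSIGN limit was reached). A monitor job   */
/*    can wait on this queue instead of polling QHST.                          */
CRTMSGQ MSGQ(QSYS/QSYSMSG) TEXT('Security messages for monitoring')
```

The CHGMSGD step is the one auditors most often overlook: on the sign-on display the two original messages differ, so an attacker can enumerate valid profile names before ever guessing a password. Keep the changed descriptions in your release-upgrade checklist, since reloading QCPFMSG restores the shipped text.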
-----Original Message-----
From: lgoodbar@xxxxxxxxxxxxxx [mailto:lgoodbar@xxxxxxxxxxxxxx]
Sent: Wednesday, July 25, 2007 1:24 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Auditing, renaming, deleting IBM profiles
Thanks, Jerry. I was able to test the DLTUSRPRF and RNMOBJ commands and
"prove" system-supplied profiles can't be renamed or removed. In absence
of official documentation, that's conclusive enough.
Loyd Goodbar
Senior programmer/analyst
BorgWarner
TS Water Valley
662-473-5713
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Jerry Adams
Sent: Wednesday, July 25, 2007 11:54
To: Midrange Systems Technical Discussion
Subject: Re: Auditing, renaming, deleting IBM profiles
All of the replies to Loyd's query, while true, do not answer his
question regarding "official IBM documentation" to what we all know.
I searched both the Info Center and the System i site, but couldn't find
any such "document" or even a mention. The closest that I came was in
the Info Center: Changing Known Passwords -
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzamv/rzamvchangeknownpwd.htm
For something more "official," Loyd, you might contact software support
or, better yet, submit a DCR to allow these profiles to be deleted. The
answer will, of course, be "Are you out of your @#$% mind?!" But you
might also get a reasoned reply as to why not. Or a PMR saying you
can't delete or rename them; you'll certainly get faster response than
to a DCR.
Jerry C. Adams
IBM System i Programmer/Analyst
B&W Wholesale Distributors, Inc.
voice 615.995.7024
fax 615.995.1201
email jerry@xxxxxxxxxxxxxxx
Joe Pluta wrote:
From: lgoodbar@xxxxxxxxxxxxxx
Other than "common knowledge" that IBM user profiles should not be
renamed or deleted, is there any official IBM documentation stating the
fact? We have auditors who want to rename or delete QSECOFR, QUSER,
QSRV, QSRVBAS, QPGMR, QSYSOPR, &c. I found and printed IBM's command
help for DLTUSRPRF that restricts deleting those profiles, but have not
seen anything on a rename.
Go immediately to your CEO and explain that they have hired the wrong
auditing firm. I am not being funny. If the auditors are seriously
requiring something as rabidly stupid as renaming QSECOFR, I can only
shudder at what other "recommendations" they are making for your
company.
These auditors are dangerous, and you need to get them away from your
mission critical systems as quickly as possible.
Joe