× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



I respectfully disagree - QSECOFR is disabled on all of my partitions (my
user profile is QSECOFR equivalent) and is only enabled when some lame POS
(piece of software) absolutely must have QSECOFR to install - which is
almost never. Additionally, I have been in many security sessions where it
was specifically recommended to disable QSECOFR.

Additionally, QPGMR,QSRV, and QSYSOPR are disabled on all partitions. All
other 'Q' profiles are left as shipped unless I have stumbled across some
IBM document that specifically states that they can be disabled.

There are a few Q profiles that simply won't allow you to change them
period and a few that I don't think I would want to disable (such as QTCP,
QLPINSTALL, and QSYS to name a few).

Thanks,

Steve McKay
(205) 585-8424
samckay1@xxxxxxxxx



On Tue, Oct 8, 2019 at 4:21 PM Rob Berendt <rob@xxxxxxxxx> wrote:

Do not disable QSECOFR. So much will fail.
You know how you can adopt programs to run under QSECOFR?
You know how you can use profile swapping to run under QSECOFR?
Well, IBM has some internal methods which are not known to us Muggles
which also run under QSECOFR. I found this out by tapping the audit
journals in an effort to find when high profile users are being used. It
happens so often it will blow your mind.

Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 2505 Dekko Drive
Garrett, IN 46738
Ship to: Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of
iseriesstuff@xxxxxxxxx
Sent: Tuesday, October 8, 2019 1:15 PM
To: 'Midrange Systems Technical Discussion' <midrange-l@xxxxxxxxxxxxxxxxxx

Subject: disable all Q* ibm supplied profiles and chaning default passwords

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know
the content is safe.


We are working on PCI compliance stuff. An audit showed some of the ibm
supplied profiles still have default passwords.



I would like to change all default passwords and disable all Q* profiles. I
did create an alternate qsecofr profile with strong user/password naming.



Does anyone see any issues with doing this? I know IBM uses a bunch of
those
profiles for internal stuff.

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com


As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.