Re: Disable QSECOFR?

Per the docs, a disabled QSECOFR can log on the console. Is that not true?
https://www.ibm.com/support/pages/qsecofr-profile-disabled

Thanks


date: Thu, 6 May 2021 14:18:59 -0500

from: <midrangel@xxxxxxxxxxxxxxxxx>
subject: RE: Disable QSECOFR?

It's a great idea until you need QSECOFR to do something on the system

and

all your other high authority profiles are disabled, and the profile you
have does not have sufficient authority.

So you can sign into DST to reset the IBM i QSECOFR profile, but damn

that

just got disabled too. Now you don't have ANY high authority profiles to
fix whatever it is that requires high authority. If you can't get one of
those two profiles fixed then to recover them you must reload the system
(entirely) from tape.

Yea, great idea. (OK I'm a bit snarky here but at some point you gotta
wonder who am I protecting?)

Yes long passwords
Yes restrict devices
Monitor security logs to look for attempts to hack it
Make DANG sure you have a profile (no Q in first position) that is a back
up
that is as heavily protected/restricted.
Disabled, not on my systems.

--
Jim Oberholtzer
Agile Technology Architects

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related
questions.

Help support midrange.com by shopping at amazon.com with our affiliate
link: https://amazon.midrange.com