IBM AS/400 INFORMATION SECURITY

CONTENTS
1. AUDIT PROGRAM
2. APPENDIX A: AS/400 CL (CONTROL LANGUAGE) PROGRAM
3. APPENDIX B: SYSTEM PARAMETERS
4. APPENDIX C: USER PROFILES
5. APPENDIX D: SPECIAL AUTHORITIES
6. APPENDIX E: SECURITY ROLES & RESPONSIBILITIES
7. APPENDIX F: OTHER SECURITY ISSUES

IBM AS/400 Information Security Audit Program

AUDIT PROGRAM

Note: The values and parameters can be obtained by running the AS/400 CL (Control Language) program in Appendix A. A listing of system parameters is in Appendix B.

Audit Completion Checklist
(Each section of the audit program is recorded against the columns Exceptions (Y/N), Date and W/P Ref.)
- System Values
- User Profiles
- Resource Security
- Adopted Authority
- System Utilities
- IBM Supplied User Profiles
- History Logs and Audit Journals
- Network Communications
- Physical Security
- Other

Explanatory Notes:
1. This document, "IBM AS/400 Information Security Audit Program", has been prepared as a guide for audit support engagements.
2. This audit program, which forms part of the standard CAS workpapers, is intended to guide our work on information security in an IBM AS/400 environment.
3. To tailor this audit program for an individual audit engagement, the following should be considered:
   - The background information on computer hardware, operating software, accounting applications and the computer control structure which has been documented in the "Accounting Process Profile".
   - Information security controls that have been identified during the risk assessment phase of the audit. These may include controls that address specific identified risks and/or potential errors.
4. Please note that, of the four EDP general control areas, this audit program addresses information security only. For background information on the IBM AS/400, or information on any of the four EDP general control areas, please refer to the booklet "IBM AS/400 Overview and Audit Considerations Guide".
SYSTEM VALUES

Objective
To ensure that system values have been set up in a manner which promotes control.

Audit Steps
- Obtain the system value listing for:
  Operational related system values: QSECURITY, QMAXSIGN, QINACTITV, QLMTDEVSSN
  Password system values: QPWDMINLEN, QPWDEXPITV
  Command: DSPSYSVAL SYSVAL(Q.....) OUTPUT(*PRINT)
- Review the listing for adequacy of the values. Minimum recommended system values are:
  QSECURITY    Level 30
  QMAXSIGN     3 attempts
  QINACTITV    45 minutes
  QLMTDEVSSN   1
  QPWDEXPITV   30
  QPWDMINLEN   5

USER PROFILES / MENU SECURITY

Objective
To ensure validity of users and proper segregation of duties:
- between the User Department (end-user) and EDP
- within the EDP department

Audit Steps
- Obtain a summary listing of all users:
  DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
- Review the listing and:
  - Check the validity of users.
  - Ensure that each user has been assigned a unique user profile.
  - Ensure users have been assigned to the appropriate user class. User classes are: *SECOFR, *SECADM, *PGMR, *SYSOPR, *USER.
  - Where users have been assigned to a group profile, ensure that the assignment is appropriate, e.g. programmers should not be assigned to a group profile with user class *SECOFR or *SECADM.
- Select a sample of users from the summary list and print their user profiles:
  DSPUSRPRF USRPRF(user-id) TYPE(*ALL) OUTPUT(*PRINT)
- Review the user profiles selected and check the following:
For end-users (generally these belong to the *USER class), check that:
- an initial program or an initial menu has been implemented;
- where an initial program is used, the initial menu is set to *SIGNOFF, so that the user is signed off if the program aborts due to processing problems;
- Limited Capability is set to *YES (Note: Limited Capability must be set to *YES for the initial menu/program to function effectively);
- the initial programs or menus do not give the user access to the command line (CL);
- users have not been allocated any special authorities. If *JOBCTL has been authorized, ensure that users only have access to their own output and job queues.

For user profiles without initial programs or menus, which are not limited capability users, and which have special authorities (*ALLOBJ, *SAVSYS, *SECADM, *SPLCTL, *SERVICE, *JOBCTL), ensure that such access is appropriate.

RESOURCE SECURITY

Objective
To ensure that production data and program files are protected from unauthorized access and modification.

Audit Steps
- Obtain a listing of all libraries in the system:
  DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) OUTPUT(*PRINT)
- Ensure that:
  - production objects are held in a separate library from development objects;
  - production source modules are held in a separate library from the production executable modules.
- Obtain a listing of objects and authorities for critical libraries (including QSYS and CL programs):
  DSPOBJAUT OBJ(library-name) OBJTYPE(*LIB) OUTPUT(*PRINT)
- Obtain a listing of authorities to critical objects (data files, programs in both source and executable versions, critical utilities):
  DSPOBJAUT OBJ(data-file-name) OBJTYPE(*FILE) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(program-name) OBJTYPE(*PGM) OUTPUT(*PRINT)
  Note: This may not need to be produced if the site is not relying on object security, or if menu and library security is adequate.
- Review the authority listings and evaluate the adequacy of the profiles allowed access and the level of access:
  - Ensure that programmers have a maximum right of *READ to production libraries, data files and programs.
  - Ensure that other EDP personnel have the appropriate rights assigned.
  - Ensure that users with access rights other than *READ to production libraries and objects are properly authorized by management.
  - Ensure that production libraries and objects are not owned by programmers or users.
- If an object has an authorization list, obtain a printout of the list and evaluate the adequacy of the profiles allowed and the level of access.

ADOPTED AUTHORITY

Objective
To ensure the validity of programs which adopt the authority of production programs or privileged users.

Audit Steps
- List all programs that are owned by QSECOFR and by users with special authority *ALLOBJ or *SECADM:
  DSPPGMADP USRPRF(user-profile-name) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(library-name/object-name) OBJTYPE(*PGM) OUTPUT(*PRINT)
  Note: These tasks may consume substantial machine resources. It may be advisable to consult the client's technical support function before running these procedures, or to run these jobs at a low-usage time.
- Inspect programs owned by the user, or which adopt the owner's authority, and ensure that the programs do not give the user access to command entry while running under the adopted profile.
- Check the validity of users who have access to programs that adopt the privileged owner's authority.

SYSTEM UTILITIES AND COMMANDS

Objective
To ensure that access to system utilities and security-related CL commands is restricted to authorized users.

Audit Steps
- Obtain library and object authority listings for system libraries, utilities and tools, including SQL, DFU and AS/400 Query:
  DSPOBJAUT OBJ(QIDU) OBJTYPE(*LIB) OUTPUT(*PRINT)
  DSPOBJAUT OBJ(object-name, e.g. DFU) OBJTYPE(e.g. *CMD, *PGM or *FILE) OUTPUT(*PRINT)
- Obtain object authority listings for critical security-related commands, including:
  PWRDWNSYS, VRYCFG, WRKUSRPRF, CHGPRF, SAVSYS, WRKSYSSTS,
  CRTJOBD, CHGJOBD, STRSST, STRSQL,
  CRTAUTHLR, DLTAUTHLR, CRTAUTL, DLTAUTL, EDTAUTL
  Command: DSPOBJAUT OBJ(command-name) OBJTYPE(*CMD) OUTPUT(*PRINT)
- Review the above authority listings:
  - Ensure that public access is *EXCLUDE.
  - Evaluate the appropriateness of access; e.g. the system operator should be the only user with access to the PWRDWNSYS, VRYCFG, SAVSYS and WRKSYSSTS commands.
- Inquire of the system manager whether users are allowed to access the following system request functions, and evaluate the adequacy of access:
  - Transfer to alternate job
  - End previous request
  - Display system operator messages

IBM SUPPLIED PROFILES

Objective
To ensure that IBM-assigned passwords for standard profiles have been changed from the default values.
Audit Steps
- Attempt to sign on to the following IBM-supplied user profiles using the IBM default password (i.e. the same as the user name):
  Security Officer    QSECOFR
  Programmer          QPGMR
  System Operator     QSYSOPR
  Workstation User    QUSER
  Service             QSRV
  Service Basic       QSRVBAS
- Verify that the following IBM-supplied user profiles have a password of *NONE, to prevent users from signing on with these profiles: QAUTPROF, QBRMS, QDBSHR, QDFTOWN, QDOC, QDSNX, QFNC, QGATE, QLPAUTO, QLPINSTALL, QMSF, QNETSPLF, QNFSANON, QSNADS, QSPL, QSPLJOB, QSYS, QTCP, QTSTRQS.

HISTORY LOGS / AUDIT JOURNALS

Objective
To ensure that security violations are recorded, monitored and followed up on a timely basis.

Audit Steps
- Review the QAUDLVL system value and evaluate the level of auditing on the system. Valid values for QAUDLVL are:
  *NONE       No security events are logged.
  *AUTFAIL    Each authority (object access) failure is logged.
  *DELETE     Each delete operation is logged.
  *SAVRST     Each restore operation is logged.
  *SECURITY   An entry is logged for each security-related function, including:
              - changing object authority;
              - creating, changing, deleting, displaying and restoring user profiles;
              - changing system values.
- If QAUDLVL is set to *NONE, inquire whether the system history log (QHST) is used to monitor security violations.
- If hard copies of logs are not retained, a listing of security messages relating to specific events may be obtained from the system history log:
  Command: DSPLOG LOG(QHST) PERIOD((start-time start-date) (end-time end-date)) MSGID(message-id) OUTPUT(*PRINT)
  (Security-related messages are those with a message ID in the CPF22.. range. Refer to IBM's CL Programmer's Guide.)
- Alternatively, use the audit journal:
  Command: DSPJRN JRN(QSYS/QAUDJRN) OUTPUT(*PRINT)
- Discuss security violations with the Security Officer.

NETWORK / COMMUNICATIONS

Objective
To ensure that remote access by users is appropriately controlled.
Note: The introduction of networks into an organization can expose it to potential security problems.

Audit Steps
- Inquire of the system manager whether users have remote access, and/or review user profiles to determine which users have remote access.
- Assess whether the access is appropriate.
- Check that automatic sign-ons from remote systems are appropriately controlled:
  DSPSYSVAL SYSVAL(QRMTSIGN) OUTPUT(*PRINT)
  Valid QRMTSIGN values are:
  0   Remote sign-on is not allowed.
  1   The user is required to sign on.
  2   Remote sign-on is allowed, including bypass of the sign-on display.
  The value should not be greater than 1.
- Obtain the following network attribute listings to determine whether the system processes requests from attached personal computers or from another system:
  DSPNETA OUTPUT(*PRINT)
  DDMACC   Determines how the AS/400, as a remote system, processes requests from other systems.
  PCSACC   Determines how requests from an attached PC are processed.
- Review the above listing and ensure that requests are processed in a controlled manner. There are three processing options:
  *REJECT        Rejects all PC Support or DDM requests, preventing access.
  *OBJAUT        Uses object authorization support to determine which users have access.
  *USERWRITTEN   Uses user-written programs to control or restrict PC Support users or DDM access.
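The system value checks in the System Values, History Logs and Network steps above can be applied mechanically once the DSPSYSVAL listing has been transcribed. The following is an added example (not part of the audit program): a Python check of a name-to-value dictionary against the recommended settings; the two sample value sets are taken from the initial and recommended columns of Appendix B, and the names QMAXSGNACN, QDSPSGNINF and QPWDEXPITV are the IBM spellings of the parameters those tables list.

```python
"""Check AS/400 system values against the settings this audit program recommends.

Added example, not part of the audit program.  Input is a dict of system value
name -> value as read from a DSPSYSVAL listing; the sample dicts below are
transcribed from the Appendix B table, not captured from a real system.
"""

from typing import Callable, Dict, List, Tuple


def at_most(limit: int) -> Callable[[str], bool]:
    # *NONE and *NOMAX never satisfy a ceiling: they switch the control off.
    return lambda v: v.isdigit() and int(v) <= limit


def at_least(limit: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) >= limit


def equals(expected: str) -> Callable[[str], bool]:
    return lambda v: v == expected


# (system value, recommended setting as stated in the audit program, acceptance test)
RULES: List[Tuple[str, str, Callable[[str], bool]]] = [
    ("QSECURITY", "level 30 or higher", at_least(30)),
    ("QMAXSIGN", "3 attempts or fewer", at_most(3)),
    ("QMAXSGNACN", "3 (disable profile and device)", equals("3")),
    ("QINACTITV", "45 minutes or less", at_most(45)),
    ("QINACTMSGQ", "*DSCJOB", equals("*DSCJOB")),
    ("QLMTDEVSSN", "1", equals("1")),
    ("QPWDEXPITV", "30 days or less", at_most(30)),
    ("QPWDMINLEN", "5 or more", at_least(5)),
    ("QPWDLMTAJC", "1", equals("1")),
    ("QPWDLMTREP", "1", equals("1")),
    ("QPWDRQDDGT", "1", equals("1")),
    ("QPWDRQDDIF", "1 (32 generations)", equals("1")),
    ("QDSPSGNINF", "1", equals("1")),
    # QAUDLVL may hold several values; *SECURITY must be one of them.
    ("QAUDLVL", "includes *SECURITY", lambda v: "*SECURITY" in v.split()),
    ("QRMTSIGN", "*FRCSIGNON", equals("*FRCSIGNON")),
]


def check_system_values(values: Dict[str, str]) -> Dict[str, str]:
    """Map each failing (or absent) system value to an exception message.

    A value missing from the listing is an exception too: the auditor cannot
    treat silence as compliance.
    """
    exceptions: Dict[str, str] = {}
    for name, expected, ok in RULES:
        actual = values.get(name)
        if actual is None:
            exceptions[name] = f"not in listing; expected {expected}"
        elif not ok(actual.strip()):
            exceptions[name] = f"is {actual}; expected {expected}"
    return exceptions


# Initial values as tabulated in Appendix B (the shipped settings, per the page).
APPENDIX_B_INITIAL: Dict[str, str] = {
    "QSECURITY": "30", "QAUDLVL": "*SECURITY", "QMAXSIGN": "5", "QMAXSGNACN": "3",
    "QINACTITV": "*NONE", "QINACTMSGQ": "*DSCJOB", "QLMTDEVSSN": "0",
    "QPWDEXPITV": "*NOMAX", "QPWDMINLEN": "3", "QPWDLMTAJC": "0",
    "QPWDLMTREP": "0", "QPWDRQDDGT": "0", "QPWDRQDDIF": "0",
    "QDSPSGNINF": "0", "QRMTSIGN": "*VERIFY",
}

# The recommended column of the same table.
APPENDIX_B_RECOMMENDED: Dict[str, str] = {
    **APPENDIX_B_INITIAL,
    "QMAXSIGN": "3", "QINACTITV": "30", "QLMTDEVSSN": "1", "QPWDEXPITV": "30",
    "QPWDMINLEN": "5", "QPWDLMTAJC": "1", "QPWDLMTREP": "1", "QPWDRQDDGT": "1",
    "QPWDRQDDIF": "1", "QDSPSGNINF": "1", "QRMTSIGN": "*FRCSIGNON",
}

if __name__ == "__main__":
    for name, message in check_system_values(APPENDIX_B_INITIAL).items():
        print(f"Exception: {name} {message}")
```

Run as a script it lists the eleven Appendix B initial values that fall short of the recommendations; the recommended column produces no exceptions.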
PHYSICAL SECURITY

Objective
To ensure that the keylock is set to prevent any unauthorized user from manually powering off the system, performing an initial program load, or using the dedicated service tools function.

Audit Steps
- Check the keylock switch and ensure that it is set to a secure position (preferably the SECURE or AUTO position).
- Ensure that the key is removed from the switch and that control over it is reserved to the System Manager.

APPENDIX A: AS/400 CL (CONTROL LANGUAGE) PROGRAM

The following program was designed to gather security, network, user profile and command information from the AS/400. An AS/400 programmer should be able to use this code as a template for a CL program to pull audit information from the company's box.

    PGM
    /* SYSTEM VALUES, AUTHORITY TO QSYS, NETWORK ATTRIBUTES, DEFAULT PASSWORDS */
    WRKSYSVAL OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/QSYS) OBJTYPE(*LIB) OUTPUT(*PRINT)
    MONMSG MSGID(CPF0000)
    DSPNETA OUTPUT(*PRINT)
    ANZDFTPWD ACTION(*NONE)
    /* LIBRARIES AND USER SUMMARY */
    DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*LIB) OUTPUT(*PRINT)
    DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)
    /* CREATE OUTFILE OF USER PROFILE INFORMATION */
    /* (REPLACE ????? WITH THE LIBRARY THAT IS TO RECEIVE THE OUTFILE) */
    DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(?????/USRPRFS)
    /* RUN QUERY (ALREADY CREATED) TO EXTRACT NEEDED INFORMATION */
    RUNQRY QRY(USRPRFS) QRYFILE((USRPRFS))
    DLTF FILE(USRPRFS)
    MONMSG MSGID(CPF0000)
    /* AUTHORITY TO SECURITY-RELATED COMMANDS AND UTILITIES */
    DSPOBJAUT OBJ(QSYS/CHGNETA) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/DLTLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CLRLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CRTLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CHGLIB) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/DLTF) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CLRPFM) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/STRCMNTRC) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/STRSST) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CRTQMQRY) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/WRKQRY) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/STRDFU) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/CHGDTA) OBJTYPE(*CMD) OUTPUT(*PRINT)
    DSPOBJAUT OBJ(QSYS/UPDDTA) OBJTYPE(*CMD) OUTPUT(*PRINT)
    ENDPGM

The query should be designed to extract the following fields:
- User profile (user ID)
- Previous sign-on
- Status
- Password expiration interval
- User class
- Special authority
- Group profile
- Owner
- Supplemental groups
- Current library
- Initial program and library
- Initial menu and library
- Limit capabilities
- Text
- Display sign-on information
- Limit device sessions
- Job description and library
- Accounting code
- Object auditing values
- Action auditing values

APPENDIX B: SYSTEM PARAMETERS

There are a number of global system parameters within the AS/400 system which determine how the system will operate. Included in these are parameters which determine the level of security that will be enforced by the system. Recommended values for the security-related parameters are described in detail below. Each entry gives the system parameter, its initial value, the recommended value and comments.

Sign-On Related Parameters

QDSPSGNINF (Display Sign-On Information)
  Initial value: 0    Recommended value: 1
  If the value is set to 1, the date of the last sign-on and any previous invalid sign-on attempts are displayed to the user. Users should be instructed to review this information and report any suspected attempts at misuse of their user ID.

QMAXSGNACN (Action to Take for Failed Sign-On Attempts)
  Initial value: 3    Recommended value: 3
  In the event of too many invalid sign-on attempts, this will disable the user profile as well as prevent any more sign-on attempts from that device. The maximum number of invalid sign-on attempts allowed is determined by the next parameter.

QMAXSIGN (Maximum Number of Sign-On Attempts)
  Initial value: 5    Recommended value: 3
  This restricts the number of times a user can incorrectly attempt to sign on to the system before being disabled. The action taken by the system when this number is exceeded is determined by the preceding parameter.

Password Related Parameters

Passwords are the principal means for ensuring that access to the computer system is secure. It is therefore important that adequate controls over passwords are implemented to ensure that they are not easily compromised. The following parameters control passwords used to access the AS/400.

QPWDEXPITV (Password Expiration Interval)
  Initial value: *NOMAX    Recommended value: 30 to 60
  A password change interval of 30 to 60 days is recommended. If a standard change interval has been established for the LAN environment, we recommend that a similar interval be established for the AS/400.

QPWDLMTAJC (Limit Adjacent Digits in Password)
  Initial value: 0    Recommended value: 1
  This will restrict users from using adjacent digits in a password. By doing so, users will be prevented from using easy-to-guess passwords such as their birth dates or social security numbers.

QPWDLMTCHR (Limit Characters in Password)
  Initial value: *NONE    Recommended value: *NONE
  This parameter allows one to prevent users from using certain characters in their passwords. It is not considered practical or necessary to restrict the use of certain characters.

QPWDLMTREP (Limit Repeating Characters in Password)
  Initial value: 0    Recommended value: 1
  This limits the use of repeating characters within passwords, thus improving the level of password security. For example, users cannot use "AAAAA" as a password.

QPWDMAXLEN (Maximum Length of Passwords)
  Initial value: 10    Recommended value: 10
  This limits the length of a password to 10 alphanumeric characters.

QPWDMINLEN (Minimum Length of Passwords)
  Initial value: 3    Recommended value: 5
  This forces passwords to a minimum length of 5 alphanumeric characters.

QPWDPOSDIF (Limit Password Character Positions)
  Initial value: 0    Recommended value: 0
  This means characters can be used in the same position from one password to the next. Although a value of 1 would restrict users from using characters in the same position from one password to the next, and therefore enforce greater password security, this is not considered practical.

QPWDRQDDGT (Require a Digit in the Password)
  Initial value: 0    Recommended value: 1
  This forces users to use at least one digit in their passwords, thereby increasing password complexity.

QPWDRQDDIF (Duplicate Password Control)
  Initial value: 0    Recommended value: 1
  This prevents passwords from being reused for 32 generations for a user ID.

Inactive Terminal Parameters

The following parameters are used to control whether the system takes action if a display has been signed on but not used for a specified period of time.

QINACTITV (Inactive Job Time-Out)
  Initial value: *NONE    Recommended value: 30
  The system will automatically log a user off the system after 30 minutes of inactivity. The action that the system will take when the time limit expires is determined by the value of the next parameter.

QINACTMSGQ (Inactive Job Message Queue)
  Initial value: *DSCJOB    Recommended value: *DSCJOB
  When the time limit set by QINACTITV expires, the system will disconnect the inactive job. By disconnecting, as opposed to ending the job, the job is only temporarily suspended and will resume when the same user signs on again at the workstation.

QDSCJOBITV (Time Interval before Disconnected Jobs End)
  Initial value: 180    Recommended value: 180
  This parameter determines how long jobs which have been suspended by the system will be maintained before the system automatically ends them.

General Security Parameters

QLMTDEVSSN (Limit Device Sessions)
  Initial value: 0    Recommended value: 1
  This will limit concurrent device sessions for a specific user. Most users should not need more than one session. For users that require multiple sessions, this can be overridden in their user profile.

QLMTSECOFR (Limit Security Officer Device Access)
  Initial value: 0    Recommended value: 0
  This will allow the security officer to use any device to gain access to the system.

QRMTSIGN (Remote Sign-On)
  Initial value: *VERIFY    Recommended value: *FRCSIGNON
  This requires all remote users to sign on through the regular sign-on procedures. A value of *VERIFY allows users to bypass normal sign-on procedures.

QSECURITY (Security Level)
  Initial value: 30    Recommended value: 30
  This parameter determines the overall level of security for the AS/400. The following levels are supported:
  Level 10: The lowest level. Minimal security is enforced. No password is required; users are simply required to enter a user ID to access the system.
  Level 20: At this level, users are required to use passwords, and initial menu/program security can be enforced. However, users still have access to all objects unless specifically restricted from having such access.
  Level 30: Requires use of a user ID and password. At this level, the system automatically prevents users from accessing objects (files, directories, etc.) and system resources unless they have been explicitly authorized to do so. This is the recommended setting.
  Level 40: Similar to Level 30, but programs that attempt to access objects through interfaces that are not supported will fail.

QAUDLVL (Security Auditing Level)
  Initial value: *SECURITY    Recommended value: *SECURITY
  This ensures that all security-related functions are audited and stored in a log file for review and follow-up.

APPENDIX C: USER PROFILES

To ensure individual accountability, each authorized user should be assigned a unique user ID and given a unique, confidential password for gaining access to the system. User profiles should be used in combination with group profiles to control user access to programs, data and system resources.

User Class
The user class determines the default privileged access authorities which are assigned to users.
The user class assigned to a user should be based on their particular roles and responsibilities (see the Roles and Responsibilities section). The following user classes are available:

Security Officer (*SECOFR): This is the highest level of security for the AS/400 and should be restricted to the System Manager, Security Administrator and Backup Security Administrator. Users with this status have access to all resources on the AS/400.

Security Administrator (*SECADM): This class is for users who are required to perform security administration tasks, such as adding, modifying or deleting user profiles, but who do not require all of the privileges given to the Security Officer.

Programmer (*PGMR): This class is for programmers only, and allows them privileges which are not usually granted to users, such as the ability to access the command line and use tools such as Query.

Operator (*SYSOPR): This class of user is for those persons who need to perform certain computer operations, like backing up program and data files and controlling output queues. Operator privilege should therefore be restricted to the Computer Operations staff.

User (*USER): This class is for those persons who require no special authorities. All employees who do not fall into one of the classes above should be assigned to this class.

APPENDIX D: SPECIAL AUTHORITIES

Special authorities allow users to perform certain system functions, such as save/restore functions, job manipulation, spool file manipulation and user profile administration. They work in conjunction with the user class as described above. The following special authorities are available:

All Object (*ALLOBJ): Users provided with this authority are allowed to access any object on the AS/400 system, i.e. they can access everything. This authority should only be granted to users with Security Officer status.
Security Administration (*SECADM): Users provided with this authority can add, change and delete users and user profiles.

Save System (*SAVSYS): Users provided with this authority can save and restore any AS/400 objects to which they are authorized.

Job Control (*JOBCTL): Users provided with this authority can change, display, hold, release, cancel and clear all jobs on the system.

Service (*SERVICE): Users provided with this authority can perform functions with the System Service Tools. These tools provide numerous capabilities, including the ability to trace data on communication lines. This capability should only be granted to users with Security Officer status, and to IBM service personnel on an as-needed basis.

Spool Control (*SPLCTL): Users with this authority can delete, display, hold or release files owned by other users.

None (*NONE): Users with this authority have no access to any of the special authorities described above.

The default special authorities assigned by the system are based on the value specified in the user class parameter. The following table displays the special authorities assigned by default to the various user classes.

User Class   Special Authorities
*SECOFR      *ALLOBJ *SECADM *SAVSYS *JOBCTL *SERVICE *SPLCTL
*SECADM      *SECADM *SAVSYS *JOBCTL
*PGMR        *SAVSYS *JOBCTL
*SYSOPR      *SAVSYS *JOBCTL
*USER        *NONE (no special authorities are assigned)

It is recommended that, unless absolutely required to perform their duties, users not be granted any special authorities other than those assigned by their user class. For example, a user with a user class of *PGMR should not be assigned the *SPLCTL special authority, and someone with *USER should not be assigned *JOBCTL authority.
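The class defaults in the table above, together with the end-user checks in the User Profiles audit step, can be applied to the fields the Appendix A query extracts. The following is an added example (not part of the audit program): a Python review of user profile records that flags special authorities beyond the class defaults, end-user profiles without menu or limited-capability controls, membership of security-class group profiles, and privileged profiles with unrestricted command entry. The record layout, the sample profiles and the assumption that MAIN is the shipped default initial menu are mine, not the page's.

```python
"""Review extracted user profile fields against the User Profiles audit step
and the Appendix D class defaults.

Added example, not part of the audit program.  The Profile fields mirror the
columns the Appendix A query extracts; SAMPLE_PROFILES are constructed records,
not taken from a real system.
"""

from dataclasses import dataclass
from typing import Dict, List

# Special authorities assigned by default to each user class (Appendix D table).
CLASS_DEFAULTS: Dict[str, set] = {
    "*SECOFR": {"*ALLOBJ", "*SECADM", "*SAVSYS", "*JOBCTL", "*SERVICE", "*SPLCTL"},
    "*SECADM": {"*SECADM", "*SAVSYS", "*JOBCTL"},
    "*PGMR": {"*SAVSYS", "*JOBCTL"},
    "*SYSOPR": {"*SAVSYS", "*JOBCTL"},
    "*USER": set(),
}
SECURITY_CLASSES = {"*SECOFR", "*SECADM"}


@dataclass(frozen=True)
class Profile:
    name: str
    user_class: str
    special_authorities: frozenset = frozenset()   # empty means *NONE
    group_profile: str = "*NONE"
    initial_program: str = "*NONE"
    initial_menu: str = "MAIN"          # assumption: MAIN is the shipped default menu
    limit_capabilities: str = "*NO"     # *YES, *PARTIAL or *NO


def review_profile(p: Profile, all_profiles: Dict[str, Profile]) -> List[str]:
    """Return one finding per failed check; an empty list means no exceptions."""
    findings: List[str] = []

    # Appendix D: no special authorities beyond those the user class assigns.
    extra = p.special_authorities - CLASS_DEFAULTS.get(p.user_class, set())
    if extra:
        findings.append(f"SPCAUT: {p.name} holds {sorted(extra)} beyond {p.user_class} defaults")

    # End-user checks from the User Profiles / Menu Security audit step.
    if p.user_class == "*USER":
        if p.limit_capabilities != "*YES":
            findings.append(f"LMTCPB: {p.name} is {p.limit_capabilities}; end users should be *YES")
        if p.initial_program == "*NONE" and p.initial_menu == "MAIN":
            findings.append(f"INLPGM: {p.name} has neither an initial program nor a restricted menu")
        if p.initial_program != "*NONE" and p.initial_menu != "*SIGNOFF":
            findings.append(f"INLMNU: {p.name} runs {p.initial_program} but menu is "
                            f"{p.initial_menu}, not *SIGNOFF")
        if "*JOBCTL" in p.special_authorities:
            findings.append(f"JOBCTL: confirm {p.name} can reach only its own output and job queues")

    # Group membership: a non-security class user inheriting a *SECOFR/*SECADM group.
    group = all_profiles.get(p.group_profile)
    if group and group.user_class in SECURITY_CLASSES and p.user_class not in SECURITY_CLASSES:
        findings.append(f"GRPPRF: {p.name} ({p.user_class}) belongs to {group.name} ({group.user_class})")

    # Privileged profile with no initial program and no limited capability: review.
    if p.special_authorities and p.limit_capabilities == "*NO" and p.initial_program == "*NONE":
        findings.append(f"REVIEW: {p.name} has special authorities and unrestricted command entry")
    return findings


def review_all(profiles: List[Profile]) -> Dict[str, List[str]]:
    """Review every profile; only profiles with findings appear in the result."""
    by_name = {p.name: p for p in profiles}
    report: Dict[str, List[str]] = {}
    for p in profiles:
        findings = review_profile(p, by_name)
        if findings:
            report[p.name] = findings
    return report


# Constructed sample records, as the Appendix A query might extract them.
SAMPLE_PROFILES = [
    Profile("SECGRP", "*SECOFR", frozenset(CLASS_DEFAULTS["*SECOFR"]), initial_menu="*SIGNOFF"),
    Profile("PGMR1", "*PGMR", frozenset({"*SAVSYS", "*JOBCTL"}), group_profile="SECGRP"),
    Profile("OPER1", "*SYSOPR", frozenset({"*SAVSYS", "*JOBCTL", "*SPLCTL"}),
            limit_capabilities="*PARTIAL"),
    Profile("JSMITH", "*USER", frozenset({"*JOBCTL"})),
    Profile("CLERK2", "*USER", initial_program="ORDERS", initial_menu="*SIGNOFF",
            limit_capabilities="*YES"),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_PROFILES).items():
        for finding in findings:
            print(finding)
```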
Limit Capabilities
The Limit Capabilities parameter can be used to prevent users from modifying their current library, attention key program, and initial menu and program, as well as to limit their ability to execute system commands.
- Limit Capabilities = *YES is the most restrictive control, as it prevents users from changing any of their initial program, menu and library settings and restricts them from entering system commands.
- Limit Capabilities = *PARTIAL allows users to change their initial menu settings and run certain system commands.
- Limit Capabilities = *NO is the least restrictive, as a user with this setting can change anything on their sign-on screen and run all system commands.

The following table displays the recommended limit capability settings for the various classes of users. (Only the row and column headings of the table are recoverable; the recommended setting for each class was marked with an X in the original.)

User Class:                 *SECOFR, *SECADM, *PGMR, *SYSOPR, *USER
Limited Capability Setting: *YES, *PARTIAL, *NO

Initial Password Expiration
The value for the "Set password to expired" field should be set to *YES. This will ensure that users are required to change new passwords immediately, and that they are the only persons with knowledge of their passwords.

Initial Menu and Initial Program
Users should be restricted to the initial program and menus that they require for their job-related responsibilities. By restricting users in this way, they will be forced to operate within the constraints of a predefined menu and, in conjunction with Limited Capabilities, will be prevented from issuing operating system commands.

System Value Settings
The values of the following security-related parameters in the user profiles should be set to *SYSVAL (i.e.
they will automatically default to the same value as the parameter established in the system parameters):
- Sign-on attempts not valid
- Password expiration interval
- Display sign-on information
- Limit device sessions
- Attention program

Default User Profiles
There are a number of user profiles which are supplied by IBM with the AS/400 system. The passwords for these profiles are always the same as the user ID, and therefore changing these passwords after installation is essential to prevent unauthorized persons from accessing the system. The new passwords should be written down and kept in a sealed envelope which is stored in a secure place. The passwords for the following IBM-supplied user profiles should be changed: QSECOFR, QSYSOPR, QPGMR, QUSER, QSRV, QSRVBAS.

During system maintenance, it may be necessary to provide the IBM representatives with the passwords to the QSRV and QSRVBAS profiles. It is important that, once they have completed their work, the passwords are changed again immediately. The QSECOFR ID should only be used in the event of AS/400 system upgrades, or in other cases only if absolutely needed.

APPENDIX E: SECURITY ROLES & RESPONSIBILITIES

The following structure for the administration and management of AS/400 security is recommended:
- System Manager
- Security Administrator (and Backup System Manager)
- Backup Security Administrator

A brief description of these roles is outlined below.

System Manager
The System Manager is responsible for overseeing all activities performed on the AS/400 system, including backup, computer operations, performance monitoring, hardware maintenance/upgrades, installation of system software upgrades, and security.
The System Manager's responsibilities relating to security include:
- Setting security policies and procedures for the AS/400 system
- Determining the appropriate configuration of system parameters which affect security
- Monitoring the activities of the Security Administrator, and ensuring that security procedures are being followed
- Ensuring that either the Security Administrator or the Backup Security Administrator is present to perform security-related tasks
- Reviewing security violations and determining the appropriate action to be taken

The System Manager should also be responsible for maintaining the password to the QSECOFR user ID. This ID has access to all system resources and should only be used in an emergency situation.

Security Administrator
The Security Administrator's responsibilities include:
- Assigning unique user IDs and individual passwords to users
- Controlling access to data, programs and resources through maintenance of individual and group user IDs
- Resetting lost or forgotten passwords
- Resetting the user IDs and workstations of users who are locked out of the system after too many incorrect sign-on attempts
- Disabling user IDs assigned to employees who are terminated, retired, separated or transferred
- Assigning user classes and special authorities (such as *JOBCTL) as authorized by management
- Maintaining the passwords for the default IBM-supplied user IDs, except for QSECOFR
- Issuing temporary user IDs and passwords to authorized vendor personnel (e.g.
  IBM service staff) and ensuring that the passwords are changed or the IDs removed from the system after the vendors have completed their tasks
- Controlling dial-up access by employees and external vendors, and maintaining a log of all dial-up access sessions
- Monitoring security and reviewing security-related audit reports
- Reporting security violations to the System Manager

Backup Security Administrator
The Backup Security Administrator should be trained so that they are able to perform all of the tasks that the Security Administrator performs. The Backup Administrator should only perform security-related tasks when the Security Administrator is unavailable. This will ensure that there is always someone available to perform security-related tasks such as setting up new users and resetting user IDs and passwords.

Recommended User Classes
The following user classes are recommended for the System Manager, Security Administrator and Backup Security Administrator user IDs. In all cases, it is recommended that they have one user ID to perform their regular job functions and a separate ID which they use to perform system- or security-related functions.

Role                            User Class
System Manager                  *SECOFR
Security Administrator          *SECADM
Backup Security Administrator   *SECADM

There should be no reason for any other users to have access to user IDs with *SECOFR or *SECADM status. If users need user profiles added or changed, they should request the designated Security Administrator to perform this function. If for some reason an employee does require access to an ID with *SECOFR or *SECADM status, they should be granted such access on a temporary basis only.

APPENDIX F: OTHER SECURITY ISSUES

Access Request Procedures
Access request procedures for the AS/400 should be formalized. It is recommended that AS/400 access requests be channeled through the application support supervisors.
That is, all requests for AS/400 access would first be sent to them and they, in turn, would request the AS/400 Security Administrator to create or change a user profile on the AS/400. Users should request access to a particular application from the appropriate application support supervisor. If the application support supervisor approves the access request, they should send an E-mail to the Security Administrator requesting an AS/400 user ID. Upon receiving the E-mail, the Security Administrator should create the user profile and then send an E-mail back to the application support supervisor confirming that the user profile has been created. Hard copies of the E-mail requests from the application support supervisors should be maintained by the Security Administrator as evidence of access approval Resetting of User IDs and Passwords In the event that a user forgets their password, or incorrectly attempts to sign on to the AS/400 more than three times and is locked out, they should immediately contact the Security Administrator or his designated backup. The Security Administrator is responsible for verifying that a user who has forgotten their password or is locked out of the system is actually the person they claim to be and not an impostor. In this regard, users should be required to repeat the first four digits of their social security numbers to the Security Administrator as a means of verification. Dial-In Access The AS/400 contains a built-in modem which allows remote access capabilities. Access to the system by employees or outside vendors using this modem should be restricted to those persons authorized by Management. In order to control remote access, the modem should be turned off when not in use, and should only be activated by the Security Administrator. When someone requires access, they should contact the Security Administrator and request that the modem be IBM AS/400 Information Security Audit Program Page 40 activated. 
If the Security Administrator is satisfied that the person is allowed to access the system via modem, they will activate the modem and allow the person to access the system. The modem should be turned off again by the Security Administrator once the person has completed their task. The Security Administrator should maintain a log of all remote accesses using this modem. The following information should be maintained in the log: Date and time of access Person accessing the system Reason for access User Department Responsibilities Responsibilities of the user departments should include: Administering and maintaining all application related security Providing user support for application system queries or problems Coordinating and liaison with IS regarding hardware requirements and any other system related issues which affect the application Liaison with application vendors and IS regarding software upgrades and program changes Coordinating with the IS department regarding vendor access to the system Submitting requests for changes and enhancements to the application vendors Maintaining a log of all changes and enhancements requested and implemented Communicating problems to application vendors Participating in user support group meetings. Evaluating user needs for custom reports and developing such reports, either internally or with external assistance Maintaining application system tables and master files Developing, maintaining and enforcing application related policies and procedures IBM AS/400 Information Security Audit Program Page 41
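As an added audit check that is not part of this audit program, the following Python script applies the Recommended User Classes rule from Appendix E to a constructed user-profile extract: it flags any *SECOFR or *SECADM profile not held by one of the three designated roles, a designated ID carrying the wrong class, a role holder with no separate non-privileged ID for regular work, and, one step beyond the table, membership of a group profile that is itself privileged. The user IDs, the pipe-delimited extract format and its "holder" column are assumptions; a real DSPUSRPRF or DSPAUTUSR listing would need its own parser.

```python
# Added audit check for the Recommended User Classes rule (Appendix E); not
# part of the original audit program. It reads a constructed pipe-delimited
# extract (user ID|user class|group profile|holder); real DSPUSRPRF or
# DSPAUTUSR output would need its own parser.
from collections import namedtuple

Profile = namedtuple("Profile", "user_id user_class group_profile holder")
PRIVILEGED = {"*SECOFR", "*SECADM"}
# Role map from the appendix (user IDs are constructed placeholders):
# System Manager -> *SECOFR, Security Administrator and Backup -> *SECADM.
DESIGNATED = {
    "JSMITHSEC": ("System Manager", "*SECOFR"),
    "AJONESSEC": ("Security Administrator", "*SECADM"),
    "BLEE": ("Backup Security Administrator", "*SECADM"),
}
# Constructed sample extract, one profile per line.
SAMPLE_EXTRACT = """\
JSMITH|*USER|*NONE|J. Smith
JSMITHSEC|*SECOFR|*NONE|J. Smith
AJONES|*USER|*NONE|A. Jones
AJONESSEC|*SECADM|*NONE|A. Jones
BLEE|*SECADM|*NONE|B. Lee
GRPSEC|*SECOFR|*NONE|group
PGM01|*PGMR|GRPSEC|P. Gupta
"""


def parse_extract(text):
    """Turn the pipe-delimited extract into Profile records."""
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return [Profile(*[f.strip() for f in r]) for r in rows]


def audit_user_classes(profiles, designated=DESIGNATED):
    """Return findings that violate the Appendix E user-class rules."""
    findings = []
    class_of = {p.user_id: p.user_class for p in profiles}
    for p in profiles:
        if p.user_id in designated:
            role, expected = designated[p.user_id]
            if p.user_class != expected:
                findings.append(f"{p.user_id}: {role} should be {expected}, is {p.user_class}")
        elif p.user_class in PRIVILEGED:
            findings.append(f"{p.user_id}: {p.user_class} held by a non-designated user")
        if class_of.get(p.group_profile) in PRIVILEGED:  # member inherits group authority
            findings.append(f"{p.user_id}: member of privileged group {p.group_profile}")
    # Each role holder should also have a separate ID for regular work.
    for holder in sorted({p.holder for p in profiles if p.user_id in designated}):
        own = [p for p in profiles if p.holder == holder]
        if not any(p.user_class not in PRIVILEGED for p in own):
            findings.append(f"{holder}: no separate non-privileged ID for regular work")
    return findings
```

Run against the sample extract, `audit_user_classes(parse_extract(SAMPLE_EXTRACT))` reports the stray GRPSEC profile, the programmer who belongs to it, and the backup administrator who has only a privileged ID.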
