

COMMENTS

2. What security level has been set for the system? (QSECURITY)
(This variable can be 10, 20, 30, or 40. At setting 10, no password verification is performed, and user profiles are created as the user logs on to the system. At level 20, password verification is performed, but users still have access to every resource on the system. Level 30 enables resource security. Level 40 will cause failures if certain instructions are attempted that could compromise system integrity. Level 40 is recommended only after successful operation at level 30, since level 40 will cause failures that are only logged at level 30.)
Y/N 3. Have procedures and approvals been defined to authorize users to access the system? [These procedures could encompass new hires (adding a profile), job changes (linking a user profile to a different group profile), and separations (changing the user password to *NONE upon separation and removal of the user profile after any objects owned by the user are transferred to another user).]

COMMENTS

4. User Profile Management

Y/N a. Is each user assigned a unique profile?
Y/N b. Is a new user required to change his/her password at first sign-on? (QPWDEXP)
Y/N c. Do all users change their passwords regularly? (QPWDEXPITV) What is the maximum number of days between password changes?
Y/N d. Are end users of the system confined to menus?
Y/N e. Is there a limit on unsuccessful access attempts (QMAXSIGN)? What is the limit? (Note that in OS/400 Release 2, it is possible to suspend the user profile after a predetermined number of invalid sign-on attempts.)
Y/N f. Are terminal users notified of their last sign-on and the number of invalid sign-on attempts each time they access the system? (QDSPSGNINF)

COMMENTS

Y/N 5. Are inactive user profiles (i.e., no sign-ons for XXX days) automatically revoked? After how many days?

COMMENTS

Y/N 6. Are terminal users limited to one terminal at a time? (QLMTDEVSSN)
Restricting users to one terminal session per userid may reduce the sharing of user accounts. System variable QLMTDEVSSN = 1 will restrict users to one session. The default is 0, unlimited. If a limited number of users must be able to sign on to multiple sessions, this can be specified in the user profiles for those users, rather than allowing all users to have multiple sessions.

COMMENTS

Y/N 7. Have all user profiles been appropriately assigned to a class: Security Officer (*SECOFR); Security Administrator (*SECADM); Programmer (*PGMR); System Operator (*SYSOPR); or End User (*USER)?
8. Password Syntax—Are the following being used?
Y/N a. Password minimum length (QPWDMINLEN) What length is specified? ___
Y/N b. Restricted characters (QPWDLMTCHR) This can be useful in preventing common words or names by restricting use of vowels. Up to ten characters.
Y/N c. Consecutive digits (QPWDLMTAJC) This can be used to prevent use of phone numbers, birthdays, etc.
Y/N d. Repeated characters (QPWDLMTREP) This can prevent the use of passwords like MMM, 0000, etc.
Y/N e. Required digits (QPWDRQDDGT) This is also directed at preventing the use of common words or names by requiring at least one digit somewhere in the password.
Y/N f. Password reuse (QPWDRQDDIF) This feature causes the system to record the last 32 passwords used by each user and prevents any of those 32 from being used again.

COMMENTS

Y/N 9. Are terminal users automatically signed off after a specified period of inactivity? (QINACTITV)
What is the time interval?
System variable QINACTITV can be set from 5 to 300 minutes. It should be set to a reasonable level. Default is *NONE, no time out limit. In addition, the system variable QINACTMSGQ should be set to *ENDJOB. This will end inactive jobs as opposed to simply sending a message to the specified queue. Care should be taken in implementing this technique as it may terminate lengthy interactive jobs.

COMMENTS
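As an added example (not code from the original checklist), a small Python checker that scores a captured set of system values against items 2 through 10 above: the system value names and recommended settings come from the checklist, the sample snapshot is constructed, and the minimum password length threshold is an assumption because the checklist leaves that length blank.

```python
# Added example (not from the original page): evaluate AS/400 system values,
# as an auditor would record them from DSPSYSVAL, against the checklist items
# above. Rule thresholds follow the checklist; the password-length threshold
# is an assumption because the checklist leaves that length blank.

MIN_PWD_LEN = 6  # assumed policy value; the checklist leaves "___" for it

# Constructed snapshot of a weakly configured system (sample data, not real).
SAMPLE_SYSVALS = {
    "QSECURITY": "20", "QPWDEXPITV": "*NOMAX", "QMAXSIGN": "*NOMAX",
    "QLMTDEVSSN": "0", "QPWDMINLEN": "4", "QPWDRQDDGT": "0",
    "QPWDLMTREP": "0", "QPWDRQDDIF": "0", "QINACTITV": "*NONE",
    "QINACTMSGQ": "*DSCJOB", "QAUDLVL": "*NONE",
}

def _num(value, default=0):
    """Numeric system values parse as int; special values (*NONE, *NOMAX) give default."""
    return int(value) if value.isdigit() else default

# (checklist item, system value, test that is True when the setting is weak, note)
RULES = [
    ("2", "QSECURITY", lambda v: _num(v) < 30, "resource security needs level 30 or 40"),
    ("4c", "QPWDEXPITV", lambda v: v == "*NOMAX", "passwords never expire"),
    ("4e", "QMAXSIGN", lambda v: v == "*NOMAX", "no limit on invalid sign-on attempts"),
    ("6", "QLMTDEVSSN", lambda v: v != "1", "users may hold several sessions"),
    ("8a", "QPWDMINLEN", lambda v: _num(v) < MIN_PWD_LEN, "length below assumed policy"),
    ("8d", "QPWDLMTREP", lambda v: v == "0", "repeated characters allowed"),
    ("8e", "QPWDRQDDGT", lambda v: v == "0", "no digit required"),
    ("8f", "QPWDRQDDIF", lambda v: v == "0", "password reuse not prevented"),
    ("9", "QINACTITV", lambda v: v == "*NONE", "no inactivity time-out"),
    ("9", "QINACTMSGQ", lambda v: v != "*ENDJOB", "inactive jobs are not ended"),
    ("10", "QAUDLVL", lambda v: v == "*NONE", "security auditing not active"),
]

def audit_sysvals(sysvals):
    """Return (item, name, value, note) for each checklist rule the snapshot fails."""
    findings = []
    for item, name, is_weak, note in RULES:
        value = sysvals.get(name, "*MISSING")  # a value not captured is itself a finding
        if value == "*MISSING" or is_weak(value):
            findings.append((item, name, value, note))
    return findings

if __name__ == "__main__":
    for item, name, value, note in audit_sysvals(SAMPLE_SYSVALS):
        print(f"item {item}: {name}={value} -> {note}")
```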

Audit Journals

10. Has the security audit function been activated?
This feature provides for logging of the following events in the security auditing journal: programs that use restricted instructions; all programs that access objects using unsupported interfaces; save and restore information; authorization failures; deleted objects; and security related functions. It is very easily enabled by setting system variable QAUDLVL. Default is *NONE. (Reference AS/400 Security Concepts and Planning) These security auditing records are assigned a two-character entry type identifying the nature of the event that was logged. Thus, query software can produce reports by type.
a. How long are the history logs and security auditing journal retained?
b. Are reports produced analyzing the security auditing journal?
Y/N c. Does the security officer review the history log or the auditing journal on a regular basis for attempted sign-on violations and object access violations?
History log messages in the CPF2200 range indicate authorization failures. The security auditing journal (QAUDJRN), if option *AUTFAIL is elected, includes messages with type AF (authority failure) and PW (user ID and password errors).

COMMENTS
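An added example of the review described in item 10c, not code from the original page: it tallies PW and AF entries from a constructed journal export and picks out CPF2200-range history log messages; the export layout and the sample records are assumptions, while the entry types and message range come from the checklist.

```python
# Added example (not from the original page): summarise the evidence that item
# 10c asks the security officer to review. Input is a constructed export of
# QAUDJRN entries as "type,timestamp,user,job,detail" lines (an assumed layout,
# not the real DSPJRN outfile record) plus constructed history log messages.
# Entry types AF and PW and the CPF2200 range come from the checklist.
from collections import Counter

SAMPLE_JOURNAL = """\
PW,1997-03-04-08.01.10,JSMITH,QPADEV0001,password not valid
PW,1997-03-04-08.01.25,JSMITH,QPADEV0001,password not valid
PW,1997-03-04-08.01.40,JSMITH,QPADEV0001,password not valid
AF,1997-03-04-09.15.02,TEMP01,QPADEV0007,PAYROLL/EMPMAST
CP,1997-03-04-10.00.00,QSECOFR,QPADEV0002,user profile changed
AF,1997-03-04-11.30.45,TEMP01,QPADEV0007,PAYROLL/EMPMAST
"""

SAMPLE_HISTORY = [  # (message ID, text) pairs; texts are constructed
    ("CPF2207", "Not authorized to use object EMPMAST in library PAYROLL."),
    ("CPF1124", "Job 123456/JSMITH/QPADEV0001 started."),
    ("CPF2204", "User profile GUEST not found."),
]

def parse_journal(text):
    """Split exported journal lines into (type, timestamp, user, job, detail) tuples."""
    return [tuple(line.split(",", 4)) for line in text.splitlines() if line.strip()]

def sign_on_failures(entries, qmaxsign):
    """Users whose PW (password/user ID error) entries reach the QMAXSIGN limit."""
    counts = Counter(e[2] for e in entries if e[0] == "PW")
    return {user: n for user, n in counts.items() if n >= qmaxsign}

def object_access_failures(entries):
    """AF (authority failure) entries counted per (user, object) so repeats stand out."""
    return Counter((e[2], e[4]) for e in entries if e[0] == "AF")

def authorization_messages(history):
    """History log messages in the CPF2200 range, which indicate authorization failures."""
    return [(mid, text) for mid, text in history if mid.startswith("CPF22")]

if __name__ == "__main__":
    entries = parse_journal(SAMPLE_JOURNAL)
    print("sign-on limit reached:", sign_on_failures(entries, qmaxsign=3))
    print("object access failures:", dict(object_access_failures(entries)))
    print("history log authorization messages:", authorization_messages(SAMPLE_HISTORY))
```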

Y/N 11. Have the dedicated service tools (DST) passwords been modified since system installation?
Dedicated Service Tools (DST) is a group of service functions used to service the system when the operating system is not running. If these passwords are not changed, it may be possible to gain access to DST. Under DST, the security officer password can be reset to the default; therefore, it is desirable to limit the people who are capable of running DST by changing the DST passwords. DST can be brought up only with the keyswitch in the manual position, during an attended IPL.

COMMENTS

Y/N 12. Has the “operating system install security” been changed to a secure level?
Establishing this security prevents a user with basic authority for DST from installing the operating system. See Chapter 8 of AS/400 Programming: Security Concepts and Planning.

