By Rich Loeber
A few years ago, when I passed the age when I thought I might live forever and started maturing (a little), I decided that it would be a good idea to go see my doctor once a year for an annual checkup. It was paid for by insurance and there was just no good reason not to go. That first checkup (after many years of neglect, I might add) turned out OK. The doctor told me a few things that I already knew (loose weight, get more exercise) and generally thought that I was doing OK.
After that first checkup, I got the annual appointment into my schedule and started going faithfully. Then, after we moved up to the mountains of Northern New York, the doctor at our new home came back with a different response to my checkup. He saw some things that didn't look right and wanted to schedule some additional tests. To make a long story short, he found a blocked cardiac artery and we were able to deal with it well before the onset of a heart attack.
What, you ask, does this have to do with computer security on your IBM i system? Just this .... you need to do a full system checkup at least once a year just to see if there are any surprises. I have done dozens of these checkups over the years on systems under my responsibility and I ALWAYS find something that needs attention. If you're responsible for system security, you need to do this, and year end is a good time to be thinking about it. Nobody gets much work done during the last couple of weeks of the year and it's a good time to go tinkering around in your system.
So, what should you include in your checkup? Here's a list of things to start with. It is by no means comprehensive but will probably get you started and lead you into the areas where you need to be concerned:
Check the security settings in your system values using the Print System Security Attributes [PRTSYSSECA] command and reconcile differences on your system from the recommended settings.
List the user profiles on your system and check for employees who have left or changed their job assignment.
Create a database of your user profiles using the DSPUSRPRF command with the *OUTFILE option, then run a series of query reports to search for expired passwords, profiles with *ALLOBJ authority, and so on as appropriate for your installation.
Run the Security Wizard in the IBM i Navigator (Or Access Client Solutsion) and check any differences on your system from the recommendations suggested.
Using the user profile database already created, list your user profiles by group to make sure that the groups are set up as you expect to see them.
Create a database of all *FILE objects on your system using the DSPOBJD command with the *OUTFILE option. Then generate a report using your favorite query tool of new files created since your last audit and make sure that security on these new objects complies with established policies.
Run the Analyze Default Passwords [ANZDFTPWD] command to make sure that no default passwords exist on your system.
Check *FILE objects on your system with *PUBLIC access authority using the Print Publicly Auth Objects [PRTPUBAUT] command. Make sure that the objects with public access all comply with established policies.
Go to the SECTOOLS menu and see if any of the options available can be of specific help to your audit efforts.
Review your backup process and offsite storage arrangements. Do a physical inspection of the offsite location and make sure you can quickly and easily identify and retrieve backup sets.
Due to space constraints, this is not a comprehensive list but is intended to get you started on the audit process. As you go through it, document both what you are doing and your findings. That way, when next year end rolls around, you'll be better prepared for the process and you'll have a baseline to compare your results with. Good luck, and I hope you don't find any clogged arteries!
If you have any questions about this topic, you can reach me at rich at kisco.com, I'll give it my best shot. All email messages will be answered.