Monitoring IBM i system values

System values are so critical to how a system operates that keeping an inventory of their authorized settings should be an important part of your security plan.

To do this manually, run a complete listing of the current system values using the Work with System Value (WRKSYSVAL) command with the output parameter directed to a print spool file. This report will show you all of the system values on your system along with the current value, the value as it was shipped from the factory and a description of the value. Keep this file for future reference.

While you're at it, take a look at those values that are different from the factory defaults on your system and make sure you understand why the changes have been made. Those system values that are different are identified by a > character on the report between the system value and the current value setting.

System Values in Nav:

SYSTEM_VALUE_INFO in IBM i SQL services

The SYSTEM_VALUE_INFO view (in Work Management Services) is a list of all current system values:

SELECT * FROM QSYS2.SYSTEM_VALUE_INFO

Use WHERE to limit the results. Here we want to see system values that set various maximums:

SELECT * FROM QSYS2.SYSTEM_VALUE_INFO WHERE SYSTEM_VALUE_NAME LIKE '%MAX%'

It's good practive to monitor changes to any system value, but particularly important for items related to security.

Here is a list of all IBM i security system values

Here is a sample query to check out password values:

SELECT * FROM QSYS2.SYSTEM_VALUE_INFO WHERE SYSTEM_VALUE_NAME LIKE '%QPWD%'

Our iEventMonitor product watches system values in real time and send alerts according to rules that you configure. iSecMap automates IBM i security audit and reports on changes to system values among many other parameters.