Download - Index of

More documents

Recommendations

Info

user signs on. Program name: specify the name oj the program called. If you log onto a system and you get trapped in the INITIAL PROGRAM you can use the ATTN key to break out. Then using LMTCPB (Limited Capability) parameter you can look for the profiles with the values: *PARTIAL: the initial program and current library values cannot be changed on the sign-on display. But you can change the menu value and you can run commands from the command line oj a menu. *NONE: you can change the program values in your own user profile with the CHGPRF command. If you want to list all libraries on the system, run the command: DSPOBJD OBJ (QSYSI*ALL) OBJTYPE (*LIB) DETAIL (*FULL) If you want to see the contents of any library use: DSPLIB (library name) If you want to know the object authority for a library use: SPOBJAUT OBJ (QSYSllibrary name) OBJ TYPE (*LIB) If you want to know system and user library lists use: DSPSYSVAL (QSYSLIBL) and DSPSYSVAL (QUSRLBL) If you want to know the object authorities of all the security related commands you can use: DSPOBJAUT (QSYS / command) (*CMD) Some of the most important commands are: CRTUSRPRF: create user profile CHGUSRPRF: change user profile DLTUSRPRF: delete user profile If you do not find *EXCLUDE in your authority it is great!! You can use all those commands. Some objects may be protected via authorization lists (as in the old S/36). If you want to know all the authorization lists use: DSPOBJD OBJ (QYSI*ALL) OBJTYPE (*AUTL) And if you want to know the users on each authorization list use: DSPAUTL (n ame oj list) If you want to know the authorities of a specific file or program you should use: DSPOBJAUT (name oJfile) (*FlLE) Jo r files DSPOBJAUT (name oj program) (*PGM) for programs Logs Sometimes the machines are processing too much information and they are a little bit low on hard disk space. The first thing a System Administrator will do is to disable the logs. If you want to extract the history log records relating to security profile changes (to see if your unauthorized activities were logged), use the DSPLOG command: Message ID CPC2I9I isJor deleting a user profile Message ID CPC2204 is Jo r user profile creators Message ID CPC2205 is Jo r changing a user profile OS/400 Release 2 It keeps the security structure levels (1O, 20, 30) as in Release 1 but there are other system values related to security. For example: QA UTOVRT: controls the automatic creation oj virtual device descriptions. QINACTIV: controls the interval in minutes that a workstation is inactive beJore a message is sent to a message queue or that the job at the workstation is automatically ended. Possible values are: *NONE: no time-out validation. '5'- '300 ': specify the intervalJor timeout (in minutes) I am sad to say that Release 2 has also introduced measures to control the user's terminal. For example, to prevent users from having multiple sessions with a single user profile, it is possible to restrict users with * ALLJOB to particular terminals and it enforces a time-out if the terminal is inactive for an extended period: QLMTDEVSSN: controls concurrent device session. Possible values are: 0: a user can sign on at more than one terminal. 1: a user cannot sign on at more than one terminal. But the worst of Release 2 is that it has enhanced the password politics. Let's see it in detail: QPWDDEXPITV: controls the maximum number oj days that a password is valid, that is to say the change frequency. Possible values are: Page 24 2600 Magazine Summer 1995
*NOMAX: the system allows an unlimited number of days. '1 ' - '366 ': a value between 1 and 366 may be specified. QPWDLMTAJC: limits if digits can be next to each other in a new password. Possible values are: '0 ': adjacent numeric digits are allowed in passwords. '1 ': adjacent numeric digits are not allowed in passwords. QPWDLMTCHR: limits the characters that cannot be in a new password. Possible values are: *NONE: there are no restricted characters. character string: up to 10 specific characters may be disallowed. QPWDLMTREP: limits repeating characters in a new password. Possible values are: '0 ': characters can be repeated. '1 ': characters cannot be repeated more than once. PWDMINLEN: controls the minimum number of characters in a password. Possible values may be from 1 to 10. QPWDMAXLEN: controls the maximum number of characters in a password. Possible values may be from 1 to 10. QPWDPOSDIF: controls if each position in a new password must be different fro m the old password. QPWDRQDDGT: controls if a new password is required to have a digit. Possible values are: '0 ': digits are not required in new passwords. '1 ': one or more digits are required in new passwords. QPWDRQDDIF: specifies if the password must be different than the 32 previous passwords. Possible values are: '0 ': can be the same as the previous ones. '1 ': password must not be the same as the previous 32. QPWDVLDPGM: specifies the name of the user-written password approval program. Possible values are: *NONE: no program is used. Program-name: specifY the name of the validation program. Logs If you want to look at the logs, use the command: DSPLOG LOG (QHST) PERIOD ((starttime start-date) (end-time end-date)) MSGID (m essage-identified) OUTP UT (*PRINT). Example of the time and date: ((0000 941229) (0000 941230). The date fo rmat depends on the value of QDATFMT and it may be MMDDYY, DDMMYY or YYMMDD. Messages Identification CPF2207 CPF2216 CPF2228 CPF2234 CPF2269 CPF2294 CPF2295 CPF2296 CPF2297 CPF22A6 CPF22B9 Explanation Not authorized to use object in library. Not authorized to use library. Not authorized to change profile. Password not correct. Sp ecial authority *ALLOBJ required when granting ·SECADM. Initial program value may not be changed. Initial menu value may not be changed. Attention program may not be changed. Current library value may not be changed. User creating an authorization list must have *ADD authority to his user profile. Not authorized to change authorities in authority list. OS/400 Release 3 really do not have experience with this release. This is all the information I was able to collect. We have seen that the verification of the security on the AS/400 is built in at the microcode level. So, it could be bypassed by programs developed in Assembler, C, or even Pascal or with the OST as we have seen. This loophole was removed with the introduction of level 40 security in Release 3 of OS/400. It has also introduced an audit log that contains information about security related events. I do not know more about this release yet. Summer 1995 2600 Magazine Page 25
Page 2 and 3: STAFF Editor-In-Chief Emmanuel Gold
Page 4 and 5: the bernie s. saga It's almost a gi
Page 6 and 7: PIONEERING NEW ANTIVIRAL TECHNOLOGI
Page 8 and 9: PC programs. It's that simple. In t
Page 10 and 11: y Commander Crash So you have this
Page 12 and 13: are all available presently at your
Page 14 and 15: Going back to the main featurelflaw
Page 16 and 17: citibank atm fun by Ice of Spides A
Page 18 and 19: y Mr. Galaxy I run a BBS in Atlanta
Page 20 and 21: I v E by Ray Nonte A call diverter
Page 22 and 23: y Mantis King The AS/400 is widely
Page 26 and 27: I'rom astro.oo1s.temple.edulneltzer
Page 28 and 29: Privacy Concern Dear 2600: Regardin
Page 30 and 31: For clandestine purposes, of course
Page 32 and 33: products which are often inoperable
Page 34 and 35: ly. We ll, NYNEX d�cided they wou
Page 36 and 37: The Scout utilizes an internal NiCa
Page 38 and 39: noteworthy feature is its ability t
Page 40 and 41: wrote a script in Qmodem's script l
Page 42 and 43: Coping \vith Cable Denial 2: by Pro
Page 44 and 45: A). It is a circuit board with a sm
Page 46 and 47: neighborhoods for signal leakage. I
Page 48 and 49: wire. Only $29, 2 kits for $55, 4 f
Page 50 and 51: icy of not doublechecking. Now NYNE
Page 52 and 53: COMMUNICATIONS 802 (1952) VERMONT 5
Page 54: lAST CHANCE NO, WE 'RE NOT RAISING

Download - Index of

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?