Admin Alert: Giving Auditors What They Want
Published: August 27, 2008
by Joe Hertvik
Many i5/OS administrators hate system audits the way dental patients hate getting their teeth filled: they despise it with all their might, but realize the process might be somewhat healthy and beneficial for their system. This week, I'm going to look at some common system auditor requests for i5/OS configurations and show you how to retrieve that information from a Power i, System i, iSeries, or AS/400 machine.
Your auditor may request a list of all users who use default passwords. Default passwords occur when the user's password is the same as his or her user ID name (i.e., user JOE signs on with the password "JOE"). These passwords are fairly common, because the operating system will assign a default password to any new user ID it creates. For an explanation of the mechanics of default passwords, check out these articles on how default passwords are created and how to change your system to eliminate default passwords.
Default passwords can be controversial because they may be needed under particular circumstances. They can be fairly common in warehouses with a workforce in flux, because it's more difficult to keep up with expired passwords and implement password changes when signing on to a scanner. However, default passwords are also massive security risks because it's easy for hackers or co-workers to sign on using another person's identity and authorities. All of these concerns are why auditors search for them.
To list all users with default passwords, run the Analyze Default Passwords (ANZDFTPWD) command.
ANZDFTPWD creates a QPSECPWD spooled file that lists all the default password users on your system. ANZDFTPWD also has other uses. It can disable all default password user profiles on your system and it can also be used to expire all default passwords. To learn about ANZDFTPWD's other configurations, read this article on dealing with default passwords.
The other cool thing about ANZDFTPWD is that it produces a physical file containing all the information from its QPSECPWD listing. Whenever you run ANZDFTPWD, a complete list of all user profiles with default passwords is copied into the QASECPWD file in the QUSRSYS library. This file can be read by other programs or by an SQL query to gather more information.
Password Configuration Parameter Snapshots
Sometimes an auditor will ask for a snapshot of all of your system's password configuration parameters. This can easily be done with iSeries Navigator (OpsNav). Here are five easy steps for gathering i5/OS password parameters into a single Word document.
- Open a Microsoft Word document.
- Open OpsNav on your PC and follow the Security→Policies→Password Policy node for your target partition. This will show you the Password Policies Properties screen for that partition. This screen has three tabs for General, Validation, and Expiration policies.
- Click on the General tab on the Password Policies Properties window. This shows the system password level being used by your partition. Press the Alt+PrtSc keystroke combination to copy the entire General Password Policies properties window into your Windows clipboard. Alt+PrtSc is handy to use in situations like this because it only copies the window that you are currently working on. It doesn't copy any other background windows that may also be open on your system, the way using the PrtSc key by itself will.
- Go back to Microsoft Word and paste the Password Policies Properties screen from the Windows clipboard into your Word document.
- Repeat steps 3 and 4, copying the Validation and Expiration Policies windows from OpsNav into your Word document. When all three screens have been copied, save the file and either print it or email it to the auditor.
Querying User Profiles
Your auditors will also be interested in whatever non-essential special authorities are assigned to your user profiles. The easiest way to retrieve and print that information is by creating a user profile information file (UPIF). A UPIF is created as an output from the Display User Profile command (DSPUSRPRF), and it can contain user profile information for an individual user, a set of users, or all users on your system.
UPIFs are easy to build. To create a UPIF file containing user profile information for all users on a system, run the following DSPUSRPRF command.
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE)
Once this file is created, you can easily extract any user profile information that the auditor requests. In my experience, auditors are usually interested in any user profile that has one of the following user classes or special authorities.
- User class *SECOFR (Security Officer) or *PGMR (Programmer)
- All Objects (*ALLOBJ) or Security Administrator (*SECADM) special authorities
- Users who have command line authority
To retrieve this information from a recently created UPIF, you can either write a special program to read the file, or link the UPIF into a Microsoft Access database and run one of the following three SQL statements to get the information:
1. Run this statement to get all user profiles with a user class equal to *SECOFR or *PGMR.
SELECT * FROM LIB/FILENAME WHERE UPUSCL = '*SECOFR' OR UPUSCL = '*PGMR'
The UPUSCL field in this statement is the column that contains the user class for each user profile record.
2. To retrieve all user profile records that contain *ALLOBJ or *SECADM authority in their profiles, run this SQL statement.
SELECT * FROM LIB/FILENAME WHERE UPSPAU LIKE '%ALLOBJ%' OR UPSPAU LIKE '%SECADM%'
The UPSPAU field is a list variable that contains all the special authority settings for the user profile.
3. To capture all the user records that have command line authority on the system, run this SQL statement.
SELECT * FROM LIB/FILENAME WHERE UPLTCP = '*NO'
The UPLTCP field contains a simple *YES or *NO value that designates whether or not command line authority should be denied for each user.
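The three queries above can also be run outside Access once the UPIF has been exported. The Python script below is an added example written for this article, not the author's code: it reads a constructed CSV export of the UPIF (the UPUSCL, UPSPAU and UPLTCP fields are the ones queried above; the UPUPRF profile-name column is an assumption), applies the same three checks, and can optionally also flag profiles with LMTCPB(*PARTIAL). That value restricts the initial program, current library and attention program but still permits command entry, so an auditor asking about command line authority may want those profiles listed as well, even though the third query above selects only *NO.

```python
"""Added example (not from the article): apply the three UPIF audit checks
to user-profile records exported from a DSPUSRPRF TYPE(*BASIC) outfile."""
import csv
import io

# Constructed sample export. UPUSCL, UPSPAU and UPLTCP are the outfile fields
# the article queries; UPUPRF (profile name) is assumed here. UPSPAU is one
# field holding every special authority separated by blanks, which is why the
# article's SQL uses LIKE '%ALLOBJ%' rather than an equality test.
SAMPLE_UPIF_CSV = """UPUPRF,UPUSCL,UPSPAU,UPLTCP
QSECOFR,*SECOFR,*ALLOBJ *SECADM *JOBCTL *SAVSYS *SPLCTL *SERVICE *AUDIT *IOSYSCFG,*NO
JOE,*USER,,*YES
WHSE01,*USER,,*YES
DEVMARY,*PGMR,*JOBCTL,*NO
OPSBOB,*SYSOPR,*ALLOBJ *JOBCTL *SAVSYS,*PARTIAL
HELPDESK,*USER,*SECADM,*NO
"""

PRIVILEGED_CLASSES = {"*SECOFR", "*PGMR"}                # first query
PRIVILEGED_SPECIAL_AUTHORITIES = {"*ALLOBJ", "*SECADM"}  # second query


def load_upif(csv_text):
    """Parse the exported UPIF into a list of dicts keyed by field name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def special_authorities(record):
    """Split the blank-separated UPSPAU list into a set of authority names."""
    return set(record["UPSPAU"].split())


def has_privileged_class(record):
    """Equivalent of: UPUSCL = '*SECOFR' OR UPUSCL = '*PGMR'."""
    return record["UPUSCL"] in PRIVILEGED_CLASSES


def has_privileged_special_authority(record):
    """Equivalent of: UPSPAU LIKE '%ALLOBJ%' OR UPSPAU LIKE '%SECADM%'."""
    return bool(special_authorities(record) & PRIVILEGED_SPECIAL_AUTHORITIES)


def has_command_line(record, include_partial=False):
    """UPLTCP = '*NO' reproduces the article's third query. LMTCPB(*PARTIAL)
    also allows commands from the command line (it only blocks changes to the
    initial program, current library and attention program), so the caller
    can choose to include those profiles too."""
    allowed = {"*NO", "*PARTIAL"} if include_partial else {"*NO"}
    return record["UPLTCP"] in allowed


def audit(records, include_partial=False):
    """Return the profile names matching each of the three audit queries."""
    return {
        "privileged_class": [
            r["UPUPRF"] for r in records if has_privileged_class(r)
        ],
        "privileged_special_authority": [
            r["UPUPRF"] for r in records if has_privileged_special_authority(r)
        ],
        "command_line": [
            r["UPUPRF"] for r in records if has_command_line(r, include_partial)
        ],
    }


def format_report(findings):
    """Render the findings as the kind of list an auditor asks for."""
    lines = []
    for check, profiles in findings.items():
        names = ", ".join(profiles) if profiles else "(none)"
        lines.append(f"{check}: {names}")
    return "\n".join(lines)


if __name__ == "__main__":
    upif = load_upif(SAMPLE_UPIF_CSV)
    print(format_report(audit(upif)))
    print("--- including LMTCPB(*PARTIAL) ---")
    print(format_report(audit(upif, include_partial=True)))
```

Run against a real export, the only change needed is reading the CSV from a file instead of the constructed string; the field names come straight from the DSPFFD field map described below.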
The hardest part of using the UPIF is determining which fields in the file represent which parts of a user profile. The simplest way of retrieving field information is to print out a UPIF field map by running the following Display File Field Description (DSPFFD) command.
DSPFFD FILE(LIB/FILENAME) OUTPUT(*PRINT)
As you can see, a UPIF is incredibly valuable to have during a system audit. It can also be recreated anytime by simply running the DSPUSRPRF command listed above. For more information about UPIFs, see this article on the Joys of Creating User Profile Information Files.
Retrieving Authorities for Certain Commands
In addition to requesting information about user profiles, the auditors may be interested in discovering which users have access to critical system commands for working on jobs or the i5/OS job scheduler, including:
- Submit Job command (SBMJOB)
- Release Job command (RLSJOB)
- Change Job command (CHGJOB)
- Add Job Schedule Entry (ADDJOBSCDE) command
All of these commands affect who can run or manipulate jobs on the system, and the auditors will want to see which non-essential users are able to run them. You can print out the list of authorized users and their authority to any particular i5/OS command by running the following Display Object Authority (DSPOBJAUT) command, substituting the command's name for command_name.
DSPOBJAUT OBJ(command_name) OBJTYPE(*CMD) OUTPUT(*PRINT)
Auditors Want It All...And More
If one thing's certain with auditors, no matter what you give them, they'll want more. But if you know where to look for your information, it will make it easier to update that information when the auditors request changes.
Dealing with Default OS/400 Passwords
Getting Around System i Default Passwords, Part 1
Getting Around System i Default Passwords, Part 2
The Joys of Creating User Profile Information Files