Volume 5, Number 4 -- January 25, 2005

CXL Debuts iSeries Security Reporting Tool

by Alex Woodie

English developer CXL unveiled a new software utility this month called AZScan that tells users how security settings have been configured on their OS/400, Unix, or OpenVMS midrange systems. In addition to revealing what the actual security settings are, the sub-$500, PC-based AZScan also provides an explanation of settings and recommends ways to make them more secure.

AZScan is actually three products in one, and a license to AZScan gives users the right to run security scans with any of the individual products, which include AScan (OS/400 V4R4 and later), VScan (for HP/DEC Alpha/VAX systems), and UScan (for 75 different Unix variants). OS/400 shops that don't need the other two products can just ignore them.

The AZScan products are intended to be used periodically, to gauge the relative strength or weakness of a server's security settings. Each time an AZScan product is used, it generates a report that tells users the exact state of their security settings for the particular operating system, explains each setting, and recommends how to improve it.

Two different types of reports are provided for each product. The zipped Word file and HTML files are basically identical and provide detailed information about every security setting, whereas the "heat map" report generates a numeric score based on how the server rated in the various areas, which are weighted according to the risk they can pose to security.

The HTML and Word reports make liberal use of color-coding that tells administrators which areas of the system are at low, medium, and high risk. For example, if the system is set to disable a user profile after five unsuccessful sign-in attempts, the report will highlight this setting in yellow, for medium risk, and recommend that the administrator lower this number to three unsuccessful sign-in attempts before disabling the user profile. There are also numerous charts and graphs for various security-related settings, such as the distribution of authorities among user profiles, the number of days required between password resets, and so forth.

The AScan component checks 53 different security-related settings in OS/400. These are broken down into eight main areas: system, auditing, system passwords, users, sign-on controls, special authorities, groups, and user passwords. Explanations and recommendations are provided for each of the settings. The UScan component checks 74 security settings on all major (and many minor) Unix operating systems, and VScan checks 89 settings on OpenVMS Versions 7.1 through 7.3.

Setting up AScan to run is a matter of copying two files, the System Profile file and the User Profile file, from an OS/400 server onto the PC equipped with AScan. (The techniques for other operating systems are similar.) Both of these files can be generated using fairly simple commands provided by the vendor. Setup and use of the AScan, VScan, and UScan products are handled through a fourth component of AZScan, called the Controller.

Proficient administrators can get the same information gathered by AZScan without spending any money. But AZScan does the grunt work of gathering the data into a single report, and does a good job of generating colorful and insightful reports that are easier to digest, particularly for auditors who may be unfamiliar with the system.

CXL developed AZScan to run on Windows PCs, as opposed to running directly on the host systems, to minimize the impact on the monitored system, says David Robinson, CXL's chief executive. "The main idea behind the tool was to have something which was free standing and remote from the systems it was reviewing so that it could not crash a live system or even affect the performance," he says.

London-based CXL worked with a major U.S. investment firm and an OS/400 security software company in the development of AZScan, Robinson says. "Our aim has been to produce a simple to use product which will find your security issues, explain the implications of these problems, and recommend solutions. All this is done in the context of your security policy and the many regulatory conditions which are now imposed on business," he says.

Although pricing hasn't yet been nailed down, Robinson says a one-year license for AZScan will likely be about $440, with five free "runs," or reviews, which can be used with any of the three products. Additional runs can be bought at about $35 each, or less for bulk purchases. For more information and downloads, go to

Editor: Alex Woodie
Managing Editor: Shannon Pastore
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc. (formerly Midrange Server), 50 Park Terrace East, Suite 8F, New York, NY 10034