Admin Alert: Giving Auditors What They Want
August 27, 2008 Joe Hertvik
Many i5/OS administrators hate system audits the way dental patients hate getting their teeth filled: they despise it with all their might, but realize the process might be somewhat healthy and beneficial for their system. This week, I’m going to look at some common system auditor requests for i5/OS configurations and show you how to retrieve that information from a Power i, System i, iSeries, or AS/400 machine.
Your auditor may request a list of all users who use default passwords. Default passwords occur when the user’s password is the same as his or her user ID name (for example, user JOE signs on with the password “JOE”). These passwords are fairly common, because the operating system will assign a default password to any new user ID it creates. For an explanation of the mechanics of default passwords, check out these articles on how default passwords are created and how to change your system to eliminate default passwords.
Default passwords can be controversial because they may be needed under particular circumstances. They can be fairly common in warehouses with a workforce in flux, because it’s more difficult to keep up with expired passwords and implement password changes when signing on to a scanner. However, default passwords are also massive security risks because it’s easy for hackers or co-workers to sign on using another person’s identity and authorities. All of these concerns are why auditors search for them.
To list all users with default passwords, run the following Analyze Default Passwords command (ANZDFTPWD).
ANZDFTPWD creates a QPSECPWD spooled file that lists all the default password users on your system. ANZDFTPWD also has other uses. It can disable all default password user profiles on your system and it can also be used to expire all default passwords. To learn about ANZDFTPWD’s other configurations, read this article on dealing with default passwords.
The other cool thing about ANZDFTPWD is that it produces a physical file containing all the information from its QPSECPWD listing. Whenever you run ANZDFTPWD, a complete list of all user profiles with default passwords is copied into the QASECPWD file in the QUSRSYS library. This file can be read in other programs or in an SQL query to gather more information.
Password Configuration Parameter Snapshots
Sometimes an auditor will ask for a snapshot of all of your system’s password configuration parameters. This can easily be done with iSeries Navigator (OpsNav). Here are five easy steps for gathering i5/OS password parameters into a single Word document.
Querying User Profiles
Your auditors will also be interested in whatever non-essential special authorities are assigned to your user profiles. The easiest way to retrieve and print that information is by creating a user profile information file (UPIF). A UPIF is created as an output from the Display User Profile command (DSPUSRPRF), and it can contain user profile information for an individual user, a set of users, or all users on your system.
UPIFs are easy to build. To create a UPIF file containing user profile information for all users on a system, run the following DSPUSRPRF command.
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(LIB/FILENAME)
Once this file is created, you can easily extract any user profile information that the auditor requests. In my experience, auditors are usually interested in any user profile that has one of the following user classes or special authorities.
To retrieve this information from a recently created UPIF, you can either write a special program to read the file, or link the UPIF into a Microsoft Access database and run one of the following three SQL statements to get the information:
1. Run this statement to get all user profiles with a user class equal to *SECOFR or *PGMR.
SELECT * FROM LIB/FILENAME WHERE UPUSCL = '*SECOFR' OR UPUSCL = '*PGMR'
The UPUSCL field in this statement contains the user class for each user profile record.
2. To retrieve all user profile records that contain *ALLOBJ or *SECADM authority in their profiles, run this SQL statement.
SELECT * FROM LIB/FILENAME WHERE UPSPAU LIKE '%ALLOBJ%' OR UPSPAU LIKE '%SECADM%'
The UPSPAU field is a list variable that contains all the special authority settings for the user profile.
3. To capture all the user records that have command line authority on the system, run this SQL statement.
SELECT * FROM LIB/FILENAME WHERE UPLTCP = '*NO'
The UPLTCP field contains a simple *YES or *NO value that designates whether or not command line authority should be denied for each user.
The hardest part of using the UPIF is determining which fields in the file represent which parts of a user profile. The simplest way of retrieving field information is to print out a UPIF field map by running the following Display File Field Description (DSPFFD) command.
DSPFFD FILE(LIB/FILENAME) OUTPUT(*PRINT)
As you can see, a UPIF is incredibly valuable to have during a system audit. It can also be recreated anytime by simply running the DSPUSRPRF command listed above. For more information about UPIFs, see this article on the Joys of Creating User Profile Information Files.
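An added example, not from the original article: the three queries above evaluated in one pass over a constructed UPIF sample, using Python's sqlite3 in place of Access, and cross-referenced with a constructed list of default-password profiles. The UPUPRF column name, the sample rows, and the finding labels are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for a DSPUSRPRF TYPE(*BASIC) outfile.
# UPUSCL, UPSPAU and UPLTCP are the fields the article names; UPUPRF
# (profile name) is an assumption to confirm against your DSPFFD listing.
SAMPLE_UPIF = [
    ("QSECOFR", "*SECOFR", "*ALLOBJ *SECADM *JOBCTL", "*NO"),
    ("JOE", "*PGMR", "*JOBCTL", "*NO"),
    ("WHSE01", "*USER", "*NONE", "*YES"),
    ("APPOWNER", "*USER", "*ALLOBJ", "*YES"),
    ("CLERK7", "*USER", "*NONE", "*NO"),
]
# Constructed stand-in for the profile names ANZDFTPWD reported.
SAMPLE_DEFAULT_PWD = {"WHSE01", "APPOWNER"}

# The article's three WHERE conditions, evaluated per profile in one pass.
AUDIT_SQL = """
SELECT UPUPRF,
       UPUSCL = '*SECOFR' OR UPUSCL = '*PGMR',
       UPSPAU LIKE '%ALLOBJ%' OR UPSPAU LIKE '%SECADM%',
       UPLTCP = '*NO'
FROM UPIF ORDER BY UPUPRF
"""
LABELS = ("privileged-class", "allobj-or-secadm", "command-line")


def audit_findings(upif_rows, default_pwd_profiles):
    """Return {profile: [findings]} for each profile with at least one finding."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UPIF (UPUPRF TEXT, UPUSCL TEXT, UPSPAU TEXT, UPLTCP TEXT)")
    db.executemany("INSERT INTO UPIF VALUES (?, ?, ?, ?)", upif_rows)
    report = {}
    for name, *flags in db.execute(AUDIT_SQL):
        findings = [label for label, hit in zip(LABELS, flags) if hit]
        if name in default_pwd_profiles:
            findings.append("default-password")
        if findings:
            report[name] = findings
    db.close()
    return report


def privileged_with_default_password(report):
    """Profiles that combine a default password with any other finding."""
    return sorted(p for p, f in report.items() if "default-password" in f and len(f) > 1)


if __name__ == "__main__":
    for profile, findings in audit_findings(SAMPLE_UPIF, SAMPLE_DEFAULT_PWD).items():
        print(f"{profile:10} {', '.join(findings)}")
```

Profiles returned by `privileged_with_default_password` are the ones to show the auditor first, since they pair an easily guessed password with elevated authority or command line access.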
Retrieving Authorities for Certain Commands
In addition to requesting information about user profiles, the auditors may be interested in discovering which users have access to critical system commands for working on jobs or the i5/OS job scheduler, including:
All of these commands affect who can run or manipulate jobs on the system, and the auditors will want to see which non-essential users are able to run them. You can print out the list of authorized users and their authority to any particular i5/OS command by running the following Display Object Authority (DSPOBJAUT) command.
DSPOBJAUT OBJ(command_line) OBJTYPE(*CMD) OUTPUT(*PRINT)
Auditors Want It All…And More
If one thing’s certain with auditors, it’s that no matter what you give them, they’ll want more. But if you know where to look for your information, it will be easier to update it when the auditors request changes.