Admin Alert: Locking Down i5/OS System Security Values
October 14, 2009 Joe Hertvik
This week, I’m demonstrating a technique for protecting your system security setup from unauthorized changes by other i5/OS administrative users. Introduced in i5/OS V5R2 and located inside System Service Tools (SST), an operating system setting lets you lock down security settings so that no user can change your preset i5/OS security scheme. Here’s how it works.
Why Lock Down Security Changes?
The main reason for locking down your security scheme is. . . well, security. Your iSeries, System i, or Power i box may reside in a regulated environment where only one or two security officer users are authorized to make system security changes. By using the Allow System Value Security Changes function inside SST, you can ensure that only one security officer user and a backup (if desired) can change your security setup. This can prevent a malicious insider who holds the proper authority from manipulating security values to allow unauthorized access.
By performing this configuration, you can be reasonably assured that your system security values are locked down and that only the designated security officers can change them. To lock down system security settings, perform the following steps.
How To Lock Down i5/OS System Security Values
Go into SST by executing the Start System Service Tools (STRSST) command. Enter your SST User ID and password when prompted. This brings you to the SST main screen.
Take option 7, Work with System Security. SST will then take you to the Work with System Security screen.
Although this screen contains three options for locking down i5/OS security configurations, today I’m focusing on option 1, Allow System Value Security Changes. This value is set to “1=Yes” by default, which allows users with the proper authority to change all i5/OS system values dealing with security. You can view and work with these values on the green screen by running the Work with System Values (WRKSYSVAL) command with the following parameter.
You can also view these values in iSeries Navigator (OpsNav). Unlike the green-screen, the security system values are not grouped in one place in OpsNav. They are located under different grouping names inside the Configuration and Service→System Values node. To view any individual security values, you first have to open up the system value group they belong to. For example, to view your system’s password security policies, click on the Configuration and Service→System Values→Password node and you will see the following screen.
It’s a simple matter to lock down system security values in SST by using the Work with System Security screen described above. To prevent anyone from changing security settings, all you have to do is change the Allow System Value Security Changes setting from “1=Yes” to “2=No” on the Work with System Security screen.
After this change, all security values will be locked down and no one will be able to change them. If someone tries to change a security value on the green screen, they will get the following message.
Locking down security values also blocks changes made through OpsNav. If I try to make the same password security change on the OpsNav Password System Values→Expiration screen, I’ll get the following message.
By locking down security, I can protect my security scheme from accidental or intentional security changes. When I need to make an actual security change, I can simply go back into SST and turn the Allow System Value Security Changes value back on again.
What Security Values Are Locked Down?
When you lock down system security value changes, no user will be able to change system values in the following categories.
Determining Whether Security Values Are Locked Down
If you are unable to change a system security value and you are not sure whether the Allow System Value Security Changes function is turned on or off in SST, IBM offers an easy way to check. Simply type the Display Security Attributes (DSPSECA) command on a green-screen command line, and the operating system will show you the following display, which lists all of the partition’s relevant security values.
This way, you can easily tell whether or not the security settings have been locked down.
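The SST lock stops anyone from changing the security-related system values, but it does not tell you whether those values still match the scheme you intended to protect. As an added example that is not part of this article, the following CL program (hypothetical name SECVALCHK) retrieves a few of the security-related system values with RTVSYSVAL, compares them against an assumed baseline, and reports any drift; the baseline values (QSECURITY 40, QMAXSIGN 3, QPWDEXPITV 90, QINACTITV 30) are assumptions chosen for illustration and should be replaced with your own policy values. It runs after the lock is in place as a simple sanity check alongside DSPSECA.

```cl
/* SECVALCHK - added example, not from the article.                */
/* Compares selected security-related system values against an    */
/* assumed baseline and reports drift with SNDPGMMSG. Baseline     */
/* values below are illustrative assumptions, not IBM defaults.    */
             PGM

             DCL        VAR(&QSECURITY)  TYPE(*CHAR) LEN(2)
             DCL        VAR(&QMAXSIGN)   TYPE(*CHAR) LEN(6)
             DCL        VAR(&QPWDEXPITV) TYPE(*CHAR) LEN(6)
             DCL        VAR(&QINACTITV)  TYPE(*CHAR) LEN(6)
             DCL        VAR(&DRIFT)      TYPE(*LGL)  VALUE('0')

             /* Retrieve the current values of the system values we care about */
             RTVSYSVAL  SYSVAL(QSECURITY)  RTNVAR(&QSECURITY)
             RTVSYSVAL  SYSVAL(QMAXSIGN)   RTNVAR(&QMAXSIGN)
             RTVSYSVAL  SYSVAL(QPWDEXPITV) RTNVAR(&QPWDEXPITV)
             RTVSYSVAL  SYSVAL(QINACTITV)  RTNVAR(&QINACTITV)

             /* Assumed baseline: security level 40 */
             IF         COND(&QSECURITY *NE '40') THEN(DO)
                SNDPGMMSG  MSG('QSECURITY is' *BCAT &QSECURITY *BCAT +
                               '(baseline 40)') MSGTYPE(*INFO) TOPGMQ(*EXT)
                CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

             /* Assumed baseline: 3 sign-on attempts before action is taken */
             IF         COND(&QMAXSIGN *NE '3') THEN(DO)
                SNDPGMMSG  MSG('QMAXSIGN is' *BCAT &QMAXSIGN *BCAT +
                               '(baseline 3)') MSGTYPE(*INFO) TOPGMQ(*EXT)
                CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

             /* Assumed baseline: passwords expire every 90 days */
             IF         COND(&QPWDEXPITV *NE '90') THEN(DO)
                SNDPGMMSG  MSG('QPWDEXPITV is' *BCAT &QPWDEXPITV *BCAT +
                               '(baseline 90)') MSGTYPE(*INFO) TOPGMQ(*EXT)
                CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

             /* Assumed baseline: inactive jobs time out after 30 minutes */
             IF         COND(&QINACTITV *NE '30') THEN(DO)
                SNDPGMMSG  MSG('QINACTITV is' *BCAT &QINACTITV *BCAT +
                               '(baseline 30)') MSGTYPE(*INFO) TOPGMQ(*EXT)
                CHGVAR     VAR(&DRIFT) VALUE('1')
             ENDDO

             /* Summarize; DSPSECA shows whether the SST lock is still in effect */
             IF         COND(&DRIFT) THEN(SNDPGMMSG +
                           MSG('Security system values differ from +
                                baseline - review DSPSECA and change history') +
                           MSGTYPE(*INFO) TOPGMQ(*EXT))
             ELSE       CMD(SNDPGMMSG MSG('Security system values match +
                                baseline') MSGTYPE(*INFO) TOPGMQ(*EXT))

             ENDPGM
```

Compile it with CRTCLPGM (or CRTBNDCL) into a library your security officers control, and call it after any SST session in which the lock was temporarily turned off, so that a value changed during that window does not go unnoticed. Because the SST lock only prevents changes, this kind of baseline comparison is the check that tells you the values you locked are still the values you meant to lock.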
About Our Testing Environment
All configurations described in this article were tested on an i5 box running i5/OS V5R4. We also used the iSeries Navigator product that comes with iSeries Access for Windows V5R4. This article has not been tested with the i 6.x operating system, but these techniques may also work with that operating system. The SST Allow System Value Security Change function is only available in i5/OS V5R2 and above.