CXL ©2008 CXL - AScan
| Report for | Demo |
| Company | |
| Business Unit | |
| Location | |
| System | . |
| Report name | c:\tbxnew-works\reports\myrepa.html |
| Report date | 24-Feb-2008 |
| RISKS | RESULTS |
| 1 | SYSSET | System settings |
| Risk |
| In this section we look at some of the basic system settings which affect the security of the system. |
| 1.1 | QSEC | Security level |
| This is the security level of the system, known as QSECURITY, and ranges from 10 to 50. Level 10 provides no security protection and is not supported by IBM. Level 50 is used for high security systems and is required for C2 certification. The system requires a password to sign-on and users must have authority to access objects and system resources. Level 40 is the preferred option. |
| Actions |
| Preferred 40, minimum 30 |
| Current setting: Level 40. The user must have an active user profile and password to sign-on. The user must have authority specifically granted to them if authority other than 'Public' authority for an object is required. This level provides operating system integrity checks and logging of foreign programs (e.g., 'viruses'), usage of unsupported interfaces, and restricted system instructions. Security-related exposures that surface at level 40 are usually attributed to lack of familiarity with the AS/400 security features or poor protection schemes that make security administration difficult. |
| 1.2 | QAUTOC | Auto configuration |
| This parameter should be set to off (0) during normal operation. It can be turned on (1) periodically to automatically configure new devices, but is reset to 'off' once the configuration process is complete. |
| Actions |
| Recommended value 0 |
| This is currently set to 1. |
| 1.3 | QAUTOVRT | Auto virtual |
| This value represents the maximum number of virtual devices that can be configured. With automatic configuration active, the actual threshold limit on invalid sign-on attempts ('QMAXSIGN') is increased by the multiple of the value specified in 'QAUTOVRT', to 500 (the default value). The invalid sign-on threshold for sessions using the AS/400 pass-through facility (e.g., personal computers or other AS/400s within the network) is automatically increased to 1500. Allowing automatic configuration of virtual devices on your system increases the likelihood of system break-in via pass-through. |
| Actions |
| Recommended value 0. Automatic virtual device configuration for pass-through sessions should either be eliminated or limited as appropriate. |
| This is currently set to 10. |
| 1.4 | QCRTAUT | Default public authority |
| Public authority is given to users who have no specific authority to an object - that is, those who have no specific authority granted for their user profiles, are not on an authorization list that supplies specific authority, or are not part of a group profile with specific authority. Standard values are *ALL, *CHANGE, *USE, or *EXCLUDE: |
| o *ALL The user can perform all operations on the object except those limited to the owner or controlled by authorization list management authority. |
| o *CHANGE The user can perform all operations on the object except those limited to the owner or controlled by object existence authority and object management authority. |
| o *USE The user can perform basic operations on the object (e.g., opening the file and reading the records, and executing the program). |
| o *EXCLUDE The user is specifically denied any access to the object. |
| For created objects, the value should be set system-wide to be *USE. If set inappropriately, changes to production objects could take place. |
| Actions |
| Recommended value *EXCLUDE. Verify that it has been changed from the default value of *CHANGE to a minimum of *EXCLUDE. |
| Correctly set to *EXCLUDE |
| 1.5 | QALWUD | Allow user domain |
| Indicates that all libraries on the system can contain 'user domain objects' (*USRSPC, *USRIDX, and *USRQ). |
| Actions |
| Recommended value *ALL |
| Correctly set to *ALL |
| 1.6 | QAOR | Allow object restore |
| Determines whether objects that are security-sensitive may be restored to your system. It can be used by individuals to prevent anyone from restoring a system state object or an object that adopts authority. |
| Actions |
| Recommended value *ALL |
| Correctly set to *ALL |
| 1.7 | QATNPGM | Attention program |
| This program runs when the Attention key is pressed. A malicious program could be inserted here. The Operational Assistant menu should appear when the attention key is pressed. |
| Actions |
| Recommended value *ASSIST |
| Correctly set to *ASSIST |
| 2 | SYSPWDS | System passwords |
| Risk |
| This section looks at the security around the password settings for all users defined by the system. Some of these parameters can be amended within each user's individual profile. |
| 2.1 | QPWDLVL | Password level |
| The password level of the system can be set to allow for user profile passwords from 1 through 10 characters or to allow for user profile passwords from 1 through 128 characters. There are four possible values: |
| 0 Short passwords using a limited character set. |
| 1 Short passwords using a limited character set. Disable AS/400 Netserver on Windows 95/98/ME. |
| 2 Long passwords using an unlimited character set. |
| 3 Long passwords using an unlimited character set. Disable AS/400 Netserver on Windows 95/98/ME. |
| Level 2 or 3 cannot be used if other systems are not using release V5R1M0 or above or are set to levels 0 or 1. |
| Actions |
| Consider very carefully before moving to level 2 or 3. Whilst these provide better security with longer passwords, network communication problems could result. |
| This is currently set to 0 (short passwords, limited character set). |
| 2.2 | QPWDEXPITV | Password expiration interval |
| This controls the number of days a password is valid and forces passwords to be changed after a given time interval. Users are notified seven days in advance of password expiration. You can set QPWDEXPITV to an expiration interval of between 1 and 366 days, or you can set it to *NOMAX, which specifies that passwords will never expire and users will not be forced to change their passwords. |
| Actions |
| Recommended value 30-90 days. The 'QPWDEXPITV' value should be set, at a minimum, to 90 days. At this value, the user is required to change their password every 90 days. Note: This control can be further tailored at the user level via the user profile parameter 'Password Expiration Interval' (PWDEXPITV). For powerful and sensitive user-ids, we recommend that this value should be set to 30 days. If there is no PWDEXPITV value specified for a user profile, the profile will use the QPWDEXPITV system value for its expiration properties. If a user profile has a PWDEXPITV parameter that is different from the QPWDEXPITV system value, the PWDEXPITV parameter will take precedence over QPWDEXPITV. |
| The password expiry interval for 'ordinary' users is 60 days and for 'system' users it is 30 days. This is correctly set to 60 days. |
| 2.3 | QPWDLMTAJC | Password limit adjacent digits |
| Adjacent digits are not allowed in passwords. Used to specify whether adjacent numeric characters are (0) or are not (1) allowed in a password. This option prevents users from using birthdays, telephone numbers, or a sequence of numbers as passwords. |
| Actions |
| Recommended value 1. |
| The value is currently set to 0. |
| 2.4 | QPWDLMTCHR | Password limit characters |
| Characters which are not valid on all international keyboards, such as the number sign (#), dollar sign ($), at sign (@), and underscore (_), are restricted. This option could also be used to prevent users from using specific characters, such as vowels, in a password. Restricting vowels prevents users from forming actual words for their passwords. |
| Actions |
| Recommended value #$@ or some commonly used characters |
| Currently set to *NONE - all characters are acceptable in passwords. |
| 2.5 | QPWDLMTREP | Password limit repetition |
| Repeating adjacent characters in passwords is not allowed. This limits repeating characters in a new password, thus eliminating the possibility of a user having passwords such as 11111, AAAAA, etc. |
| Actions |
| Recommended value 1. The 'QPWDLMTREP' value should be set to '1', so that the same character cannot be used more than once in a password. |
| Duplicate characters are allowed in passwords but not consecutively (e.g. 'ABABABAB' is allowed). |
| 2.6 | QPWDMINLEN | Password minimum length |
| This controls the minimum number of characters in a password, thus eliminating very short passwords that are more easily guessable. |
| Actions |
| Recommended value 6 or higher. The 'QPWDMINLEN' value should ideally be set at 6 to 8 characters for effective password control. |
| Correctly set to 6 characters. |
| 2.7 | QPWDMAXLEN | Password maximum length |
| Passwords cannot be longer than the specified number of characters. The default value is 8. |
| Actions |
| Recommended value 8 to 10. |
| Correctly set to 10 |
| 2.8 | QPWDPOSDIF | Password position different |
| A new password cannot have characters in the same position as the previous password. This prevents changing just one character from the previous password when a user changes the password. |
| Actions |
| Recommended value 1 |
| This is currently set to 0. |
| 2.9 | QPWDRQDDGT | Password does not require digits |
| Designates whether digits are required to be present in every password. It is a good idea to include digits somewhere in the password since this makes it more difficult to guess. |
| Actions |
| Recommended value 1 |
| Correctly set to 1 |
| 2.10 | QPWDRQDDIF | Password required to be different |
| New passwords are required to be different from previous passwords. |
| Actions |
| Recommended value: 1 to 5. This specifies that the new password must be different from between the 10 and 32 previous password values. The 'QPWDRQDDIF' value should be set to '1', thus requiring the new password value to be different from the previous values. |
| This is currently set to 7 and therefore only 6 previous passwords are checked for duplicates. |
| 2.11 | QPWDVLDPGM | Password validation program |
| A special password validation program can be used in addition to or in place of the standard AS/400 logic. If a program is used, it should not record user passwords or contain hard-coded passwords. |
| Actions |
| Recommended value *NONE |
| Correctly set to *NONE |
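As an added illustration, not part of the AScan report or of IBM's own validation code, the following Python applies the composition rules from 2.3 to 2.10 to candidate passwords under the settings the report records and under the settings it recommends. PasswordPolicy, validate, compare and the sample password history are constructed here; history depth is given directly as a count of previous passwords rather than as the QPWDRQDDIF code, and QPWDLMTREP uses IBM's meaning of the codes (1 = a character may not be used more than once, 2 = not twice in a row).

```python
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    """Password composition rules from section 2 of the report, keyed by system value.

    QPWDLMTREP follows the IBM meaning of the codes: 1 = a character may not
    appear more than once anywhere in the password, 2 = not twice in a row.
    history_depth is the number of previous passwords compared (the report maps
    QPWDRQDDIF=7 to 6 previous passwords); it is given directly here.
    """
    qpwdminlen: int = 6
    qpwdmaxlen: int = 10
    qpwdlmtajc: int = 1        # 1 = adjacent digits not allowed
    qpwdlmtchr: str = ""       # characters that may not appear; "" means *NONE
    qpwdlmtrep: int = 1        # 0 = any repeats, 1 = no repeated char, 2 = no consecutive repeat
    qpwdposdif: int = 1        # 1 = no char in the same position as the previous password
    qpwdrqddgt: int = 1        # 1 = at least one digit required
    history_depth: int = 6     # previous passwords checked for reuse


# Settings as the report records them (QPWDLMTAJC 0, QPWDLMTCHR *NONE, repeats
# allowed but not consecutively, QPWDPOSDIF 0, QPWDRQDDIF 7 -> 6 previous passwords).
REPORT_CURRENT = PasswordPolicy(qpwdlmtajc=0, qpwdlmtchr="", qpwdlmtrep=2,
                                qpwdposdif=0, history_depth=6)

# Settings as the report recommends (QPWDLMTAJC 1, QPWDLMTCHR '#$@', QPWDLMTREP 1,
# QPWDPOSDIF 1, QPWDRQDDIF 1 -> 32 previous passwords).
REPORT_RECOMMENDED = PasswordPolicy(qpwdlmtajc=1, qpwdlmtchr="#$@", qpwdlmtrep=1,
                                    qpwdposdif=1, history_depth=32)


def validate(candidate: str, history: List[str], policy: PasswordPolicy) -> List[str]:
    """Return the system values the candidate violates; an empty list means accepted.

    history is ordered most recent first, so history[0] is the password being replaced.
    At QPWDLVL 0 (the report's level) passwords are not case sensitive, so everything
    is upper-cased before comparison (assumption made for this example).
    """
    new = candidate.upper()
    previous = [h.upper() for h in history]
    failures: List[str] = []

    if len(new) < policy.qpwdminlen:
        failures.append("QPWDMINLEN")
    if len(new) > policy.qpwdmaxlen:
        failures.append("QPWDMAXLEN")
    if policy.qpwdrqddgt == 1 and not any(c.isdigit() for c in new):
        failures.append("QPWDRQDDGT")
    # Neighbouring character pairs drive both the adjacent-digit and repeat checks.
    pairs = list(zip(new, new[1:]))
    if policy.qpwdlmtajc == 1 and any(a.isdigit() and b.isdigit() for a, b in pairs):
        failures.append("QPWDLMTAJC")
    if policy.qpwdlmtchr and any(c in policy.qpwdlmtchr for c in new):
        failures.append("QPWDLMTCHR")
    if policy.qpwdlmtrep == 1 and len(set(new)) != len(new):
        failures.append("QPWDLMTREP")
    elif policy.qpwdlmtrep == 2 and any(a == b for a, b in pairs):
        failures.append("QPWDLMTREP")
    # The reuse check only looks back as far as the configured history depth.
    if new in previous[:policy.history_depth]:
        failures.append("QPWDRQDDIF")
    # The position check compares only against the password being replaced.
    if policy.qpwdposdif == 1 and previous and any(a == b for a, b in zip(new, previous[0])):
        failures.append("QPWDPOSDIF")
    return failures


# Constructed sample history, most recent first; the 7th entry is older than the
# 6 passwords the report's current QPWDRQDDIF setting compares against.
SAMPLE_HISTORY = ["QWERTY1", "ZXCVBN2", "ASDFGH3", "POIUYT4",
                  "LKJHGF5", "MNBVCX6", "QAZWSX7"]


def compare(candidate: str, history: List[str] = SAMPLE_HISTORY) -> dict:
    """Show how the same candidate fares under the current and recommended settings."""
    return {"current": validate(candidate, history, REPORT_CURRENT),
            "recommended": validate(candidate, history, REPORT_RECOMMENDED)}


if __name__ == "__main__":
    for pw in ["ABABAB12", "QAZWSX7", "A$B2C3D"]:
        print(pw, compare(pw))
```

The second sample shows the effect of the report's QPWDRQDDIF finding directly: a password last used seven changes ago is accepted when only six previous passwords are compared and rejected when 32 are.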
| 3 | USERS | Users |
| Risk |
| In this section we look at the individual user profiles and the various parameters which affect their security settings. |
| 3.1 | UCLASS | User Classes |
| Classes, other than *USER, give default special authorities to users. This can then give them access to system functions which are greater than they need. |
| Actions |
| Examine each user profile and ensure that they are correctly classified according to their job function. Most users should be set to *USER. Do not modify the IBM supplied profiles which begin with Q. |
| 3.2 | DISPROF | Users with disabled profiles |
| The users shown below have had their profiles disabled and cannot log onto the system. They may have left or changed jobs. |
| Actions |
| Consider deleting these users if they have not been on the system for a long time. Do not delete IBM supplied profiles beginning with Q. |
| 3.3 | CURLIB | Users current library |
| The current library is searched before the libraries in the user portion of the library list for any objects specified as *LIBL. If the user creates objects and specifies *CURLIB, the objects are put in the current library. The current library is automatically added to the user's library list when the user signs on. The user cannot change the current library if the Limit Capabilities field in the user profile is *YES or *PARTIAL. If objects are created using *CURLIB on a create command, the library QGPL is used as the default current library. |
| Actions |
| Examine each user's current library and ensure that the library is valid and appropriate for their work. |
| 3.4 | INLPGM | Users initial programs |
| You can specify the name of a program to call when a user signs on. This program runs before the initial menu, if any, is displayed. If the Limit Capabilities field in the user's profile is *YES or *PARTIAL, the user cannot specify an initial program on the Sign On display. Initial programs are used for two main purposes: |
| o To restrict a user to a specific set of functions. |
| o To perform some initial processing, such as opening files or establishing the library list. |
| The initial program is called only if the user's routing program is QCMD or QCL. Parameters cannot be passed to an initial program. If the initial program fails, the user is not able to sign on. |
| Actions |
| Examine each user's initial program and ensure that it is valid and appropriate for their work. |
| 3.5 | INLMNU | Users initial menu |
| You can specify the name of a menu to be shown when the user signs on. The initial menu is displayed after the user's initial program runs. The initial menu is called only if the user's routing program is QCMD or QCL. If you want the user to run only the initial program, you can specify *SIGNOFF for the initial menu. If the Limit capabilities field in the user's profile is *YES, the user cannot specify a different initial menu on the Sign On display. If a user is allowed to specify an initial menu on the Sign On display, the menu specified overrides the menu in the user profile. Values: |
| MAIN - The AS/400 system Main Menu is shown. |
| *SIGNOFF - The system signs off the user when the initial program completes. Use this to limit users to running a single program. |
| Actions |
| Examine the initial menu of each user and ensure that it exists and is appropriate for their work. |
| 3.6 | DSPSGNINF | Users display sign-on information |
| The Display Sign-on Information field specifies whether the Sign-on Information display is shown when the user signs on. It is useful to tell a user when their account was last used. Password expiration information is also shown if the password expires within seven days. Possible values are: |
| o *SYSVAL The QDSPSGNINF system value is used. |
| o *NO The Sign-on Information display is not shown when the user signs on. |
| o *YES The Sign-on Information display is shown when the user signs on. |
| Actions |
| Having all users see this display is recommended. Users with special authority or authority to critical objects should be encouraged to use the display to make sure no one attempts to use their profiles. |
| 3.7 | LMTCPB | Users limit capability |
| You can use the Limit Capabilities field to limit the user's ability to enter commands and to override the initial program, initial menu, current library, and attention-key-handling program specified in the user profile. It also prevents users from experimenting on the system. A user with LMTCPB(*YES) can only run commands that are defined as Allow Limited User (ALWLMTUSR) *YES. These commands are shipped by IBM with ALWLMTUSR(*YES): |
| o Sign off (SIGNOFF) |
| o Send message (SNDMSG) |
| o Display messages (DSPMSG) |
| o Display job (DSPJOB) |
| o Display job log (DSPJOBLOG) |
| o Start PC Organizer (STRPCO) |
| o Work with Messages (WRKMSG) |
| The Limit capabilities field in the user profile and the ALWLMTUSR parameter on commands apply only to commands that are run from the command line, the Command Entry display or an option from a command grouping menu. Users are not restricted from doing the following: |
| o Running commands in CL programs that are running a command as a result of taking an option from a menu |
| o Running remote commands through applications, such as FTP. |
| You can allow the limited capability user to run additional commands, or remove some of these commands from the list, by changing the ALWLMTUSR parameter for a command. If you create your own commands, you can specify the ALWLMTUSR parameter on the Create Command (CRTCMD) command. *PARTIAL allows use of system commands, but restricts the user from changing their initial program and menu at the sign-on screen. Users have the ability to change the initial menu via the change profile command (CHGPRF). Possible values for Limit Capabilities and what functions are allowed for each value. |
| Actions |
| Decide which users should be restricted and ensure that this is the case for the users shown below. |
| 3.8 | QLMTDEVSSN | Users with limited device sessions |
| The Limit device sessions field controls whether a user can be signed on at more than one workstation at a time. The value does not restrict the use of the System Request menu or a second sign-on from the same device. Possible values for LMTDEVSSN: |
| *SYSVAL The QLMTDEVSSN system value is used. |
| *NO The user may be signed on to more than one device at the same time. |
| *YES The user may not be signed on to more than one device at the same time. |
| Limiting users to one workstation at a time is one way to discourage sharing user profiles. |
| Actions |
| Set the QLMTDEVSSN system value to 1 (YES). If some users have a requirement to sign on at multiple workstations, use the Limit device sessions field in the user profile for those users. |
| 3.9 | SPCENV | Users with special environments |
| Special Environment determines the environment the user operates in after signing on. The user can operate in the AS/400, the System/36, or the System/38 environment. When the user signs on, the system uses the routing program and the special environment in the user's profile to determine the user's environment. |
| *SYSVAL The QSPCENV system value is used to determine the environment when the user signs on, if the user's routing program is QCMD. |
| *NONE The user operates in the AS/400 environment. |
| *S36 The user operates in the System/36 environment if the user's routing program is QCMD. |
| Actions |
| Review all users shown below and ensure that they are all working in appropriate environments. |
| 4 | SPAUTHORTY | Special Authorities |
| Risk |
| Special Authorities give users special access to a number of important system functions. |
| 4.1 | ALLOBJ | Users with all objects authority |
| All-object special authority allows the user to access any resource on the system whether or not private authority exists for the user. Even if the user has *EXCLUDE authority to an object, *ALLOBJ special authority still allows the user to access the object. The user can view, change, or delete any object. The user can also grant to other users the authority to use objects. A user with *ALLOBJ authority cannot directly perform operations that require another special authority. For example, *ALLOBJ special authority does not allow a user to create another user profile, because creating user profiles requires *SECADM special authority. However, a user with *ALLOBJ special authority can submit a batch job to run using a profile that has the needed special authority. Giving *ALLOBJ special authority essentially gives a user access to all functions on the system. |
| Actions |
| Only qualified users should have this special authority. |
| 4.2 | SECADM | Users with security administration authority |
| Security administrator (*SECADM) special authority allows a user to create, change, and delete user profiles. A user with *SECADM special authority can: |
| o Add users to the system distribution directory. |
| o Display authority for documents or folders. |
| o Add and remove access codes to the system. |
| o Give and remove a user's access code authority. |
| o Give and remove permission for users to work on another user's behalf. |
| o Delete documents and folders. |
| o Delete document lists. |
| o Change distribution lists created by other users. |
| Only a user with *SECADM and *ALLOBJ special authority can give *SECADM special authority to another user. |
| Actions |
| Review all users shown below. Ensure that only appropriate users have this authority. |
| 4.3 | JOBCTL | Users with job control authority |
| Job control (*JOBCTL) special authority allows the user to: |
| o Change, delete, hold, and release all files on any output queues specified as OPRCTL(*YES). |
| o Display, send, and copy all files on any output queues specified as DSPDTA(*YES or *NO) and OPRCTL(*YES). |
| o Hold, release, and clear job queues specified as OPRCTL(*YES). |
| o Hold, release, and clear output queues specified as OPRCTL(*YES). |
| o Hold, release, change, and cancel other users' jobs. |
| o Start, change, end, hold, and release writers, if the output queue is specified as OPRCTL(*YES). |
| o Change the running attributes of a job, such as the printer for a job. |
| o Stop subsystems. |
| o Perform an initial program load (IPL). |
| You can change the job priority (JOBPTY) and the output priority (OUTPTY) of your own job without job control special authority. You must have *JOBCTL special authority to change the run priority (RUNPTY) of your own job. Changes to the output priority and job priority of a job are limited by the priority limit (PTYLMT) in the profile of the user making the change. |
| Actions |
| Review all users shown below. Ensure that only appropriate users have this authority. |
| 4.4 | SPLCTL | Users with spool control Authority |
| The user with *SPLCTL special authority can perform any operation on any spooled file in the system. Confidential spooled files cannot be protected from a user with *SPLCTL special authority. Spool control special authority allows the user to perform all spool control functions, such as changing, deleting, displaying, holding and releasing spooled files. The user can perform these functions on all output queues, regardless of any authorities for the output queue or the OPRCTL parameter for the output queue. |
| Actions |
| Review all users shown below. Ensure that only appropriate users have this authority. |
| 4.5 | SAVSYS | Users with save system authority |
| Save system (*SAVSYS) special authority gives the user the authority to save, restore, and free storage for all objects on the system, whether or not the user has object existence authority to the objects. The user with *SAVSYS special authority can: |
| o Save an object and take it to another AS/400 system to be restored (and viewed). |
| o Save an object and display the tape to view the data. |
| o Save an object and free storage, thus deleting the data portion of the object. |
| o Save a document and delete it. |
| Actions |
| Review all users shown below. Ensure that only appropriate users have this authority. |
| 4.6 | SERVICE | Users with service authority |
| A user with *SERVICE special authority can display and change confidential information using service functions. The user must have *ALLOBJ special authority to change the information using service functions. |
| Actions |
| Review all users shown below. Ensure that only appropriate users have this authority. |
| 4.7 | AUDIT | Users with audit authority |
| Audit (*AUDIT) special authority gives the user the ability to change auditing characteristics. The user can: |
| o Change the system values that control auditing. |
| o Use the CHGOBJAUT, CHGDLOAUD, and CHGAUD commands to change auditing for objects. |
| o Use the CHGUSRAUD command to change auditing for a user. |
| A user with *AUDIT special authority can stop and start auditing on the system or prevent auditing of particular actions. Note: Only a user with *ALLOBJ, *SECADM, and *AUDIT special authorities can give another user *AUDIT special authority. |
| Actions |
| If having an audit record of security-relevant events is important for your system, carefully control and monitor the use of *AUDIT special authority. Review all users shown below. Ensure that only appropriate users have this authority. |
| 4.8 | IOSYSCFG | Users with system configuration authority |
| System configuration (*IOSYSCFG) special authority gives the user the ability to change how the system is configured, for example adding or removing communications configuration information, working with TCP/IP servers, and configuring the internet connection server (ICS). Most commands for configuring communications require *IOSYSCFG special authority. Note: You need *ALLOBJ to be able to change data using service functions. |
| Recommendations for Special Authorities: Giving special authorities to users represents a security exposure. For each user, carefully evaluate the need for any special authorities. Keep track of which users have special authorities and periodically review their requirement for the authority. In addition, you should control the following situations for user profiles and programs: |
| o Whether user profiles with special authorities can be used to submit jobs |
| o Whether programs created by these users can run using the authority of the program owner. |
| Programs adopt the *ALLOBJ special authority of the owner if: |
| o The programs are created by users who have *ALLOBJ special authority |
| o The user specifies the USRPRF(*OWNER) parameter on the command that creates the program. |
| Actions |
| Review all users shown below. Ensure that only appropriate users have this authority. |
| 5 | UPASSWORD | User passwords |
| Risk |
| Passwords are the most important means of securing access to your system. |
| 5.1 | PWDEXPITV | Users password expiry interval |
| Requiring users to change their passwords after a specified length of time reduces the risk of an unauthorized person accessing the system. The password expiration interval controls the number of days that a valid password can be used before it must be changed. When a user's password has expired, the user receives a message at sign-on. The user can either press the Enter key to assign a new password or press F3 (Exit) to cancel the sign-on attempt without assigning a new password. If the user chooses to change the password, the Change Password display is shown and full password validation is run for the new password. |
| Actions |
| Set the QPWDEXPITV system value to an appropriate interval, such as 60 to 90 days. Use the password expiration interval field in the user profile for individual users who should change their passwords more frequently, such as security administrators. Use the user profile password interval to require profiles with *SERVICE, *SAVSYS, or *ALLOBJ special authorities to change passwords more frequently than other users. Possible values for PWDEXPITV: |
| o *SYSVAL The QPWDEXPITV system value is used. |
| o *NOMAX The system does not require the user to change the password. |
| o A number from 1 through 366. |
| The system parameter QPWDEXPITV is set to 60 days. Your company standard is 60 days for ordinary users and 30 for 'system' users. This setting will be overridden for any users who have individual password expiration intervals. |
| 5.2 | PWDEXPD | Users with password set to expired |
| The Set password to expired field allows a security administrator to indicate in the user profile that the user's password is expired and must be changed the next time the user signs on. This value is reset to *NO when the password is changed. You can change the password by using either the CHGPWD or CHGUSRPRF command, or the QSYCHGPW API, or as part of the next sign-on process. This field can be used when a user cannot remember the password and a security administrator must assign a new one. Requiring the user to change the password assigned by the security administrator prevents the security administrator from knowing the new password and signing on as the user. When a user's password has expired, the user receives a message at sign-on. The user can either press the Enter key to assign a new password or press F3 (Exit) to cancel the sign-on attempt without assigning a new password. If the user chooses to change the password, the Change Password display is shown and password validation is run for the new password. |
| Actions |
| Examine users with expired passwords and determine why they have not signed on and changed their password. They may no longer need access to the system. |
| No users have expired passwords. |
| 5.3 | PWDLCHG | Users password last changed |
| This shows when a user last changed their password. |
| Actions |
| Passwords should have been changed recently, within the normal password change frequency. Examine those accounts whose passwords have not been changed for many days. |
| 5.4 | PWDIBMPRO | IBM system profiles where password <> *NONE |
| IBM has a number of standard system profiles which should not have a password and should not be signed on to. |
| Actions |
| The profiles shown below should have a password set to *NONE but do not. |
| 5.5 | PWDNOTLO | Users who have not logged on |
| The users shown below do not have a Previous Sign-On Date shown in the user file. This indicates that they have not logged on to the system. Unused accounts represent an unnecessary risk to the system. |
| Actions |
| Review these users and determine if the accounts are still needed. Remove any that are not needed, being careful NOT to remove system accounts. |