AS400 security nightmare

[RedHeadedStepITChild]

Somewhat long post, but want to give as much info as I can...

I've recently inherited an iSeries to admin (V5R2). As any decent admin. would do, I've gone through the system and ERP security and have updated to what it needs to be. As you can imagine, this has upset some end-users as they no longer have the carte-blanche permissions like they used to an this has caused a password sharing problem.

I know how to limit sign-ons, but for productivity, the powers the be want me to allow multiple sessions.

With all of that being said, I was hoping the following questions could be answered here.

1.) What file does the DSPLOG command call? My CIO wants this file (or the screen results) converted to a .txt file.

2.) Is there an equivalent to Unix/Linux "logwatch" for the iSeries? If not, has anyone created a CLP to mirror this capability?

3.) Is there a way to restrict a userID to only be able to sign on to a "home" terminal or TN5250 session?

I apologize for my ignorance of the iSeries. I have many more questions, but I will post new threads as I come to those questions. I want to thank anybody/everybody for any help you can lend beforehand

Jason

 

[tcsbiz]

I can partially answer 1. DSPLOG uses files in library QSYS that start with QHST. We currently have 22 such files. Use the command WRKF FILE(QSYS/QHST*) FILEATR(PF) to see a list of the files on your system.

The problem is is that they are not named the same. What happens is the log fills up and "rolls" to a new file named QHST******. We have one named QHST09151A. The text description contains the date and time the file was created. QHST09151A has the value 10905310452561090602022419. The first digit is 1 and indicates 21st century. The next six are the date the file was created; 090531 (May 31, 2009.) I believe the next six are the date it was created.

If you want to look at the file contents use option 5 from the display list of the files.

A system value, QHSTLOGSIZ, holds the value for the maximum size allowed for the log file before a new one gets created. Find that by using WRKSYSVAL QHSTLOGSIZ.

Tom

 

[jmd0252]

Any terminal can be used by anyone. I am assuming that you have looked over the profile security. WRKUSRPRF 'fill in user name here', or *all. From what you have said you also know about wrksysval *all. What is the software running on the AS400, ie Peoplesoft, Oracle, JD Edwards, etc, etc sometimes the software will have it's own security methods.
Also on the ibm redbooks web site. try searching there.

http://www.redbooks.ibm.com.

Using As400 security you can secure objects. Understand that in the AS400 world everything is an object,, from a program to a data file. The first line of defense being sign on security, then object security.

 

[RedHeadedStepITChild]

We are using BPCS, and yes it has it's own security.

I did CHGMSQ MSGQ(QSYSOPR) DLVRY(*BREAK)in hopes of my terminal showing me when users log on and off. That doesn't seem to be working, or not working in the way I was hoping.

I am learning very fast and, yes, I do know about WRKUSRPRF *ALL and WRKSYSVAL *ALL

Keeping my day interesting that is for sure. Having fun with it too

 

[jmd0252]

Well does BPCS offer anything useful?? I know when we were using JDE World,, there was some interesting things it allowed us to do. Have you though about journaling, and what that might get you?

 

[RedHeadedStepITChild]

No...unfortunatly BPCS doesn't. Basically the iSeries username is passed to BPCS, and access to the BPCS modules and/or CL programs is set within BPCS. To this point I don't think its even possible to pass a group profile (which would make my job tons easier).

I have come across a few articles on journaling and auditing. I'm not sure that I have a good grasp of that yet. Honestly, at this point I'm worried about turning on journaling or auditing and then 12 hours later running out of disk space

I was hoping there was some way to modify the WRKACTJOB command to show only users that are signed onto different machines. Using something like that and exporting the QHST files (thanks tcsbiz!) to text will get me well on the way of getting this under wraps.

As a side note, I just about have upper-management convinced into letting me shut down multiple-session sign ins. Currently the users are using multiple sessions so they don't have to navigate between BPCS modules, OUTQ, etc, etc. However, when it comes to asking them to do something out of thier comfort zone, I find that they are unable to do so, because they do not know how to navigate and manipulate the system. Locking users down to one session is a win-win for me

I am greatly indebted to your help! I appreciate it very much. Any help and or pointers on journaling is much appreciated.

 

[flapeyre]

I wouldn't count on modifying WRKACTJOB. Not a good idea to fool with Mother Nature. You can write a user-defined command for the purpose.

I can see the users' point of view. As a programmer, myself, I frequently have multiple sessions open (we do not restrict them). We do, however, via group policy / Windows, enforce a 10-minute screen-saver kick-in, with your network password required to unlock the PC (nobody here uses a dumb terminal). Plus, starting at 7PM, anyone with an open AS/400 terminal session has it logged off after a few minutes of inactivity. Personally, I use Windows key + L to lock my PC when I leave my desk.

I would compromise a bit on the one-session thing. It doesn't really increase security all that much. The real security issue is to keep people from sharing each other's User IDs and passwords. That requires a management policy approach (one warning, you're out of here if we catch you doing it again).



-- Francis
I'd like to change the world, but I can't find the source code.

 

[RedHeadedStepITChild]

flapeyre...

I appreciate your suggestions. While I'm new to sys. admin world (and even newer to AS400/iSeries) I've made my almost all the suggestions you listed to my "higher-ups."

Perhaps its my negotiation skills that need upgrading

Once again, thanks all to all of you have helped.

 

[Kozusnik]

Questions 1 & 2...

You could use
DSPLOG PERIOD(('00:00:00' '06/27/2009') ('08:00:00' '06/27/2009')) OUTPUT(*PRINT) MSGID(CPF1124 CPF1164)

WRKJOB
OPT 4 to view the results

I added the date/times to show how the command looks. You could just specify any part of it.

The CPF1124 and CPF1164 are session starts and ends respectively.

If you wanted to be creative, you could...
Create a physical file
Create a CL program
Run this command from the CL program using date/times (or not)
CPYSPLF to the physical file (in CL)
QUERY the file (in CL) to an outfile (clean it up in here)
CPYTOPCD (in CL)
SNDDST (E-mail) results to CIO (in CL)

Then the CIO could have a daily log to go slap the hands of the users sharing sign-ons.

Question 3...
I'm sure you could do that with the initial "program to call" on the user profile or maybe in conjunction with the jobd, but you'd have to build that program yourself. IBM may be able to help. You could always call them (depending on your service contract of course).