January 23, 2013 - Vol 3, Issue 22
Are You Really Saving the Right Stuff?

By Dan Riehl

In 2005, IBM published a really cool chart named "Are you Saving the Right Stuff". It is quite useful, but the chart is nearly a decade old. Perhaps we need to check whether we are really saving the right stuff for today's IBM i technology.

Editor's Note: I encourage you to also read the "Security Shorts" column in this Newsletter concerning "Important Objects that May Be Improperly Excluded from your Backup Process".

As security and system administrators, one of our responsibilities is to ensure that our backups include all the information that may be needed to recover the entire system in the event of a very trivial error or the worst catastrophic failure. In recent releases of the IBM i OS, IBM has added several enhancements in the area of backup and recovery. But in order to take advantage of many of these enhancements, we need to update our backup policies and processes.

On a recurring schedule, we typically back up application and user libraries, security data (including user profiles), system configuration data, some third-party-vendor-supplied libraries, folders and documents in the QDLS file system, and other directories and stream files residing in the rest of the IFS.

A basic daily backup process may save only the changes that have occurred on the system since the previous full backup. Some of us have the luxury of running a daily save process that backs up all user data, security data and configuration data, instead of just those objects that have changed.

We usually save the operating system (using SAVSYS) only before and after we install a new OS release, or after significant changes have been made to the OS, such as applying a cumulative PTF package.

Obviously, your backup policy and processes may differ significantly from these specifics, all depending on your unique requirements.

A Full Save

Some of us use the SAVE Menu Option 21 to get a full save of the system. Others may use a combination of SAVSYS, SAVLIB LIB(*NONSYS), SAVDLO, and SAV to craft their own full backups.

But when you run SAVE Menu Option 21—or your custom full backup process—are you really getting a full backup of your system?

New Capabilities

OS/400 V5R3 and V5R4 and IBM i OS 6.1 and 7.1 have enhanced our ability to back up information that in many cases was previously not available. You’ll probably want to update your backup processes in order to take advantage of these new SAVE capabilities.

Saving Access Paths

In V5R3, IBM introduced the system value QSAVACCPTH. This system value provides a system-wide default setting for whether access paths (e.g., indexes) are saved when you save your database files. The system value has a shipped setting of *YES. You should check your backup processes to ensure that all the SAVxxx commands (SAVLIB, SAVOBJ, etc.) specify the attribute ACCPTH as *YES or *SYSVAL. In a recovery scenario, your RSTxxx restore process (RSTLIB, RSTOBJ, RST, etc.) runs significantly faster if you restore the access paths rather than rebuild them, which can be a very lengthy process.

So check all of the SAVxxx commands in your backup process to ensure that you are saving access paths, as in the following:

SAVLIB LIB(MYLIB) DEV(TAP01) ACCPTH(*SYSVAL)   /* or ACCPTH(*YES) */

For a Full backup, make sure to save the access paths. It increases the duration of the SAVxxx process and uses more tape space, but in a recovery scenario, you'll be very glad you did.

Spooled File Data

Prior to V5R4, when an output queue object was saved, only the description of the output queue was saved, not the entries (the reports) in the output queue. Starting in V5R4, you can save and restore the spooled files that reside in the output queues. Prior to V5R4, you could write your own report archive utility, but in V5R4 this capability is built into the SAVxxx and RSTxxx commands.

The following command saves all objects in the PRODLIB library and also saves all the spooled files in all the output queues that reside in the library:

SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(*ALL)

For a full backup, make sure to back up your spooled file data. Again, this affects the duration of the SAVxxx process and uses more tape, but if you need to be able to restore your reports, you first have to save them.

If you need a program to simply save all of your spooled files, there is source code for a CL program to do this in the September 2012 issue of the Newsletter.

Data Queue Data

Prior to V5R4, when a data queue (*DTAQ) object was saved, only the description of the data queue was saved, not the entries in the data queue. V5R4 added the capability to save all remaining data queue entries at the time of the SAV* operation.

The following command saves the PRODLIB library and also saves any data queue entries in all regular data queues (DDM data queue data cannot be saved using this value):

SAVLIB LIB(PRODLIB) DEV(TAP01) QDTA(*DTAQ)

For a full backup, make sure to back up any remaining data queue entries.

NOTE: If you are still using IBM's BRMS under V5R4, you need to make a special accommodation in order to make sure you are saving DTAQ data. This IBM support document explains how to use data queue Save support in V5R4.

Private Authorities

In IBM i 6.1, you can begin saving object private authorities with the objects when you save the objects. Historically, private authorities would only be saved when using the commands SAVSECDTA (Save Security Data) or SAVSYS (Save System). Because private authorities are stored within user profiles, it's quite a neat trick for IBM to save and restore the object private authorities when saving and restoring the objects.

The following command saves the PRODLIB library and also saves all object private authorities:

SAVLIB LIB(PRODLIB) DEV(TAP01) PVTAUT(*YES)

There are times to use this PVTAUT support, and other times to just use SAVSECDTA to save this information. I addressed this new 6.1 support in the August 2012 Issue of the newsletter.

For a full backup, make sure to back up your private authorities by using the appropriate SAVxxx command and specifying PVTAUT(*YES). For a regular routine backup, IBM recommends using the SAVSECDTA command, which saves all user profiles along with their private authorities. SAVSYS can also be used to save the system, including user profiles and their private authorities (SAVSECDTA) and system configuration data (SAVCFG).
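
The check this article asks for in the access path, spooled file, data queue and private authority sections can be run over the text of a backup CL program. The following Python sketch is an added example, not code from the Newsletter or from IBM; the sample CL source is constructed, and flagging an omitted parameter (rather than trusting the command default) is this example's own policy.

```python
import re

# Values the article asks for on a full save; treating an omitted
# parameter as a finding is this example's policy (an assumption).
REQUIRED = {
    "ACCPTH": {"*YES", "*SYSVAL"},
    "SPLFDTA": {"*ALL"},
    "QDTA": {"*DTAQ"},
    "PVTAUT": {"*YES"},  # needs IBM i 6.1 or later
}
SAVE_CMD = re.compile(r"(?:\w+:\s*)?(SAVLIB|SAVOBJ)\b", re.I)

def join_continuations(source):
    """Strip /* comments */ and merge lines ending in '+' or '-'."""
    logical, buf = [], ""
    for raw in source.splitlines():
        line = re.sub(r"/\*.*?\*/", "", raw).strip()
        if not line:
            continue
        if line[-1] in "+-":
            buf += line[:-1].rstrip() + " "
        else:
            logical.append(buf + line)
            buf = ""
    return logical + ([buf.strip()] if buf else [])

def audit(source):
    """Return (command, parameter, value_or_None) for every gap found."""
    findings = []
    for cmd in join_continuations(source):
        if not SAVE_CMD.match(cmd):
            continue
        params = {k.upper(): v.strip().upper()
                  for k, v in re.findall(r"(\w+)\(([^()]*)\)", cmd)}
        for name, allowed in REQUIRED.items():
            if params.get(name) not in allowed:
                findings.append((cmd, name, params.get(name)))
    return findings

# Constructed sample backup program, not taken from a real system.
SAMPLE_CL = """\
PGM
SAVLIB LIB(PRODLIB) DEV(TAP01) ACCPTH(*SYSVAL) +
       SPLFDTA(*ALL) QDTA(*DTAQ) PVTAUT(*YES)
SAVLIB LIB(MYLIB) DEV(TAP01) ACCPTH(*NO) SPLFDTA(*ALL) /* gaps */
SAVSECDTA DEV(TAP01)
ENDPGM
"""

if __name__ == "__main__":
    for cmd, name, value in audit(SAMPLE_CL):
        print(f"{name}({value or 'omitted'}) in: {cmd}")
```

Where private authorities are covered by SAVSECDTA instead, as discussed above, remove PVTAUT from the REQUIRED table before running the audit.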


About the Author

Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for the IT Security and Compliance Group, LLC.

Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.
