When was your Last SAVSECDTA, SAVSYS, SAVCFG? And Where are They?
By Dan Riehl
Backup and Recovery is an area that is critical to the security and integrity of our systems. If someone accidentally wipes out a file, or in the event of a large scale disaster, it's critical we have all of the pieces needed to recover the file, or the entire system.
We typically have a pretty good handle on when we last backed up our User Libraries, our Document Library objects, and the root '/' file system. But what about the last save of the operating system? And what about our user profiles and security data and our system configuration objects? When was that data last backed up? And what tape or other media contains the last backup?
If you need to recover your system, and the Last Save of Security Data(Including User Profiles) was 3 months ago, that is your recovery point for User Profiles and Passwords, Authorization Lists and Private Authorities. Can you recall what your password was 3 months ago? And your End-Users Passwords? You potentially have a real mess on your hands.
When we save a library using the SAVLIB command, objects are marked with the save date and save device information, as long as we specify UPDHST(*YES). But when we save the operating system, the objects that are saved are not marked with the save information. The same is true when we save user profiles and configuration data. The saved objects are not updated with the last save date.
IBM has supplied some special purpose data areas in the QSYS library that are updated with the save date and save device information when we perform certain save operations.
When we save our security data (including user profiles) using the command Save Security Data (SAVSECDTA), the special data area QSAVUSRPRF in QSYS is updated to reflect the save date and time and save device information.
Below is a list of various SAVE commands and the associated QSYS data area. Upon execution of the command, the data area is updated.
Save Command Data Area Updated
SAVCFG QSAVCFG
SAVLIB *ALLUSR QSAVALLUSR
SAVLIB *IBM QSAVIBM
SAVLIB *NONSYS QSAVLIBALL
SAVSECDTA QSAVUSRPRF
SAVSTG QSAVSTG
SAVSYS QSAVSYS, QSAVUSRPRF, QSAVCFG
SAVSYSINF QSYSINF
Viewing the Last Save Date and Device
To view the last save information, you display the object description (DSPOBJD), you don't display the content of the data area. You can start with the command Work with Objects (WRKOBJ), as shown here:
WRKOBJ OBJ(QSYS/QSAV*) OBJTYPE(*DTAARA)
This command allows you to work with all the data areas in the QSYS library that start with the characters QSAV. This results in the following display:
Work with Objects
Type options, press Enter.
2=Edit authority 3=Copy 4=Delete 5=Display authority 7=Rename
8=Display description 13=Change description
Opt Object Type Library Attribute Text
_ QSAVALLUSR *DTAARA QSYS S/R DIRECTORY INFO FOR SAVE
_ QSAVCFG *DTAARA QSYS S/R DIRECTORY INFO FOR SAVE
_ QSAVIBM *DTAARA QSYS S/R DIRECTORY INFO FOR SAVE
_ QSAVLIBALL *DTAARA QSYS S/R DIRECTORY INFO FOR SAVE
_ QSAVSTG *DTAARA QSYS S/R DIRECTORY INFO FOR SAVE
_ QSAVSYS *DTAARA QSYS S/R DIRECTORY INFO FOR SAVE
8 QSAVUSRPRF *DTAARA QSYS S/R DIRECTORY INFO FOR REST
Place option 8 (DSPOBJD) next to one of the data areas. In the example, we chose QSAVUSRPRF to see when we last saved our security data (including user profiles). Scroll through the resulting list to see the last Save Date and Time, the Save Device used and Save Volume ID and Sequence Number on the Tape.
Display Object Description - Full
Library 1 of 1
Object . . . . . . . : QSAVUSRPRF Attribute . . . . . :
Library . . . . . : QSYS Owner . . . . . . . : QSYS
Library ASP device . : *SYSBAS Library ASP group . : *SYSBAS
Type . . . . . . . . : *DTAARA Primary group . . . : *NONE
Journaling information:
Currently journaled . . . . . . . . : NO
Save/Restore information:
Save date/time . . . . . . . . . . . : 03/12/15 21:20:23
Restore date/time . . . . . . . . . :
Save command . . . . . . . . . . . . : SAVSECDTA
Device type . . . . . . . . . . . . : TAPE
Tape Volume . . . . . . . . . . . . : W23BK
Sequence Number . . . . . . . . . . : 13
If you simply want to examine one of the special SAVE data areas, you can use the command DSPOBJD. Here's an example that can be used to display the information on the last time we did a SAVSECDTA.
DSPOBJD OBJ(QSAVUSRPRF) OBJTYPE(*DTAARA)
While We're Here: Where IS Your SAVSYS?
While we're here discussing saving the system and its different pieces, check to make sure you're routinely saving your user profiles and system configuration data. Also check to make sure you have a good SAVSYS backup media handy. You probably did a SAVSYS operation the last time you made a major change to the operating system, like an OS upgrade, or after applying a cumulative PTF package.
If you don't have these backups available (SAVSYS, SAVSECDTA, SAVCFG), plan to do the needed backups as soon as you can. You don't want to be stuck in a recovery scenario needing to go back to the original IBM distribution media. That would be a disaster on top of a disaster.
About the Author
Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for the
IT Security and Compliance Group
Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security
services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.
Dan Riehl on LinkedIn
|