< When was your Last SAVSECDTA, SAVSYS, SAVCFG? And Where are They? - SecureMyi Security and Systems Management Newsletter for the IBM i, iSeries and AS/400
     
SecureMyi.com Security and Systems Management Newsletter for the IBM i                 March 25, 2015 - Vol 5, Issue 4
Security Training from SecureMyi.com
Security software from Powertech



Security? See how SKYVIEW PARTNERS can help!







Training from 400 School and SecureMyi.com



Training from 400 School and SecureMyi.com



Training from 400 School and SecureMyi.com



When was your Last SAVSECDTA, SAVSYS, SAVCFG?
And Where are They?

By Dan Riehl

Backup and Recovery is an area that is critical to the security and integrity of our systems. If someone accidentally wipes out a file, or in the event of a large scale disaster, it's critical we have all of the pieces needed to recover the file, or the entire system.

We typically have a pretty good handle on when we last backed up our User Libraries, our Document Library objects, and the root '/' file system. But what about the last save of the operating system? And what about our user profiles and security data and our system configuration objects? When was that data last backed up? And what tape or other media contains the last backup?

If you need to recover your system, and the Last Save of Security Data(Including User Profiles) was 3 months ago, that is your recovery point for User Profiles and Passwords, Authorization Lists and Private Authorities. Can you recall what your password was 3 months ago? And your End-Users Passwords? You potentially have a real mess on your hands.

When we save a library using the SAVLIB command, objects are marked with the save date and save device information, as long as we specify UPDHST(*YES). But when we save the operating system, the objects that are saved are not marked with the save information. The same is true when we save user profiles and configuration data. The saved objects are not updated with the last save date.

IBM has supplied some special purpose data areas in the QSYS library that are updated with the save date and save device information when we perform certain save operations.

When we save our security data (including user profiles) using the command Save Security Data (SAVSECDTA), the special data area QSAVUSRPRF in QSYS is updated to reflect the save date and time and save device information.

Below is a list of various SAVE commands and the associated QSYS data area. Upon execution of the command, the data area is updated.

Save Command          Data Area Updated 
SAVCFG		      QSAVCFG	
SAVLIB *ALLUSR	      QSAVALLUSR
SAVLIB *IBM	      QSAVIBM	
SAVLIB *NONSYS	      QSAVLIBALL
SAVSECDTA	      QSAVUSRPRF
SAVSTG		      QSAVSTG	
SAVSYS		      QSAVSYS, QSAVUSRPRF, QSAVCFG
SAVSYSINF 	      QSYSINF

Viewing the Last Save Date and Device

To view the last save information, you display the object description (DSPOBJD), you don't display the content of the data area. You can start with the command Work with Objects (WRKOBJ), as shown here:

WRKOBJ OBJ(QSYS/QSAV*) OBJTYPE(*DTAARA)

This command allows you to work with all the data areas in the QSYS library that start with the characters QSAV. This results in the following display:

      
                                Work with Objects                                
                                                                                
 Type options, press Enter.                                                     
   2=Edit authority        3=Copy   4=Delete   5=Display authority   7=Rename   
   8=Display description   13=Change description                                
                                                                                
 Opt  Object      Type      Library     Attribute   Text                        
  _   QSAVALLUSR  *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVCFG     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVIBM     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVLIBALL  *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVSTG     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVSYS     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  8   QSAVUSRPRF  *DTAARA   QSYS                    S/R DIRECTORY INFO FOR REST 

Place option 8 (DSPOBJD) next to one of the data areas. In the example, we chose QSAVUSRPRF to see when we last saved our security data (including user profiles). Scroll through the resulting list to see the last Save Date and Time, the Save Device used and Save Volume ID and Sequence Number on the Tape.

                       Display Object Description - Full                        
                                                                 Library 1 of 1 
 Object . . . . . . . :   QSAVUSRPRF      Attribute  . . . . . :                
   Library  . . . . . :     QSYS          Owner  . . . . . . . :   QSYS         
 Library ASP device . :   *SYSBAS         Library ASP group  . :   *SYSBAS      
 Type . . . . . . . . :   *DTAARA         Primary group  . . . :   *NONE        
                                                                                
 Journaling information:                                                        
   Currently journaled  . . . . . . . . :   NO                                  
 Save/Restore information:                                                      
   Save date/time . . . . . . . . . . . :   03/12/15  21:20:23                  
   Restore date/time  . . . . . . . . . :                                       
   Save command . . . . . . . . . . . . :   SAVSECDTA                           
   Device type  . . . . . . . . . . . . :   TAPE                           
   Tape Volume  . . . . . . . . . . . . :   W23BK                      
   Sequence Number  . . . . . . . . . . :   13
    

If you simply want to examine one of the special SAVE data areas, you can use the command DSPOBJD. Here's an example that can be used to display the information on the last time we did a SAVSECDTA.

DSPOBJD OBJ(QSAVUSRPRF) OBJTYPE(*DTAARA)


While We're Here: Where IS Your SAVSYS?

While we're here discussing saving the system and its different pieces, check to make sure you're routinely saving your user profiles and system configuration data. Also check to make sure you have a good SAVSYS backup media handy. You probably did a SAVSYS operation the last time you made a major change to the operating system, like an OS upgrade, or after applying a cumulative PTF package.

If you don't have these backups available (SAVSYS, SAVSECDTA, SAVCFG), plan to do the needed backups as soon as you can. You don't want to be stuck in a recovery scenario needing to go back to the original IBM distribution media. That would be a disaster on top of a disaster.



About the Author

Dan Riehl is the Editor of the SecureMyi Security Newsletter and a Security Specialist for
the IT Security and Compliance Group

Dan performs IBM i security assessments and provides security consulting, remediation, forensic evaluations, and other customized security services for his clients. He also provides training in all aspects of IBM i security and other technical areas through The 400 School, Inc.

Dan Riehl on LinkedIn




   
      Security Training from SecureMyi.com


Copyright 2015 SecureMyi.com