November 8, 2011 - Vol 1, Issue 3
Feature Article
By Dan Riehl

Most of us run IBM i Access for Windows. That's the newest name for what we used to call PC Support, Client Access and iSeries Access. You probably use the Personal Communications PC5250 emulation software to provide your workstation sessions. You may also use the IBM i Navigator (Operations Navigator, iSeries Navigator) portion of IBM i Access for Windows.

There are several IBM-supplied applications that are installed on your PC when you install IBM i Access for Windows. Included in these additional applications are the Remote Command facility, the ODBC Driver and various File Transfer programs and Service utilities. One critical piece of software that is installed is the command interface to Set or Flush the Signon Server cached User IDs and Passwords, which is the topic of our discussion here.

When you run IBM i Access functions on your PC that require communications with the host, you must first authenticate to the host. To accomplish this authentication, IBM provides the Signon Server GUI window where you provide your credentials (i.e. UserID and Password). Once you have successfully authenticated, your PC provides an open pipe to access the IBM i without any further authentication. You can transfer files, run remote commands, examine spooled files, etc.

So, do you flush your credentials when you leave your desk, or go home for the evening? Or do you leave the pipe wide open for anyone that happens to wander by your unattended workstation?

In this article, we'll examine how you can easily flush your Signon Server credentials cache, and thereby achieve a higher level of protection for your sensitive data.
Security Shorts - Auditing Newly Created Objects

The IBM i has excellent built-in auditing capabilities. You can audit various types of important events, you can audit object access, and you can audit access to IFS "objects". I have used the object auditing facilities quite heavily. But, the other day I was stumped. I was asked the question "How do you turn on auditing for newly created files and directories in the IFS?" I knew that there was a way to do this, but the method did not come readily to mind. After searching the web and performing quite a bit of testing, I now have the answer to that question. I hope that the information is helpful to you.

Auditing Newly Created QSYS.LIB Objects

The System value QCRTOBJAUD specifies the global default value for the auditing level specified for newly created objects. The shipped value is *NONE, meaning, newly created objects will not be audited at the global/system level.

You can override the QCRTOBJAUD system value at the library level by specifying the CRTOBJAUD parameter of the CRTLIB (Create Library) and CHGLIB (Change Library) command as shown here.

    CHGLIB LIB(MYLIB) CRTOBJAUD(*CHANGE)

When a library is created, the default value for the CRTLIB's CRTOBJAUD parameter is *SYSVAL, but can be set as desired to *ALL, *CHANGE, *USRPRF, *NONE or *SYSVAL.

    CRTLIB LIB(MYLIB) . . CRTOBJAUD(*CHANGE)

So, now, whenever a new object is created in MYLIB, the object's OBJAUD value will automatically be set to *CHANGE.

Auditing Newly Created IFS "Objects"

The IFS /root file system is used to store various types of files, directories, folders and documents. Often sensitive data is stored there in MS/Excel spreadsheets, Word documents, images, audio, pdf reports, and many other types of files.

In addition to being the global setting for the QSYS.LIB file system, the system value QCRTOBJAUD is also the global setting applied to IFS directories. If you want to turn on auditing for all newly created IFS "objects", you set the system value QCRTOBJAUD as required to *ALL, *CHANGE or *USRPRF.

Within the IFS, this global setting can be overridden at the directory level using the CHGATR (Change Attribute) command as shown here.

    CHGATR OBJ('home/myuser') ATR(*CRTOBJAUD) VALUE(*CHANGE)

If you want the *CRTOBJAUD auditing attribute to be applied to subdirectories also, include the SUBTREE(*ALL) option of the CHGATR command.

So, the key to managing auditing for newly created objects in the IFS is the QCRTOBJAUD System Value when used in conjunction with the CHGATR command. With the CHGATR command, you specify the *CRTOBJAUD attribute and corresponding value for the selected IFS directory, and the associated sub-directories.
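A way to confirm that the settings above actually take effect, as an added example that is not part of the original newsletter: the CL program below checks that object auditing is switched on in QAUDCTL, creates a library with CRTOBJAUD(*CHANGE), verifies that a new object inherits that value, and then applies the attribute to an IFS tree. The names AUDTEST and NEWOBJ and the absolute path '/home/myuser' are assumptions, and the job is assumed to run with *AUDIT special authority.

```cl
/* Added example: verify that CRTOBJAUD is inherited by new objects.  */
/* AUDTEST, NEWOBJ and '/home/myuser' are hypothetical names.         */
PGM
  DCL VAR(&AUDCTL) TYPE(*CHAR) LEN(50)
  DCL VAR(&OBJAUD) TYPE(*CHAR) LEN(10)
  DCL VAR(&I)      TYPE(*INT)  LEN(4)
  DCL VAR(&ACTIVE) TYPE(*LGL)  VALUE('0')

  /* QAUDCTL holds up to five 10-character entries. Object auditing  */
  /* values are only acted on when one of the entries is *OBJAUD.    */
  RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
  DOFOR VAR(&I) FROM(1) TO(41) BY(10)
    IF COND(%SST(&AUDCTL &I 10) *EQ '*OBJAUD') +
       THEN(CHGVAR VAR(&ACTIVE) VALUE('1'))
  ENDDO
  IF COND(*NOT &ACTIVE) THEN(SNDPGMMSG MSGID(CPF9898) +
     MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
     MSGDTA('QAUDCTL does not include *OBJAUD'))

  /* Library-level override, then create an object inside it         */
  CRTLIB LIB(AUDTEST) CRTOBJAUD(*CHANGE)
  CRTDTAARA DTAARA(AUDTEST/NEWOBJ) TYPE(*CHAR) LEN(10)

  /* Read back the auditing value the new object was given           */
  RTVOBJD OBJ(AUDTEST/NEWOBJ) OBJTYPE(*DTAARA) OBJAUD(&OBJAUD)
  DLTLIB LIB(AUDTEST)
  IF COND(&OBJAUD *NE '*CHANGE') THEN(SNDPGMMSG MSGID(CPF9898) +
     MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
     MSGDTA('New object did not inherit *CHANGE auditing'))

  /* IFS: set the attribute on the directory and its subdirectories; */
  /* the directory is assumed to exist                               */
  CHGATR OBJ('/home/myuser') ATR(*CRTOBJAUD) VALUE(*CHANGE) +
         SUBTREE(*ALL)
  SNDPGMMSG MSG('CRTOBJAUD verified in QSYS.LIB and applied in the IFS')
ENDPGM
```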
Copyright 2011 - SecureMyi.com, all rights reserved
SecureMyi.com, St Louis MO 63017