Security and Systems Management Newsletter for the IBM i                 February 27, 2013 - Vol 3, Issue 24
Security Assessment Workshop for IT Auditors - from The 400 School

Powertech - Control of your Powerful Users

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Feature Article

Security Related System Values - Lock Out Changes!

By Dan Riehl

The numerous System Values on the IBM i are the main controlling system settings that determine how your system operates. For example, the System Value QCRTAUT determines what the default *PUBLIC authority will be for newly created objects. The System Value QALWOBJRST determines if there are any restrictions on the programs and service programs that can be restored onto the system. The System Values QTIME and QDATE store the current system time and date respectively.

When you aren't the only one at your company who has security officer privileges or high levels of authority, one of these other powerful users can change the settings stored in these System Values. In one particular "real life" example, an unwise change to the QCRTAUT System Value caused the system to assign incorrect *PUBLIC authority settings to newly created objects, leaving them open to abuse.

In order to protect these high-impact, Security-related System Values, IBM has provided a Lock/Unlock mechanism that's available through System Service Tools (STRSST).

In order to access the Lock/Unlock setting, a user must have *SERVICE special authority and a powerful Service Tools User ID and Password. These Service Tools User IDs and Passwords aren't the same as the operating system User IDs and Passwords. These are special Service Tools User IDs, like 11111111, 22222222 and, yes, QSECOFR. But the Service Tools user QSECOFR is a different user than the operating system's QSECOFR user profile, typically with a different, and case sensitive, password.

To access the System Values Lock/Unlock function, enter the command Start System Service Tools (STRSST) and, when prompted, enter QSECOFR as the User ID and supply the QSECOFR SST Password. You are then presented with the System Service Tools menu. (Note: If you have created other powerful Service Tools User IDs, similar to QSECOFR, you can optionally log into Service Tools using one of these.)

This article further explains the Pros and Cons of setting the Security System Value Lock in SST.

I highly encourage you to Set the Lock!

But, Read On for instructions and more information.

In This Issue

Featured Article - Lock System Values

Security Shorts - Auditing the Exit Points

Featured Video - Limited Capabilities User?

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit

Our Newsletter Sponsors

Platinum Sponsor

    The 400 School, Inc

Gold Sponsor
    The PowerTech Group

    Skyview Partners, Inc

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute - Jan 2013

IBM i Security Videos from

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

PowerTech - Control of your Powerful Users

IBM i Security and Systems Management News Bytes

Bytware Introduces Messenger 8

Bytware, a division of Help/Systems, has announced a new version of their IBM i message monitoring tool, Messenger 8. This latest update adds new ease-of-use enhancements in the areas of job management and compliance reporting.

These enhancements help users more easily identify jobs running on their systems that are critical to business operations. By facilitating fine-tuned searches, helping IT staff collaborate on incident response, and enhancing the built-in capabilities of IBM i, Messenger 8 brings message monitoring in line with the latest approaches to server management.

See more about the new version from Bytware.

New Cilasoft Product Releases May Change the way you Secure Your IBM i

Cilasoft Security Solutions, announced the release of a new version of their CONTROLER security software for IBM i that makes use of several new and updated IBM i exit points, including the newly enhanced Open Database File exit point, and the new 7.1 Socket exit points.

CONTROLER has traditionally monitored, logged and controled numerous IBM i exit points, including network exit points, CL command exits for CL command control, and STRSQL, RUNQTU, SQL Exec and ODBC, JDBC execution. The addition to CONTROLER of the new and updated exit points in IBM i 7.1, presents an impressive suite.

Read the Cilasoft Press Release.

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

An "Easy" Button for Provisioning IBM i Users
Live Webcast - Sponsored by PowerTech
Wednesday, February 27 1:00 PM CST
More Information and Register to Attend

IBM i Logging for Compliance & SIEM Integration
Live Webcast - Sponsored by Townsend Security
Wednesday, February 27 12:00 Noon CST
More Information and Register to Attend

US Daylight Saving Time Begins - 2:00am Sunday March 10
Daylight Saving Time - Around the World

Top 10 New Features of IBM i Security - With Carol Woodbury
Live Webcast - Presented by Skyview Partners
Wednesday, March 13 10:00am CDT
More Information and Register to Attend

Live Hands-On IBM i Security Assessment Workshop for IT Auditors
Full Length Training Workshop - April 9-12, 2013 9:00am - 4:00pm CDT
Dan Riehl presents his 3.5-Day Live Online Hands-on Security Assessment Workshop for the IBM i.
More Information and Register to Attend

April 7-10 - COMMON - A User Group
2013 Annual Conference and Exposition - Austin, TX
More Information and Register to Attend

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Featured YouTube Educational Video

IBM i Security

Misconceptions of User Profile Limited Capabilities - LMTCPB(*YES)

Featured Video - Misconceptions on User Limited Capabilities LMTCPB(*YES)

Security Shorts -

Auditing Exit Point Changes (WRKREGINF)

By Dan Riehl

I have heard the question many times; 'Who removed my exit program?" Or 'Where did my FTP and Create User Profile registered exit programs go? Perhaps a more interesting question might be "How did that exit program get there?"

If you have created the QAUDJRN journal, and have set the associated System Values(QAUDCTL QAUDLVL QAUDLVL2) correctly, you have an audit trail of all changes that have been made to your exit point registry. There are 2 auditing methods you can use to collect information about Exit Point Registry changes. You can use Object Auditing, and/or you can use Event auditing. When dealing with the exit point registry, I think you will find that Event auditing may be an easier choice. But, I'll present both methods and you can choose which one you like. You may prefer to use both, which is what I use and recommend.

Auditing the Exit Point Registry Object

The Exit Point Registry is stored in the object QUSEXRGOBJ in library QUSRSYS. The object type is *EXITRG.

In order to start auditing the Exit Point Registry object you first need to ensure that the QAUDCTL system value includes the value *OBJAUD. This allows you to being auditing access to objects. Once this is done, you can then start auditing changes to the registry object using the following command.


Now, whenever a change is made to the registry, a ZC(Object Accessed for Change) journal entry is written to the QAUDJRN journal, indicating that the QUSEXRGOBJ object was accessed in Update mode, and/or was changed. Additional information provided in the ZC journal entry includes information like Job User, Current User, Job Name, Program that made the change, the timestamp of the entry, etc.

The operations that can be audited for the QUSEXRGOBJ object are:

ADDEXITPGM		Add Exit Program CL Command  
QUSADDEP		Add Exit Program API 
QusAddExitProgram	Add Exit Program API 
QUSDRGPT		Unregister Exit Point API 
QusDeregisterExitPoint	Unregister Exit Point API 
QUSRGPT			Register Exit Point API 
QusRegisterExitPoint	Register Exit Point API 
QUSRMVEP		Remove Exit Program API 
QusRemoveExitProgram	Remove Exit Program API 
RMVEXITPGM		Remove Exit Program CL Command 
WRKREGINF		Work with Registration Information CL Command  

To review all ZC entries, you can use your favorite QAUDJRN reporting software. In V5R4 IBM provided the command CPYAUDJRNE(Copy Audit Journal Entries) which is a very nice command to extract information from QAUDJRN. Here's the command you can use to extract the ZC(Object Accessed for Change) entries into a formatted output file.


This will create a file QAUDITZC in library MYLIB. The columns in the output file are specific to the ZC journal entry type. To list the ZC entries, you can use the command:


If you are auditing numerous objects on your system, you will need to select only the records where the object name is QUSEXRGOBJ.

Auditing the Event of a change to the Exit Point Registry

To audit security configuration events, like a change to the exit point registry, you set the System value QAUDCTL to include the value *AUDLVL, and include the value *SECCFG or *SECURITY in the QAUDLVL, or QAUDLVL2, system value.

If this is done, and someone or some process manipulates the Exit Point Registry, a journal entry is written to the QAUDJRN journal. The journal entry type for this access is GR(Generic Record). As of IBM i 6.1, all GR entries are related to the Exit Point Registry.

You can review the GR entries just like the ZC entries. Here's the command you can use to extract the GR entries into a formatted output file.


This will create a file QAUDITGR in library MYLIB. The columns in the output file are specific to the GR journal entry type. To list the GR entries, you can use the command:


The information provided includes what function was performed, Job User, Current User, Job Name, Program used, Timestamp, etc.

The SecureMyi Newsletter always provides a link to QAUDJRN Journal Entry Record Layouts in the Security Resources Section

For your convenience, the QAUDJRN Journal Emtry Record Layouts for 6.1 are also here.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC
In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Live Training from The 400 School, Inc

Customized IBM i (AS/400) Training -
    Presented Live at your offices

Live Online Hands-On Workshops

Intro RPG IV Programming
Intro RPG/400 Programming
IBM i COBOL Programming
Interactive Programming Workshops
Introduction to System Operations
Expanded System Operations Workshop
System Administration and Control
Expanded Security Workshop
Control Language Programming
IBM i Concepts and Facilities
Concepts & Control Language
Query Workshop

Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 -, all rights reserved | St Louis MO 63017