The Display Password Limit 2 command uses converted data from QHST
and displays or prints the conditions where a user profile has
successfully signed on after one or more invalid password attempts.
This provides a good review of authorized users who may be trying to
discover a password of another profile.
For example, a user could know that he gets 3 tries to signon before
his device and/or profile is disabled. He could try a different
profile for the first 2 tries and attempt to guess the password. On
the 3rd try he would enter his own profile and password and be
successfully signed on.
There are 2 choices for operating on QHST:

  **  If you are using the DSPQHST2 tool, CVTQHST2 must be used to
      convert QHST. After CVTQHST2 is used, specify:

          DSPPWDLMT2 LIB(xxx)

  **  If you are not using DSPQHST2, you must first use the CVTQHST
      command to convert the QHST log to the QHSTP file in a named
      library such as:

          CVTQHST QHSTFILE(*ALL) QHSTPLIB(xxx) FROMDATE(*TODAY)

      This converts all QHST messages for the current date.
      The DSPPWDLMT2 command may then be used:

          DSPPWDLMT2 LIB(xxx)

The DSPPWDLMT2 USRPRF parameter defaults to *ALL meaning all user
profiles that have a password. Instead of *ALL, you may list up to
100 user profiles which you consider security sensitive and have a
password. The system does not provide a message in QHST if a user
attempts to signon to a user profile that does not have a password.
If a CPF2234 message (invalid password) exists, the profile attempted
to be signed onto is checked against the list supplied in the USRPRF
parameter. If USRPRF(*ALL) or a match is found and the user
subsequently signs on to a valid user profile, the signed onto
profile is listed along with the attempts made to the user profiles
identified in the USRPRF parameter.
Both types of QHST processing produce similar output.
An option exists to bypass the conditions where the user entered an
invalid password (e.g. transposed some characters) and then correctly
signed onto the same user profile. This avoids a normal amount of
clutter in the listing.
Differences with DSPPWDLMT
--------------------------
DSPPWDLMT lists the devices and/or users that have been disabled
because the QMAXSIGN value has been exceeded.
DSPPWDLMT2 lists the users who have successfully signed on after one
or more invalid password attempts for a user profile that is
specified in the USRPRF list.
Processing considerations
-------------------------
The DSPPWDLMT2 function searches for the CPF2234 message ID that
describes that an invalid password has been entered. The information
about the device and user profile are stored in internal arrays.
If the CPF1397 message appears, the device has been disabled (varied
off) and the condition is not noted.
If the CPF1393 message appears, the user profile has been disabled
and the condition is not noted.
Both conditions are possible if the QMAXSGNACN system value is '3'.
If a CPF1124 (job start) message appears for the same device that a
CPF2234 message was sent for, the job and user information is listed
along with the attempted signons.
The internal entries are reset following printing or if the CPF1397,
CPF1393, or CPF1124 message appears.
All array entries are reset if the CPF0993 message (start of
controlling subsystem) appears.
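
The matching rules above, sketched in Python as an added example (this is
not the TAA tool's RPG source). The (message ID, device, user) record shape,
the assumption that the disable messages carry the device name, and the
sample data are constructed for illustration.

```python
# Constructed sample records: (message ID, device, user profile).
# The real QHSTP/QHST2 record layout is not shown on the page; this
# tuple shape is an assumption made for the example.
SAMPLE = [
    ("CPF2234", "DSP01", "QSECOFR"),  # invalid password for QSECOFR
    ("CPF2234", "DSP01", "QSECOFR"),
    ("CPF1124", "DSP01", "JSMITH"),   # job start: signs on as own profile
    ("CPF2234", "DSP02", "MJONES"),   # mistyped own password
    ("CPF1124", "DSP02", "MJONES"),
    ("CPF2234", "DSP03", "PAYROLL"),
    ("CPF1397", "DSP03", ""),         # device disabled: not noted
    ("CPF1124", "DSP03", "AUSER"),
    ("CPF2234", "DSP04", "QSECOFR"),
    ("CPF0993", "", ""),              # controlling subsystem start: reset all
    ("CPF1124", "DSP04", "BUSER"),
]

def signon_after_invalid(records, usrprf="*ALL", option="*ALL"):
    """Return (device, signed-on user, attempted profiles) findings.

    usrprf is "*ALL" or a list of sensitive profiles; option is "*ALL"
    or "*DIFPRF". The 25-name and 9999-device limits are not modelled.
    """
    pending = {}    # device -> profiles with invalid password attempts
    findings = []
    for msgid, device, user in records:
        if msgid == "CPF2234":
            if usrprf == "*ALL" or user in usrprf:
                pending.setdefault(device, []).append(user)
        elif msgid in ("CPF1397", "CPF1393"):
            pending.pop(device, None)       # disabled: reset, nothing listed
        elif msgid == "CPF0993":
            pending.clear()                 # all entries reset
        elif msgid == "CPF1124":
            attempts = pending.pop(device, [])
            if not attempts:
                continue
            # Assumption: *DIFPRF bypasses only when every attempt was
            # for the same profile that finally signed on.
            if option == "*DIFPRF" and all(a == user for a in attempts):
                continue
            findings.append((device, user, attempts))
    return findings
```
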
DSPPWDLMT2 escape messages you can monitor for
----------------------------------------------
None. Escape messages from the functions this tool is based on will be
re-sent.
Command parameters *CMD
------------------
   TYPE          The type of converted QHST file you are using.

                 *QHST should be entered if you have used CVTQHST to
                 create a QHSTP file in a named library.

                 *QHST2 should be entered if you have used CVTQHST2
                 to create a QHST2 file in a named library.

   LIB           The library containing the QHSTP file that was
                 created by CVTQHST or the QHST2 file created by
                 CVTQHST2. The TYPE parameter determines which file
                 must exist.

   USRPRF        A list of up to 100 user profiles that you consider
                 security sensitive. *ALL is the default and is a
                 good choice in most situations.

                 If a profile on which an invalid password was
                 attempted is in the list, and the user then
                 successfully signs on to a profile, the condition
                 will be listed.

   OPTION        An option to determine whether to include the
                 conditions where the user entered one or more
                 invalid passwords for a user profile and then
                 successfully signed onto the same profile.

                 *ALL is the default to list all conditions (none are
                 bypassed).

                 *DIFPRF may be entered to list only those conditions
                 where the user had one or more invalid attempts to
                 signon and then successfully signed onto a different
                 user profile.

   FROMDATE      The date and time of the first QHST message to be
                 considered. The default is *FIRST to use the first
                 QHST message in the file.

                 The special value *CURRENT may be entered to mean
                 today's date.

                 A specific date may be entered in job format. If no
                 date is entered, a date of Jan 1, 1940 is used.

                 A specific time may be entered in HHMMSS format. If
                 no time is entered, a time of 000000 is used.

   TODATE        The date and time of the last message to be
                 considered. The default is *LAST to use the current
                 date and the last message in the file.

                 A specific date may be entered in job format. If no
                 date is entered, the current date is used.

                 A specific time may be entered in HHMMSS format. If
                 no time is entered, a time of 235959 is used.

   OUTPUT        How to output the results. * is the default to
                 display the spooled file if the command is entered
                 interactively. The spooled file is deleted after it
                 is displayed.

                 If the command is entered in batch or *PRINT is
                 specified, the spooled file is output and retained.

Restrictions
------------
There is a limit of 25 user profile names that may be stored per
device until reset by printing or a successful signon.
There is a limit of 9999 devices that may be stored until reset by
printing or a successful signon.
Prerequisites
-------------
The following TAA Tools must be on your system:

     CHKOBJ3         Check object 3
     CVTTIM          Convert time
     DSPPWDLMT       Display password limit
     EDTVAR          Edit variable
     RSNLSTMSG       Resend last message
     RTVDAT          Retrieve date
     RTVSYSVAL3      Retrieve system value 3
     SNDCOMPMSG      Send completion message
     SNDESCINF       Send escape information
     SNDESCMSG       Send escape message
     SNDSTSMSG       Send status message

Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
   Object        Type    Attribute      Src member    Src file
   ------        ----    ---------      ----------    ----------
   DSPPWDLMT2    *CMD                   TAASEGT       QATTCMD
   TAASEGTC      *PGM    CLP            TAASEGTC      QATTCL
   TAASEGTR      *PGM    RPG            TAASEGTR      QATTRPG
   TAASEGTR2     *PGM    RPG            TAASEGTR2     QATTRPG

TAASEGTR reads the QHSTP file from CVTQHST.
TAASEGTR2 reads the QHST2 file from CVTQHST2.