PRTSECAUD PRINT SECURITY AUDIT TAASECO

The Print Security Audit command is intended for the Security Officer
or Auditor to review the important security aspects of the system.

You must have (or adopt) *ALLOBJ authority and you must have *SECADM
authority to use PRTSECAUD.

A typical command is entered as:

        PRTSECAUD

The command provides spooled output which includes:
** A summary of the major system characteristics
** The major security system values
** The network attributes related to security
** Profile names that are eligible to signon, but have not done
so in the last N days (default is 90 days)
** Profiles that use the profile name as the password
** A summary of all the system and user profiles
** Storage owned by QDFTOWN
** Last save/restore information for user profiles
** User profiles with a high degree of authority (e.g. *ALLOBJ,
*SERVICE) and those profiles that are members of a group with
this authority
** Profiles that are specified as LMTCPB(*NO)
** Libraries on the system portion of the library list (QSYSLIBL
system value) and the authorizations to the libraries.
** Security tips
** WRKSYSVAL output (defaults to the security system values)
** DSPSECRVW basic listing (TAA Tool) one line per user
** DSPAUTUSR group profile listing (listing by group) same name
as the password.

The output includes suggestions on how to clean up some of the items
found. It also describes other TAA Tools which may be useful in a
security audit.

Command parameters *CMD
------------------

   LASTSGNDAT    The number of days to be used to check if any user
                 profiles that are eligible to signon have not done
                 so. The default is 90.

   SYSVALUES     Whether to print the system values with WRKSYSVAL to
                 the spooled file QSYSPRT. The default is *SECURITY
                 which prints just the security system values. *ALL
                 prints all the system values. *NONE avoids any
                 output.

   DSPSECRVW     Whether to print a listing of all user profiles
                 using the TAA Tool DSPSECRVW. This is a basic
                 listing with one line per user profile and several
                 columns of information. *YES is the default. The
                 output is to the spooled file USRPRF.

   DSPAUTUSR     Whether to use the DSPAUTUSR system command with
                 SEQ(*GRPPRF) specified. The default is *YES. This
                 provides a listing by group. The output is to the
                 spooled file QPAUTUSR.

   CHKSAMPWD     Whether to check the profiles to see if the password
                 is the same as the profile name. The default is
                 *YES. *YES causes the system ANZDFTPWD command to
                 be run and makes a separate listing. ANZDFTPWD does
                 not cause any change to the internal count of
                 invalid passwords entered.

                 *NO avoids the ANZDFTPWD command.

Restrictions
------------

You must have (or adopt) *ALLOBJ authority and you must have *SECADM
authority to use PRTSECAUD.

Prerequisites
-------------

The following TAA Tools must be on your system:

     ADDDAT          Add date
     ALCTMPMBR       Allocate temporary member
     CVTSYSSTS       Convert system status
     DSPSECRVW       Display security review
     RPGSTSDS        RPG status data structure
     RTVRELID        Retrieve release ID
     RTVSPCAUT       Retrieve special authority
     SNDCOMPMSG      Send completion message
     SNDESCMSG       Send escape message
     SNDSTSMSG       Send status message

Implementation
--------------

None, the tool is ready to use.

Objects used by the tool
------------------------

   Object        Type    Attribute    Src member    Src file
   ------        ----    ---------    ----------    ----------
   PRTSECAUD     *CMD                 TAASECO       QATTCMD
   TAASECOC      *PGM    CLP          TAASECOC      QATTCL
   TAASECOC2     *PGM    CLP          TAASECOC2     QATTCL
   TAASECOR      *PGM    RPG          TAASECOR      QATTRPG

Structure
---------

PRTSECAUD *CMD
TAASECOC *CLP
TAASECOR *RPG
TAASECOC2 *CLP
Added to TAA Productivity tools April 1, 1995