IBM i 6.1 and 7.1 gave us many new commands and functions, including Display Service Tools User ID (DSPSSTUSR), which is very useful and should be part of your regularly scheduled security audits.
System Service Tools (SST) accounts can perform moderate maintenance on your Power Systems and IBM i operating system. You can work with disk configuration and partitions, view the product activity log, and much more. Dedicated Service Tools (DST) requires the system to be in manual mode and gives you access to additional functions, such as working with the Licensed Internal Code (LIC). The same accounts are set up to access both SST and DST. Ideally, you want to ensure that these Service Tools accounts are under the watchful eye of your most trusted administrators. Any oddities should be investigated.
In IBM i 5.4 and its predecessors, you had to physically log into Service Tools (SST or DST) to get information about your Service Tools accounts. Now, with the DSPSSTUSR command provided in 6.1, you can get this information quite quickly and bypass the Service Tools environment altogether.
This is a display-only command. Any changes to Service Tools accounts require you to actually log into Service Tools. You also need the *SECADM or *AUDIT special authority to run DSPSSTUSR.
When you run DSPSSTUSR and prompt with your F4 key (see Figure 1), you can route the output to the screen, which is the default, or to a spooled file or an output file. In addition, you can display a single Service Tools account (for example, QSECOFR) or all accounts (*ALL is the default).
Figure 1: Route output to the screen, a spooled file, or an output file.
Figure 2 shows the listing of Service Tools accounts, their status, their linked accounts, and their descriptions.
Figure 2: See a list of Service Tools accounts.
Figures 3, 4, and 5 show the details about a specific Service Tools account.
Figure 3: See password information.
Figure 4: View some sys admin details.
Figure 5: View more sys admin details.
This is quick and dirty at its finest. You can schedule this command to run each month or quarter so you can see which service accounts are being created, when they're being used, and whether they're being changed. DSPSSTUSR gives us administrators very valuable insight into our most precious accounts. In fact, it really doesn't get any simpler.
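The periodic review described above comes down to comparing one run's listing with the previous one. The following is an added example, not part of the original article or of IBM's tooling: it assumes each scheduled run's output has been exported to CSV, and the column names (user_id, status, linked_profile, description) and sample rows are constructed for illustration, not the field names of the DSPSSTUSR output file.

```python
import csv
import io

# Columns assumed for the exported snapshot (hypothetical names, not the
# field names of the DSPSSTUSR output file).
KEY = "user_id"
TRACKED = ("status", "linked_profile", "description")


def load_snapshot(text):
    """Parse one exported snapshot into {user_id: {tracked column: value}}."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {r[KEY].strip().upper(): {k: (r.get(k) or "").strip() for k in TRACKED}
            for r in rows}


def diff_snapshots(previous, current):
    """Return findings for accounts added, removed, or changed between runs."""
    findings = []
    for uid in sorted(current.keys() - previous.keys()):
        findings.append(("ADDED", uid, current[uid]))
    for uid in sorted(previous.keys() - current.keys()):
        findings.append(("REMOVED", uid, previous[uid]))
    for uid in sorted(current.keys() & previous.keys()):
        changed = {k: (previous[uid][k], current[uid][k])
                   for k in TRACKED if previous[uid][k] != current[uid][k]}
        if changed:
            findings.append(("CHANGED", uid, changed))
    return findings


# Constructed sample data: two quarterly snapshots.
Q1 = """
user_id,status,linked_profile,description
QSECOFR,ENABLED,QSECOFR,Security officer
QSRV,DISABLED,,Service representative
OPS01,ENABLED,JSMITH,Night operator
"""
Q2 = """
user_id,status,linked_profile,description
QSECOFR,ENABLED,QSECOFR,Security officer
QSRV,ENABLED,,Service representative
TEMPADM,ENABLED,,Temporary admin
"""

if __name__ == "__main__":
    for kind, uid, detail in diff_snapshots(load_snapshot(Q1), load_snapshot(Q2)):
        print(f"{kind:8} {uid:10} {detail}")
```

Each finding (a new account, a removed account, or a status or link change) is something to reconcile against an approved change before the next review.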