The AS/400 keeps a history log in QSYS/QHST, a message queue (*MSGQ) object. When it becomes full, OS/400 creates a *FILE object in QSYS whose name begins with QHST, copies the contents of the history log and clears the log.
On our system, these files were created with public authority of *EXCLUDE during Version 1 of OS/400. When we upgraded to V2R1M0, we found that the system history files were created with public authority of *LIBCRTAUT, which generally became *CHANGE for our clients.
This was unacceptable because it permitted anyone with a command line and authority to the right commands to write HLL programs to alter the system history files. Changing QSYS's CRTAUT parameter to *EXCLUDE wouldn't help because it would affect message queues, communications objects and other libraries by giving the public *EXCLUDE authority.
I ran into resistance from Level 2 and the developers. It seemed that they didn't want to change this. After discussing the problem with our local branch, several PTFs magically became available. Here are the numbers for the security conscious:
V2R1M0: SF11409 V2R1M1: SF11347 V2R2M0: SF11348
As of this writing, I don't believe these PTFs are on a cumulative PTF package. I recommend that the PTF be applied and authority removed from system history files already created with *CHANGE. Make sure the PTF is applied before correcting the current files. The command is:
RVKOBJAUT OBJ(QSYS/QHST*) + OBJTYPE(*FILE) + USER(*PUBLIC) + AUT(*ALL)