Question: If a user profile is not used for an extended time, we disable the user profile to prevent sign-on. Is there a difference between setting the password to *NONE and setting the status to *DISABLED? Is there any advantage to doing both?
Answer: Either PASSWORD(*NONE) or STATUS(*DISABLED) will prevent a user profile from signing on to the AS/400. There is no advantage to setting both options.
I recommend setting PASSWORD(*NONE) rather than STATUS(*DISABLED) to prevent a user sign-on. A user profile can be disabled for other reasons, such as repeated password failures, so when the password is *NONE I know that a security officer explicitly prevented the user profile from signing on. The Change Activation Schedule Entry (CHGACTSCDE) command, which limits the time of day when a user profile can sign on, also changes the user profile status field.
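The question describes sweeping profiles that have not been used for a while. The CL program below is an added example, not code from the column, that does that sweep the way the answer recommends: it snapshots every profile with DSPUSRPRF to an outfile, reads it, and sets PASSWORD(*NONE) on profiles whose last sign-on precedes a cutoff date. It assumes the *BASIC outfile fields UPUPRF (profile name) and UPPSOD (previous sign-on date) from model file QSYS/QADSPUPB, and that the job date format is *YMD so a six-character YYMMDD string comparison orders dates correctly; check both with DSPFFD QSYS/QADSPUPB and DSPSYSVAL QDATFMT before using it. The job needs *SECADM special authority and authority to the profiles it changes.

```cl
/* DSBINACT: set PASSWORD(*NONE) on profiles not used since a cutoff.   */
/* Added example, not the column's code.  Assumed: outfile fields       */
/* UPUPRF and UPPSOD from QSYS/QADSPUPB, and a *YMD job date format so  */
/* that YYMMDD strings compare in date order.  Verify with DSPFFD and   */
/* DSPSYSVAL QDATFMT first.                                             */
PGM        PARM(&CUTOFF)
  DCL      VAR(&CUTOFF) TYPE(*CHAR) LEN(6)   /* YYMMDD; older last sign-on = inactive */
  DCLF     FILE(QSYS/QADSPUPB)               /* model file supplies the record layout */

  /* Snapshot all profiles into a work file, then read that instead of the model */
  DSPUSRPRF  USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) OUTFILE(QTEMP/USRPRFS)
  OVRDBF     FILE(QADSPUPB) TOFILE(QTEMP/USRPRFS)

 NEXT:      RCVF
  MONMSG   MSGID(CPF0864) EXEC(GOTO CMDLBL(DONE))   /* CPF0864 = end of file */

  /* Skip IBM-supplied Q* profiles; they are not interactive users */
  IF       COND(%SST(&UPUPRF 1 1) *EQ 'Q') THEN(GOTO CMDLBL(NEXT))
  /* Blank date = never signed on; review those by hand rather than here */
  IF       COND(&UPPSOD *EQ ' ') THEN(GOTO CMDLBL(NEXT))

  IF       COND(&UPPSOD *LT &CUTOFF) THEN(DO)
     /* PASSWORD(*NONE) rather than STATUS(*DISABLED): the status field */
     /* can be changed by the system, a *NONE password only by a person */
     CHGUSRPRF  USRPRF(&UPUPRF) PASSWORD(*NONE)
     SNDPGMMSG  MSG('Sign-on removed from' *BCAT &UPUPRF *BCAT +
                    'last used' *BCAT &UPPSOD)
  ENDDO
  GOTO     CMDLBL(NEXT)

 DONE:      DLTOVR   FILE(QADSPUPB)
ENDPGM
```

Call it as CALL DSBINACT PARM('970101') to remove sign-on from every non-Q profile whose last sign-on date is before 1 January 1997; the messages it sends form the record the security officer keeps of what was changed and why.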
Question: Our internal audit department has requested that we save the job log for security officers. Are there any tools to automate the review of job logs?
Answer: The intent of the job log is to assist in problem determination when an application fails, by providing a record of commands entered and the associated error messages. The job log is not intended to provide an audit trail of user actions. Because the job log contains a list of the commands entered, many installations attempt to implement a poor man's audit by saving the job log for powerful users. I am not aware of any tools to automate the review of job logs.
The job log is not secure from tampering. Users determined to hide their actions can modify the contents of the job log, set the logging level not to record activity, or delete the spooled files.
The audit journal is superior to the job log as a method to record the actions of users. You can set the user profile AUDLVL to *CMD and record every command the user enters, including commands issued from responses to menus. The entries in the audit journal cannot be modified. Automated tools can create reports from the audit journal.
When I speak professionally, I often get questions about comparing the audit journal, job log, and history log as an audit tool. Figure 1 compares some of the features of the audit journal, job log, and history log. The audit journal has excellent integrity, requires almost no overhead to write the audit data, and has superior data collection and reporting characteristics over either the job log or history log.
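To make the audit-journal alternative concrete, here is an added CL example (not code from the column) that turns on command auditing for one profile and later extracts the resulting CD (command) entries from QAUDJRN into a file the audit department can query. It assumes QSYS/QAUDJRN and its receiver already exist, that the job has *AUDIT and *ALLOBJ special authority, and that the model file QSYS/QASYCDJE describes the *TYPE2 CD entry layout. Call it once with 'SETUP' and then, whenever a report is wanted, with 'REPORT'.

```cl
/* AUDCMDS: command auditing for one profile, plus extraction of the   */
/* CD entries it produces.  Added example, not the column's own code.  */
/* Assumes QSYS/QAUDJRN exists, *AUDIT and *ALLOBJ authority, and the  */
/* QSYS/QASYCDJE model file for *TYPE2 CD entries.                     */
PGM        PARM(&USER &ACTION)
  DCL      VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL      VAR(&ACTION) TYPE(*CHAR) LEN(10)   /* SETUP or REPORT */

  IF  COND(&ACTION *EQ 'SETUP') THEN(DO)
     /* QAUDCTL is the master switch: without *AUDLVL in it the        */
     /* per-profile audit level is ignored and no CD entries appear.   */
     CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')
     /* *CMD records every command the profile runs, including those  */
     /* a menu option issues on the user's behalf.  The user cannot   */
     /* switch this off the way a job log level can be changed.       */
     CHGUSRAUD  USRPRF(&USER) AUDLVL(*CMD)
     RETURN
  ENDDO

  IF  COND(&ACTION *EQ 'REPORT') THEN(DO)
     /* A copy of the model file gives DSPJRN a parsed record layout  */
     /* instead of one raw entry-data string.                         */
     DLTF       FILE(QTEMP/CDENT)
     MONMSG     MSGID(CPF2105)                 /* not found: nothing to delete */
     CRTDUPOBJ  OBJ(QASYCDJE) FROMLIB(QSYS) OBJTYPE(*FILE) +
                  TOLIB(QTEMP) NEWOBJ(CDENT)
     /* Journal code T = audit entries, entry type CD = command run.  */
     /* RCVRNG(*CURCHAIN) walks the whole receiver chain so entries   */
     /* in detached receivers are not silently skipped.               */
     DSPJRN     JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) +
                  ENTTYP(CD) USRPRF(&USER) OUTPUT(*OUTFILE) +
                  OUTFILFMT(*TYPE2) OUTFILE(QTEMP/CDENT)
     /* The outfile is an ordinary physical file: query it here or    */
     /* hand it to whatever reporting tool the auditors use.          */
     RUNQRY     QRY(*NONE) QRYFILE((QTEMP/CDENT))
     RETURN
  ENDDO

  SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
               MSGDTA('Second parameter must be SETUP or REPORT') +
               MSGTYPE(*ESCAPE)
ENDPGM
```

Note that the setup step changes a system value, so it affects every profile that has its own AUDLVL set, not just the one named; that is the intended behaviour, but run it with the same change control you would apply to any other system value.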
Question: In your article "Security Audit Checklist" (MC, July 1997), you mentioned the system value QAUTOVRT to limit the number of attempts to guess passwords. How does the setting of this system value relate to the system value QMAXSGNACN?
Answer: The system value QAUTOVRT determines the number of virtual terminals that can be created automatically. The maximum number of virtual terminals is important when the system value QMAXSGNACN=1. Setting the system value QMAXSGNACN=1 instructs OS/400 to disable (vary off) the workstation when a user repeatedly enters an invalid password. The other values disable the user profile (2) or both the device and the user profile (3). The system value QMAXSIGN determines the number of attempts allowed before the action specified by QMAXSGNACN is taken.
When the device is varied off, it effectively stops access from the workstation (local terminals only). However, if the user is accessing the AS/400 using TELNET or STRPASTHR from a remote location, the user is assigned a virtual terminal. If the virtual terminal is varied off because of excessive invalid password attempts, a hacker can simply acquire another virtual device and continue the guessing of user profile passwords. To prevent repeated attempts to guess the password of a user profile, the system value QMAXSGNACN should be set to 2 (disable profile) or 3 (disable device and profile) to disable the user profile and prevent further attempts to guess the user's password.
The following example illustrates the number of attempts to guess passwords. When the system values are set to QMAXSIGN=3, QMAXSGNACN=1, and QAUTOVRT=75, a persistent hacker could attempt 3*75=225 times to guess the password.
If, however, QMAXSGNACN=2 or 3, the user profile is disabled as soon as the QMAXSIGN limit (three attempts) is exceeded, and future attempts to guess the password are prevented. The system value QAUTOVRT should still be kept low because a hacker could go on to guess the passwords of different user profiles, each of which gets its own QMAXSIGN attempts.
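The following CL program is an added example, not code from the column, that checks the two system values discussed above and reports the weakness each setting implies, then optionally applies the values the answer recommends. It assumes RTVSYSVAL returns QMAXSIGN as CHAR(6) and QMAXSGNACN as CHAR(1), and that the job has the *ALLOBJ and *SECADM special authorities needed to change system values. The QAUTOVRT value of 10 is an illustrative choice; the answer only says to keep it low.

```cl
/* CHKSGNACN: report the password-guessing exposure implied by         */
/* QMAXSIGN and QMAXSGNACN, and optionally set the recommended values. */
/* Added example, not the column's code.  Assumed: QMAXSIGN is CHAR(6) */
/* and QMAXSGNACN is CHAR(1) on RTVSYSVAL; QAUTOVRT=10 is illustrative.*/
PGM        PARM(&FIX)
  DCL      VAR(&FIX)     TYPE(*CHAR) LEN(4)   /* '*YES' applies the fix */
  DCL      VAR(&MAXSIGN) TYPE(*CHAR) LEN(6)   /* '1'-'25' or '*NOMAX' */
  DCL      VAR(&ACN)     TYPE(*CHAR) LEN(1)   /* '1' device, '2' profile, '3' both */

  RTVSYSVAL  SYSVAL(QMAXSIGN)   RTNVAR(&MAXSIGN)
  RTVSYSVAL  SYSVAL(QMAXSGNACN) RTNVAR(&ACN)

  /* *NOMAX means the QMAXSGNACN action can never be triggered at all */
  IF  COND(&MAXSIGN *EQ '*NOMAX') THEN( +
      SNDPGMMSG MSG('QMAXSIGN is *NOMAX: unlimited password guesses'))

  /* Action 1 only varies off the device.  TELNET and STRPASTHR users   */
  /* get a fresh virtual device, so the real budget is QMAXSIGN guesses */
  /* per device times the QAUTOVRT ceiling on virtual devices.          */
  IF  COND(&ACN *EQ '1') THEN( +
      SNDPGMMSG MSG('QMAXSGNACN=1 disables the device only; each new +
                     virtual device allows' *BCAT &MAXSIGN *BCAT 'more guesses'))

  IF  COND(&FIX *EQ '*YES') THEN(DO)
     CHGSYSVAL  SYSVAL(QMAXSIGN)   VALUE('3')  /* three tries, then ...        */
     CHGSYSVAL  SYSVAL(QMAXSGNACN) VALUE('3')  /* ... disable device AND profile */
     CHGSYSVAL  SYSVAL(QAUTOVRT)   VALUE(10)   /* small pool of virtual devices  */
  ENDDO
ENDPGM
```

Run CALL CHKSGNACN PARM('*NO') first to see the messages without changing anything; the two SNDPGMMSG lines are the conditions a checklist review of these values should flag. After the fix, a guessing attempt against one profile ends after three failures regardless of how many virtual devices the attacker can obtain.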
Wayne O. Evans is an AS/400 security consultant and a frequent speaker on security topics. During his 27 years with IBM Corporation, he was involved with AS/400 security design issues. Prior to working on security, Wayne worked on message handling and work management and was the team leader for the command definition and CL language on the S/38.