<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Security level system value" />
<meta name="abstract" content="This system value allows you to set the security level for the system." />
<meta name="description" content="This system value allows you to set the security level for the system." />
<meta name="DC.Relation" scheme="URI" content="rzamvgensecsysval.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="seclvl" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Security level system value</title>
</head>
<body id="seclvl"><a name="seclvl"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Security level system value</h1>
<div><p>This system value allows you to set the security level for the
system.</p>
<p>The system offers five different levels of security. Each of these levels
of security provides specific security controls for the system. Depending on
the decisions you made in the security policy, you can select the security level
that you need. IBM<sup>®</sup> ships
all new systems with the security level 40, which provides a high level of
security that is necessary for most installations. It is not recommended that
you set the security level on a new system lower than this value.</p>
<p>Even though IBM recommends
that you keep systems at level 40, lower values are described to provide a function-by-function
comparison between the security levels.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><caption>Table 1. Possible values for the security level
system value. This table compares the different settings and the
functions that the security level allows.</caption><thead align="left"><tr class="tablemainheader" valign="bottom"><th valign="bottom" width="24.873096446700508%" id="d0e34">Security level</th>
<th valign="bottom" width="24.111675126903553%" id="d0e36">iSeries™ Navigator description</th>
<th valign="bottom" width="25.380710659898476%" id="d0e40">Functions allowed </th>
<th valign="bottom" width="25.63451776649746%" id="d0e42">Functions not allowed </th>
</tr>
</thead>
<tbody><tr class="tablemainheader"><td valign="top" width="24.873096446700508%" headers="d0e34 ">10 (no security)<sup> 1</sup></td>
<td valign="top" width="24.111675126903553%" headers="d0e36 ">No passwords are needed and users have authority
to all resources</td>
<td valign="top" width="25.380710659898476%" headers="d0e40 "><span>Provides users with *ALLOBJ access to
all objects.</span></td>
<td valign="top" width="25.63451776649746%" headers="d0e42 ">NA</td>
</tr>
<tr><td valign="top" width="24.873096446700508%" headers="d0e34 ">20 (low or relaxed security)</td>
<td valign="top" width="24.111675126903553%" headers="d0e36 ">Passwords are required and users have authority
to all resources</td>
<td valign="top" width="25.380710659898476%" headers="d0e40 "><ul><li>Provides users with *ALLOBJ access to all objects.</li>
<li>User name required to sign on.</li>
<li>Password required to sign on.</li>
<li>Password security active.</li>
<li>Menu and initial program security active.</li>
<li>Security auditing capabilities available.</li>
<li>Programs that contain restricted instructions cannot be created or recompiled.</li>
<li>*USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified
in the QALWUSRDMN system value.</li>
</ul>
</td>
<td valign="top" width="25.63451776649746%" headers="d0e42 "><ul><li>Resource security active.</li>
<li>User profile created automatically.</li>
<li>Programs that use unsupported interfaces fail at run time.</li>
<li>Enhanced hardware storage protection supported.</li>
<li>Pointers used in parameters are validated for user domain programs running
in system state.</li>
<li>Message handling rules are enforced between system and user state programs.</li>
<li>A program’s associated space cannot be directly modified.</li>
<li>Internal control blocks are protected.</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="24.873096446700508%" headers="d0e34 ">30 (medium or average security)</td>
<td valign="top" width="24.111675126903553%" headers="d0e36 ">Passwords are required and users' access is based
on their authority</td>
<td valign="top" width="25.380710659898476%" headers="d0e40 "><ul><li>User name required to sign on.</li>
<li>Password required to sign on.</li>
<li>Password security active.</li>
<li>Menu and initial program security active.</li>
<li>Security auditing capabilities available.</li>
<li>Programs that contain restricted instructions cannot be created or recompiled.</li>
<li>*USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified
in the QALWUSRDMN system value.</li>
</ul>
</td>
<td valign="top" width="25.63451776649746%" headers="d0e42 "><ul><li>Allow access to all objects.</li>
<li>Resource security active.</li>
<li>User profile created automatically.</li>
<li>Programs that use unsupported interfaces fail at run time.</li>
<li>Enhanced hardware storage protection supported.</li>
<li>Pointers used in parameters are validated for user domain programs running
in system state.</li>
<li>Message handling rules are enforced between system and user state programs.</li>
<li>A program’s associated space cannot be directly modified.</li>
<li>Internal control blocks are protected.</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="24.873096446700508%" headers="d0e34 ">40 (high or strict security) <sup>2</sup></td>
<td valign="top" width="24.111675126903553%" headers="d0e36 ">Protect from undocumented system interfaces</td>
<td valign="top" width="25.380710659898476%" headers="d0e40 "><ul><li>User name required to sign on.</li>
<li>Password required to sign on.</li>
<li>Password security active.</li>
<li>Menu and initial program security active.</li>
<li>Security auditing capabilities available.</li>
<li>Programs that contain restricted instructions cannot be created or recompiled.</li>
<li>*USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified
in the QALWUSRDMN system value.</li>
<li>Pointers used in parameters are validated for user domain.</li>
<li>A program’s associated space cannot be directly modified.</li>
<li>Internal control blocks are protected.</li>
</ul>
</td>
<td valign="top" width="25.63451776649746%" headers="d0e42 "><ul><li>Allow access to all objects.</li>
<li>User profile created automatically.</li>
<li>Message handling rules are enforced between system and user state programs.</li>
</ul>
</td>
</tr>
<tr><td valign="top" width="24.873096446700508%" headers="d0e34 ">50 (high or strict security) <sup>3</sup></td>
<td valign="top" width="24.111675126903553%" headers="d0e36 ">Enhance protection of system interfaces</td>
<td valign="top" width="25.380710659898476%" headers="d0e40 "><ul><li>User name required to sign on.</li>
<li>Password required to sign on.</li>
<li>Password security active.</li>
<li>Menu and initial program security active.</li>
<li>Security auditing capabilities available.</li>
<li>Programs that contain restricted instructions cannot be created or recompiled.</li>
<li>*USRSPC, *USRIDX, and *USRQ objects can be created only in libraries specified
in the QALWUSRDMN system value.</li>
<li>Pointers used in parameters are validated for user domain.</li>
<li>A program’s associated space cannot be directly modified.</li>
<li>Internal control blocks are protected.</li>
</ul>
</td>
<td valign="top" width="25.63451776649746%" headers="d0e42 "><ul><li>Allow access to all objects.</li>
<li>User profile created automatically.</li>
</ul>
</td>
</tr>
<tr><td colspan="4" valign="top" headers="d0e34 d0e36 d0e40 d0e42 "><ol><li>Security level 10 is no longer supported. If you change from security
level 10 to 20, 30, 40 or 50, you will not be able to change it back to level
10.</li>
<li>IBM ships
all new systems with a security level of 40. IBM strongly recommends that you leave the
security level set to 40.</li>
<li>At security level 50, no system internal control blocks can be modified.
In comparison, some system internal control blocks can be modified at security
level 40.</li>
</ol>
</td>
</tr>
</tbody>
</table>
</div>
<p><span class="uicontrol">Relationship to your security policy</span></p>
<div class="p">In your security policy, you try to maintain a balance between protecting
your assets, user access, and system performance. If the system contains highly
confidential material or information that would seriously compromise your
business if it were lost or stolen, that system requires a higher security
level than a system that contains less sensitive information. In addition,
you may have a system that is connected to an insecure network, such as the
Internet, and could potentially be targeted for an attack. These systems also
need a higher security level to protect them. <div class="note"><span class="notetitle">Note:</span> Security level alone does
not protect systems connected to insecure networks from attack. If you are
planning to connect to the Internet or any other insecure network, you need
to analyze the risks not only to your system but also to your entire network. </div>
</div>
<div class="p">
<div class="tablenoborder"><a name="seclvl__quickref"><!-- --></a><table cellpadding="4" cellspacing="0" summary="" id="seclvl__quickref" frame="border" border="1" rules="all"><caption>Table 2. Quick reference. Provides
details for the security level system value.</caption><thead align="left"><tr valign="bottom"><th valign="bottom" id="d0e244">iSeries Navigator name</th>
<th valign="bottom" id="d0e248">Security level</th>
</tr>
</thead>
<tbody><tr><td valign="top" headers="d0e244 ">Character-based interface name</td>
<td valign="top" headers="d0e248 ">QSECURITY</td>
</tr>
<tr><td valign="top" headers="d0e244 ">Authority</td>
<td valign="top" headers="d0e248 "><p>All object (*ALLOBJ)<br />
Security administrator (*SECADM)</p>
<div class="note"><span class="notetitle">Note:</span> The Security Officer (QSECOFR) user profile is shipped with
these authorities. </div>
</td>
</tr>
<tr><td valign="top" headers="d0e244 ">How to access</td>
<td valign="top" headers="d0e248 "><div class="p"><strong>iSeries Navigator</strong><ol><li>Expand <span class="menucascade"><span class="uicontrol">Security</span> > <span class="uicontrol">Policies</span></span>.</li>
<li>Right-click <span class="uicontrol">Security Policy</span> and select <span class="uicontrol">Properties</span>.</li>
<li>On the <span class="uicontrol">General</span> page, you will find the options
for security level.</li>
</ol>
</div>
<div class="p"><span class="uicontrol">Character-based interface</span><ol><li>In the character-based interface, type <samp class="codeph">WRKSYSVAL QSECURITY</samp>.</li>
</ol>
</div>
</td>
</tr>
<tr><td valign="top" headers="d0e244 ">Changes take effect</td>
<td valign="top" headers="d0e248 ">At next restart of the server</td>
</tr>
<tr><td valign="top" headers="d0e244 ">Default value</td>
<td valign="top" headers="d0e248 ">40 (Protect from undocumented system interfaces)</td>
</tr>
<tr><td valign="top" headers="d0e244 ">Recommended values</td>
<td valign="top" headers="d0e248 ">40 (Protect from undocumented system interfaces)</td>
</tr>
<tr><td valign="top" headers="d0e244 "><a href="rzamvlockdown.htm">Lockable</a></td>
<td valign="top" headers="d0e248 ">Yes</td>
</tr>
<tr><td valign="top" headers="d0e244 ">Special considerations</td>
<td valign="top" headers="d0e248 ">If you change from security level 10 to 20, 30, 40 or
50, you will not be able to change back to level 10. </td>
</tr>
</tbody>
</table>
</div>
</div>
<p>For more detailed information about this security value, see Chapter 3,
"Security System Values" in <a href="../books/sc415302.pdf" target="_blank">Security Reference</a>.</p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzamvgensecsysval.htm" title="General security system values provide the cornerstone for your security policy.">General security system values</a></div>
</div>
</div>
</body>
</html>