Checklists for security auditing

Use this checklist to plan and audit system security.

As you plan security, choose the items from the list that meet your security requirements. When you audit the security of your system, use the list to evaluate the controls you have in place and to determine if additional controls are needed. The list contains brief descriptions of how to do each item and how to monitor that it has been done.

Table 1. Security Auditing Planning Form
Security Auditing Planning Form
Prepared by: Date:
Monitoring physical security:
Is backup media protected from damage and theft?  
Is access to workstations in public areas restricted? Use the DSPOBJAUT command to see who has *CHANGE authority to the workstations.  
Monitoring system values:
Verify that the settings for system values match your System Values Selection form. Use the Print System Security Attributes (PRTSYSSECA) command.  
Review your decisions about system values, particularly when you install new applications. Have any system values changed?  
Monitoring group profiles:  
Verify that group profiles have no passwords. Use the DSPAUTUSR command to verify that all group profiles have a password of *NONE.  
Verify that the correct people are members of the group. Use the DSPUSRPRF command with the *GRPMBR option to list the members of a group.  
Check the special authorities for each group profile. Use the DSPUSRPRF command. If you are running at security level 30, 40, or 50, group profiles should not have *ALLOBJ authority.  
Monitoring user profiles:
Verify that user profiles on the system belong to one of these categories:
  • User profiles for current employees
  • Group profiles
  • Application owner profiles
  • IBM-supplied profiles (start with Q)
 
Remove their user profile when the company transfers a user or when a user leaves the company. Use the Change Expiration Schedule Entry (CHGEXPSCDE) command to automatically delete or disable the profile as soon as the user leaves.  
Look for inactive profiles and remove them. Use the Analyze Profile Activity (ANZPRFACT) command to automatically disable profiles after they have been inactive for a certain time.  
Determine which users have a password that is the same as their user profile name. Use the Analyze Default Passwords (ANZDFTPWD) command. Use the option of this command to force users to change their passwords the next time they sign on to the system.
Attention: Do not remove any IBM-supplied profiles from the system. IBM-supplied profiles start with the character Q.
 
Be aware of who has a user class other than *USER and why. Use the Print User Profile (PRTUSRPRF) command to get a list of all users, their user class, and their special authorities. Match this information with your System Responsibilities form.  
Control which user profiles have the Limit capabilities field set to *NO.  
Monitoring critical objects:
Review who has access to critical objects. Use the Print Private Authorities (PRTPVTAUT) command and the Print Publicly Authorized Objects (PRTPUBAUT) command to monitor objects. If a group has access, verify the members of the group with the *GRPMBR option of the DSPUSRPRF command.  
Verify who can use application programs that provide access to objects through another security method, such as adopted authority. Use the Print Adopting Objects (PRTADPOBJ) command.  
Monitoring unauthorized access:
Instruct system operators to be alert for security messages in the QSYSOPR message queue. In particular, have them notify a security officer of repeated unsuccessful attempts to sign on. Security messages are in the range of 2200 to 22FF and 4A00 to 4AFF. They have prefixes CPF, CPI, CPC, and CPD.  
Set up security auditing to log unauthorized attempts to access objects.  

For additional information on using the security auditing checklist, see Chapter 9 of the iSeries™ Security Reference.