
Locked system values

In document IBM System i Security Guide (Page 73-76)

If you decide to lock the security related system values, a user is prevented from changing the following values:

– Default auditing for newly created objects, QCRTOBJAUD
– Number of journal entries written to the security audit journal before the entry data is forced to auxiliary storage, QAUDFRCLVL

• Device system values
– Local controllers and devices, QAUTOCFG
– Pass-through devices and Telnet, QAUTOVRT
– Action to take when a device error occurs, QDEVRCYACN
– Remote controllers and devices, QAUTORMT

• Jobs system values
– Time-out interval, QDSCJOBITV
– When a job reaches time-out, QINACTMSGQ
– Allow jobs to be interrupted to run user-defined exit programs, QALWJOBITP

– Require a new character in each position, QPWDPOSDIF
– Require at least one digit, QPWDRQDDGT
– Password reuse cycle, QPWDRQDDIF
– Password validation program, QPWDVLDPGM

• Messages and service system values
– Allow remote service of system, QRMTSRVATR

• Restore system values
– Verify object signatures on restore, QVFYOBJRST
– Convert objects during restore, QFRCCVNRST
– Allow restore of security sensitive objects, QALWOBJRST

• Security system values
– Security level, QSECURITY
– Allow system security information to be retained, QRETSVRSEC
– Users who can work with programs with adopted authority, QUSEADPAUT
– Default authority for newly created objects in QSYS.LIB file system, QCRTAUT
– Allow use of shared or mapped memory with write capability, QSHRMEMCTL
– Allow user domain objects in libraries, QALWUSRDMN
– Scan a file system, QSCANFS
– Scan file system control, QSCANFSCTL

• Sign-on system values
– Use pass-through or Telnet for remote sign-on, QRMTSIGN
– Display sign-on information, QDSPSGNINF
– Restrict privileged users to specific device session, QLMTSECOFR
– Limit each user to one device session, QLMTDEVSSN
– Maximum incorrect sign-on attempts, QMAXSIGN
– Action when maximum is reached, QMAXSGNACN

4.1.4 Network attributes

Network attributes control how your system participates, or chooses not to participate, in a network with other systems. You can read more about network attributes in iSeries Security Reference, SC41-5302.

i5/OS has a set of security-based network attributes. Only the i5/OS CL commands of Display Network Attributes (DSPNETA) and Change Network Attributes (CHGNETA) can directly access these attributes. Many of these attribute values are for a Systems Network Architecture (SNA)-based network.

Security-related network attributes that also apply to a TCP/IP-based network include:

• Job action (JOBACN): Specifies how your system processes incoming requests to run jobs

• DDM/DRDA request access (DDMACC): Specifies the security options when a remote system requests access to a file on the local system

• Client Access Express request (PCSACC): Specifies the security options when a remote client workstation requests access to the local system

• Allow Add To Cluster (ALWADDCLU): Specifies whether this system may be added to a System i cluster definition; clustering is used to enhance application availability

How you set these network attributes depends on your security policy. If you do not have a security policy, you do not know the rules with which you must comply.
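As an added example for this section (not code from the Redbook), the CL program below reads a few of the security-related system values and network attributes listed above with RTVSYSVAL and RTVNETA and reports any that deviate from an assumed hardening baseline. The declared variable lengths and the baseline values are assumptions to confirm against the security reference for your release.

```cl
/* CHKSECVAL: report security-related system values and network    */
/* attributes that deviate from an assumed hardening baseline.     */
/* Added example, not code from the IBM Redbook. Assumed return    */
/* lengths (confirm for your release): QSECURITY CHAR(2),          */
/* QMAXSIGN CHAR(6), JOBACN and ALWADDCLU CHAR(10).                */
PGM
  DCL VAR(&SECLVL)  TYPE(*CHAR) LEN(2)
  DCL VAR(&MAXSIGN) TYPE(*CHAR) LEN(6)
  DCL VAR(&JOBACN)  TYPE(*CHAR) LEN(10)
  DCL VAR(&ALWCLU)  TYPE(*CHAR) LEN(10)
  DCL VAR(&FAILS)   TYPE(*DEC)  LEN(3 0) VALUE(0)

  /* Read only; a value locked in SST cannot be changed by CHGSYSVAL */
  RTVSYSVAL SYSVAL(QSECURITY) RTNVAR(&SECLVL)
  RTVSYSVAL SYSVAL(QMAXSIGN)  RTNVAR(&MAXSIGN)
  RTVNETA   JOBACN(&JOBACN) ALWADDCLU(&ALWCLU)

  /* Assumed baseline: level 40 or higher, a finite sign-on limit,  */
  /* incoming job requests rejected, and no cluster membership.     */
  IF COND(&SECLVL *LT '40') THEN(DO)
    SNDPGMMSG MSG('QSECURITY =' *BCAT &SECLVL *BCAT '(expect 40 or 50)') +
              TOPGMQ(*EXT)
    CHGVAR VAR(&FAILS) VALUE(&FAILS + 1)
  ENDDO
  IF COND(&MAXSIGN *EQ '*NOMAX') THEN(DO)
    SNDPGMMSG MSG('QMAXSIGN = *NOMAX (no sign-on attempt limit)') +
              TOPGMQ(*EXT)
    CHGVAR VAR(&FAILS) VALUE(&FAILS + 1)
  ENDDO
  IF COND(&JOBACN *NE '*REJECT') THEN(DO)
    SNDPGMMSG MSG('JOBACN =' *BCAT &JOBACN *BCAT '(expect *REJECT)') +
              TOPGMQ(*EXT)
    CHGVAR VAR(&FAILS) VALUE(&FAILS + 1)
  ENDDO
  IF COND(&ALWCLU *NE '*NONE') THEN(DO)
    SNDPGMMSG MSG('ALWADDCLU =' *BCAT &ALWCLU *BCAT '(expect *NONE)') +
              TOPGMQ(*EXT)
    CHGVAR VAR(&FAILS) VALUE(&FAILS + 1)
  ENDDO

  /* Escape so a scheduled run of this check ends abnormally when   */
  /* any deviation was found and the deviations are noticed.        */
  IF COND(&FAILS *GT 0) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
     MSGDTA('Security baseline check found deviations') MSGTYPE(*ESCAPE))
ENDPGM
```

Compile it with CRTCLPGM and run it interactively or from the job scheduler; every deviation is sent to the external message queue before the escape message.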

4.1.5 Work management elements

Work management elements determine how work enters the system and the environment on which the work runs. In the following sections, we describe the work management elements:

Work management supports the commands and operating system functions that are necessary to control system operations and the daily workload on the system. All the work done on the system is submitted through the work management functions. When i5/OS is installed, it includes a work management environment that supports interactive, batch, and communications jobs. The operating system can be tailored to create an individual, user-defined work management environment.

For complete information about work management topics, see the iSeries Information Center at the following Web address and select the path Systems management → Work management → Concepts:

http://publib.boulder.ibm.com/infocenter/iseries/v5r4/index.jsp

Jobs

The System i platform uses the term job to refer to your terminal session as well as any batch jobs or system jobs that may be running on the system. Five types of jobs are relevant to security:

• Interactive job: An interactive job is started when a user signs on to a terminal session. The terminal session itself is called an interactive job. The user is identified to the system with a user profile, and the authentication is tested through password checking.

• Batch job: Several methods exist for submitting batch jobs and for specifying the objects used by the job. Authority is checked for the user profile and objects that are needed to run the batch job.

• Communications job: A communications job is started when another system issues a request over a communications line. Many techniques are available to control the attachment of a proper user profile to that job.

• Autostart job: The autostart job is started automatically when a subsystem is started. It requires a job description to identify the user profile for the job. An autostart job can be used to perform some operations on a routine basis.

• Prestart job: You can use prestart job entries to make a subsystem ready for certain kinds of jobs so that the jobs start more quickly. Prestart jobs may start when the subsystem starts or when they are needed. Make sure that prestart job entries perform only authorized, intended functions.
