AS/400 auditing security

Tags:
AS/400
AS/400 security
Hi, everyone. How can I know if a user profile has authority to modify auditing security in AS/400?

Software/Hardware used:
AS/400


Discuss This Question: 8  Replies

 
  • TheRealRaven
    The user profile will have SPCAUT( *AUDIT ) as a minimum requirement.

    And on at least some systems, audit system values will be restricted from any changes at all; an SST or DST profile will be needed to unlock access. The SST/DST profile will need to be authorized to do the unlock action.
  • srithea

    @TheRealRaven

    What is an SST or DST profile?

  • srithea

    @TheRealRaven

    Does it mean that only those IBM-supplied user profiles and the user profile with *SERVICE special authority can deactivate the auditing service to make the modification and deletion possible?

  • TheRealRaven
    SST = System Service Tools, and DST = Dedicated Service Tools

    They are essentially unrelated to IBM supplied user profiles. They do require SPCAUT( *SERVICE ) to access, but they also require a different kind of 'profile' that is defined only within service tools and that has an unrelated password.
  • srithea

    @TheRealRaven

    Can you provide me any links for detailed information about this ("... different kind of 'profile' that is defined only within service tools...")? Because when I read the iSeries Security Reference, it only indicates some IBM-supplied DST profiles like QSECOFR, QSYS, 22222222, 11111111.

  • srithea
    To make it short, if a user profile doesn't have SPCAUT(*SERVICE), that profile can't unlock the audit action, right?
  • TheRealRaven
    "IBM-supplied DST profiles" are not the same as "IBM-supplied user profiles". A user profile is a *USRPRF object; an SST/DST profile is not. Try running this command:

    DSPUSRPRF USRPRF(22222222)
    It doesn't exist as a *USRPRF object and in fact can't exist since it's not a valid object name. (You could create a user profile that signs on as user 22222222.)

    The IBM-supplied DST profiles that you list are available by default on all new systems. In general, they should not be used except at IBM's direction. (However, the QSECOFR DST profile needs to be used initially to create local DST profiles. The local DST profiles would then be used by you and others to perform service actions.)

    And yes, without SPCAUT( *SERVICE ), a user cannot unlock audit system values. That's because unlocking can only be done inside service tools and SPCAUT( *SERVICE ) is required in order to enter service tools.
  • srithea

    Thank you very much.

    I have learned a lot from you.

    I'm not a system administrator or operator, but I wanna know particular parts of system security and review. And again, I really appreciate all your informative responses.

    Hope to see your response again in other parts of my AS400 question ^^

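Added example, not part of the thread and not any poster's code: one way to answer the original question for every profile at once, assuming an IBM i release that provides the QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES catalog views. It goes slightly beyond the thread by also counting special authorities a user picks up from group profiles. Service tools (SST/DST) user IDs are not *USRPRF objects, so they do not appear in these views.

```sql
-- Added example (not from the thread). Assumption: the QSYS2.USER_INFO and
-- QSYS2.GROUP_PROFILE_ENTRIES views exist on the release being reviewed.
-- Lists each profile that holds *AUDIT, directly or through a group profile,
-- and whether it also holds *SERVICE (required to enter service tools).
WITH own_aut AS (
    -- Special authorities granted on the profile itself
    SELECT AUTHORIZATION_NAME                AS PROFILE,
           0                                 AS FROM_GROUP,
           COALESCE(SPECIAL_AUTHORITIES, '') AS SPCAUT
    FROM QSYS2.USER_INFO
),
group_aut AS (
    -- Special authorities of every group the profile belongs to
    SELECT E.USER_PROFILE_NAME                 AS PROFILE,
           1                                   AS FROM_GROUP,
           COALESCE(G.SPECIAL_AUTHORITIES, '') AS SPCAUT
    FROM QSYS2.GROUP_PROFILE_ENTRIES E
    JOIN QSYS2.USER_INFO G
      ON G.AUTHORIZATION_NAME = E.GROUP_PROFILE_NAME
),
all_aut AS (
    SELECT PROFILE, FROM_GROUP, SPCAUT FROM own_aut
    UNION ALL
    SELECT PROFILE, FROM_GROUP, SPCAUT FROM group_aut
)
SELECT A.PROFILE,
       U.STATUS,
       MAX(CASE WHEN A.SPCAUT LIKE '%*AUDIT%'   THEN 1 ELSE 0 END) AS HAS_AUDIT,
       MAX(CASE WHEN A.SPCAUT LIKE '%*AUDIT%'
                 AND A.FROM_GROUP = 1           THEN 1 ELSE 0 END) AS AUDIT_VIA_GROUP,
       MAX(CASE WHEN A.SPCAUT LIKE '%*SERVICE%' THEN 1 ELSE 0 END) AS HAS_SERVICE
FROM all_aut A
JOIN QSYS2.USER_INFO U
  ON U.AUTHORIZATION_NAME = A.PROFILE
GROUP BY A.PROFILE, U.STATUS
HAVING MAX(CASE WHEN A.SPCAUT LIKE '%*AUDIT%' THEN 1 ELSE 0 END) = 1
ORDER BY A.PROFILE;
```

HAS_SERVICE = 1 only shows that the profile can enter service tools; unlocking the audit system values still depends on a separate service tools user ID, as described in the thread.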
