Can we rename the QSECOFR user ID? (Auditors' requirement)

Tags:
AS/400
OS/400
Software/Hardware used:
as400, cl400, v6r1,i750

Answer Wiki

I agree with Tom

In the meantime, where are they seeing the QSECOFR user profile?
You can create a new user profile with the same authorities as QSECOFR and use that instead of QSECOFR.

Generally auditors like QSECOFR and just want to know who knows the password and is authorized to use it.

Discuss This Question: 10  Replies

 
  • TomLiotta
    "Can we rename QSECOFR user id." No. Nor can you remove any of its authorities. "(Auditors requirement)" You need new auditors. They don't know how to audit your system if that's a "requirement". Tom
  • Rickmcd
    As a matter of fact, you cannot rename any user profiles. I agree with the rest of the comments. The best way to satisfy audit requirements for QSECOFR is to not use it and have it disabled, with the password secured in a secure environment with only the Security officer having access. Use a duplicate of QSECOFR as a different profile with the same authorities for the Security officer to use on a daily basis if needed.
  • WoodEngineer
    You can add another level of security to QSECOFR by this system value:
    System value . . . . . : QLMTSECOFR
    Description  . . . . . : Limit security officer device access
    I agree with Tom, you need new auditors - someone who better understands the iSeries.
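
Added example, not part of any reply in this thread: CL commands for the approach suggested above (a named profile with security officer authorities for daily use, QLMTSECOFR switched on, QSECOFR disabled). The profile name SECADMIN1, the device DSP01 and the initial password are placeholders, and a profile created this way gets the *SECOFR class special authorities but not QSECOFR's owned objects or private authorities.

```cl
/* Added example. SECADMIN1, DSP01 and INITIALPW1 are placeholders.   */

/* 1. Create the everyday security officer profile BEFORE touching    */
/*    QSECOFR. USRCLS(*SECOFR) with SPCAUT(*USRCLS) gives the special */
/*    authorities of that class, *IOSYSCFG included. PWDEXP(*YES)     */
/*    forces a password change at first sign-on.                      */
CRTUSRPRF USRPRF(SECADMIN1) PASSWORD(INITIALPW1) PWDEXP(*YES) +
          USRCLS(*SECOFR) SPCAUT(*USRCLS) +
          TEXT('Named security officer - daily use')

/* 2. Check that the profile is enabled and review its special        */
/*    authorities.                                                    */
DSPUSRPRF USRPRF(SECADMIN1) TYPE(*BASIC)

/* 3. Turn on QLMTSECOFR so that users with *ALLOBJ or *SERVICE can   */
/*    sign on only at devices they are explicitly authorized to,      */
/*    then authorize the named profile to its workstation.            */
CHGSYSVAL SYSVAL(QLMTSECOFR) VALUE('1')
GRTOBJAUT OBJ(DSP01) OBJTYPE(*DEVD) USER(SECADMIN1) AUT(*CHANGE)

/* 4. Only after a successful sign-on as SECADMIN1 at DSP01:          */
/*    disable QSECOFR. The profile stays on the system; it cannot be  */
/*    renamed.                                                        */
CHGUSRPRF USRPRF(QSECOFR) STATUS(*DISABLED)

/* 5. Evidence for the audit file.                                    */
DSPSYSVAL SYSVAL(QLMTSECOFR)
DSPUSRPRF USRPRF(QSECOFR) TYPE(*BASIC)
```
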
  • jinteik
    You will need QSECOFR to do some of the tasks on the AS/400. And nope, you cannot rename QSECOFR.
  • ITSTANLE
    Make sure you copy QSECOFR before you delete it. Remember, when you upgrade your operating software, it will come back.
  • Splat
    If you do delete QSECOFR, will you please post a brief description of what happens? It should make for an interesting cautionary tale.
  • ToddN2000
    BE CAREFUL whatever you do. One time we had the QSECOFR password changed before a long holiday weekend, and when operations got back on Monday they could not remember it. Three wrong tries later it was disabled and the device was varied off. As we did not have another profile with *IOSYSCFG authority, we were kind of dead in the water if a problem happened. We could not use the service tools to resolve the issue either. The resolution was a call to IBM, and after about 6 hours of their work we finally got it back. IBM set up a back door just in case it happens again. It shouldn't, as we have better methods for tracking password changes now.
  • TomLiotta
    "...will you please post a brief description of what happens?" I'd be most interested in the result of the next OS upgrade attempt. Especially the first needed step -- 'Sign on as QSECOFR'. Tom
  • Steven Spencer
    Hi, Why be hard on the auditors? Look at the good suggestions we got here to limit QSECOFR and to work around the question, using a less well known name for the actual master-power signon. The auditors likely simply felt that one vector of defense in the dual name-password defense system was missing. Very sensible. The IT pros here were very sharp, however they were a little unfair, or even arrogant, in attacking the auditor-messengers. My thoughts on the matter. Steven Spencer Bayside, NY
  • TomLiotta
    "Why be hard on the auditors?" Criticism of auditors is solely based on an assumption that it was in fact a "requirement". If it is a "requirement" to rename QSECOFR, which cannot be done, then it's clear evidence of a strong lack of understanding the platform. How can any audit be trusted if it can be demonstrated that the knowledge of the auditor is critically low? Even if it were only a recommendation, it still indicates a lack. If a platform is not understood, how can it be appropriately audited? How can an auditor's report be relied upon to flag true vulnerabilities?

    Security and compliance can be critical to the life of a business. By emphasizing elements that might be appropriate for Windows or Unix, the potential vulnerabilities in a System i-based site might be missed entirely. The result can be a site that is neither secure nor compliant. Auditors should not simply use a generic, platform-neutral checklist. That doesn't suit any platform that they might be contracted to review.

    External auditors are professionals, and as such can incur liabilities for their results. Internal auditors need not be professionals, but business executives who rely on them may be putting themselves at risk. Participants in this forum can have careers that are negatively impacted by faulty audits. These people are the ones who should be addressed by comments because that goes straight to the purpose of this site. Pointing out a flaw in an audit (that is, in a "requirement") in an emphatic manner might be the only method of generating some push-back that raises the level of knowledge.

    This platform has been around for almost a quarter of a century. Yet we still see one of the most fundamental elements radically misunderstood. Actually, "we" see a number of troubling elements. For a small sample see The State of IBM i Security Study 2010. As with most "white papers", it's a bit of a pain to request and it has a kind of advertising as an ulterior motive; but the numbers are accurate. {Disclaimer: I am employed by PowerTech and created many parts of the software that gathered the statistics. The white paper is recreated yearly using only data from those organizations that consent to being part of the aggregate numbers. Actual numbers may be "less encouraging" than those reported simply because most decline to be included even merely as part of an aggregate. You might be startled at some of the really wild ones.}

    When auditors offer unrealistic "requirements", who can blame those who are audited? Is a couple decades not long enough? Tom
