Following was contributed to AuditNet LLC by (Rey LeClerc) rey@mass-usa.

net AS400 Audit Program OBJECTIVES: To ensure that adequate security procedures have been established over the production control mechanism of AS/400 Note: This audit program addresses AS/400 version 3.0. The audit location's version and release of AS/400 should be determined prior to performing the audit steps below. This is verified by entering the following CL command: Go LICPGM; and select Option 10. If another version and/or release as AS/400 is being used, ascertain whether any substantial changes have been made that may affect these audit procedures. Make sure that these changes are addressed in the audit program and note them here, accordingly. A User-ID with either *ALLOBJ, *SECADM special authority or through program adoption (that has these authorities) is necessary to perform the AS/400 commands used in this audit program. 1. Security Environment a. Through discussion and review of the system, determine the level of security, network security, and the security architecture (e.g., Menu, Resource security or a combination of ) installed at this location. The active security level can be displayed by running the display system value CL command: DSPSYSVAL SYSVAL(QSECURITY) - If the security level is set to 10 (no security), ignore all audit steps. - If the security level is set to 20 (sign-on security only), perform audit steps # 1,2,4,5 and 6. - If the security level is set to 30 (sign-on and resource security), perform the audit steps listed below. The network security attributes can be displayed by running the display network attribute CL command: DSPNETA OUTPUT (*PRINT) 2. User Profiles Obtain a listing of all profiles listed on the system and perform the following audit steps: Abbreviated Listing: DSPAUTUSR SEQ(*GRPPRF) This CL command will list all user profiles and whether or not they belong to a group. Full Listing: DSPUSRPRF USRPRF(user-id) TYPE(*ALL) OUTPUT(*PRINT) DSPOBJD OBJ(*ALL) OBJTYPE(*USRPRF) OUTPUT(*PRINT) These CL commands will list the complete user profile and its job description.

a. Ascertain whether or not Menu Security is active for all users. - Review all profiles and ascertain that initial programs are specified and user capabilities have been limited (i.e. *LMTCPB). On a test basis, ascertain that the menu(s) does not include a command functions; and the user cannot break out of their predefined menu(s) via the ATTN key. Note: The standard commands, that a "limited capability" users are restricted to, can be changed by the QSECOFR user. Commands can either be removed or granted to the user. This is accomplished by using the ALWLMTUSR parameter of the CHGCMD CL command. b. Ensure that powerful user classes and special authorities are granted on a need-to-know basis. Specifically: User Classes *SECOFR *SECADM *PGMR *SYSOPR - Security Officer - Security Administrator Programmer - System Operator'

Special Authorities *ALLOBJ - Allows unlimited access to almost all objects *SECADM - Grants user profile administration rights. *SAVSYS - Allows system wide save and restore functions for all objects in the systems. *JOBCTL - Grants operator capabilities such as queue manipulation, general control over jobs, subsystems, IPL, etc. *SERVICE - Allows a user to perform service functions such as storage display, alter, and dump. *SPLCTL - Grants unlimited control over spool files, even for queues specified with OPRCTL(*NO) c. Ensure that password values for the IBM supplied profiles have been changed from their original (published) values. For example: IDs QSECOFR QPGMR QUSER QSYSOPR QSRVBAS QSRV Password QSECOFR QPGMR QUSER QSYSOPR QSRVBAS QSRV

d. Review the AS/400 sign-on security values and ascertain that the selected values provide adequate sign-on control. List system sign-on values by using the CL Display System Value command: DSPSYSVAL SYSVAL (name-of-value) To perform this test, complete the following: - List and review the AS/400 global system sign-on profile defined values. - Compare these global system sign-on values to values to the user the user profile

defined values. Please take note that there are some global system sign-on values that can be further tailored at the user level via the user profile parameter (e.g. Password expiration). Note: Perform this test for systems that are at level 20 and above only. Specifically, QPWEXPITV Controls the maximum number of days a password is valid. QMAXSIGN- Controls the maximum number of invalid sign-on attempts permitted (for both local and remote) by the system. QPWDMINLEN Controls the minimum length of a password. QPWDLMTREP Limits repeating characters in a new password. QPWDRQDDIF Specifies if the password must be different than the last 32 previous passwords. QRMTSIGN Controls automatic sign-on from a remote system. QLMTDEVSSN Controls if a user can be signed on to more than one terminal at any given time. QINACTIV Establish the terminal inactive time-out threshold.

QUATOVRT Specifies whether or not the AS/400 will create virtual device description for incoming sessions from the AS/400 pass-through facilities. For other sign-on related system value, refer to the AS/400 Security Concepts and Planning Guide. e. If group profiles are being used, ascertain that the group profile password parameter is set to *NONE. By having the password parameter set as such, it prevents users from signing on to the group profile, thus maintaining individual accountability at login. Additionally, evaluate each group profile and ensure that group definition consist of users with common access needs. 3. Resource Security Libraries and User Files Note: vAll objects (e.g., libraries, programs, data commands, etc.) on the system must belong in libraries. vWhen reviewing access to production objects and ways of bypassing existing access controls, the auditor should take into consideration 1) the established library list and 2) if the location uses authorization lists. The AS/400 uses the library list (system and user portion) for locating objects that have been specified without a library name. To list the complete library list (system and user), use the Display library list CL command: DSPLIBL The Authorization list is a provided AS/400 facility for protecting objects (files, programs, commands, output, queues, etc.). Please refer to the

in-house AS/400 security Tool document for details on the AS/400 authorization search order. To display all authorization lists, on the system, use the Display Object description CL command: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE(*AUTL) a. Through discussion and observation, obtain an understanding on the level of resource security being used at this location (e.g., library only, library and member, display station security, adoption, authorization list, etc.) Obtain a listing of all libraries in the system using the CL Command Display Object Description: DSPOBJD (*ALL) OBJTYPE (*LIB)OUTPUT (*PRINT) This listing should agree with the auditor's understanding of how the system is structured and provides the entire population of libraries from which to perform the following audit tests: b. Determine whether library level security is in effect (if so, object authority should be consistent with the user's organizational responsibility). For those libraries used in production (i.e. system and applications) and others identified for review (see In-charge), ascertain that access to these object is granted on a need-to-know basis. To obtain a listing of authorized users of an object, use the Display Object Authority and Authorization List Display CL command (refer to the Authorization list note above); DSPOBJAUT library name OBJTYPE(*LIB) OUTPUT (*PRINT) c. If library level security is not in effect or there appears to be a weakness, review file level security by performing the following: vObtain a listing of library contents by using CL command: DSPLIB library-name OUTPUT(*PRINT) Select critical files (sensitive data, system and application security, user master files, programs, etc.) and ascertain that access controls over these files are adequate. To display the authorized access list, the Display Object Authority CL command: DSPOBJAUT file-name OBJTYPE(*FILE) OUTPUT (*PRINT). As previously noted, these authorities should be consistent with the user's origination responsibilities. Commands iii. Ascertain that the use of key commands is restricted. To display the authorized access list, use the Display Object Authority CL command: DSPOBJAUT command-name OBJTYPE(*CMD) OUTPUT (*LIST) Key AS/400 Commands a. CRTUSRPRF - Create User Profile

b. CHGUSRPRF

- Change User Profile

Note: Only QSECOFR and user(s) with *SECADM special authority can create or change user profiles) c. d. e. f. g. DSPAUTUSR DLTUSRPRF DSPUSRPRF RSTUSRPRF GRTUSRAUT - Display Authorized Users - Delete User Profile - Display User Profile - Restore User Profile - Grant User Authority

Note: For commands c-g, *PUBLIC refers to the following users: vOwner of that user profile. vUser(s) with *ALLOBJ special authority vAuthorized users of that user profile (to determine this use the CL command: DSPOBJAUT user-profile OBJTYPE (*USRPRF). h. i. j. k. l. m. n. CHGOBJOWN - Change Object Owner DSPOBJAUT - Display Object Authority GRTOBJAUT - Grant Object Authority RVKOBJAUT - Revoke Object Authority RSTAUT - Restore Authority EDTOBJAUT - Edit Object Authority TRFCTL - Transfer Control

Note: For commands h-n, *PUBLIC refers to the following users: vOwner of that object. vUser(s) with *ALLOBJ special authority vAuthorized users to that object (use the CL command: DSPOBJAUT object OBJTYPE(*lib/*pgm/*file/*cmd, etc.) o. p. q. r. CHGSYSVAL - Change System Value RTVSYSVAL - Retrieve System Value CHGSYSLIBL - Change System Library List ADDLIBLE - Add Library List Entry

Note: For commands o-r, *PUBLIC refers to all users. Special attention should be given to CHGSYSVAL as it allows authorized users to change all system values (including QMAXSIGN, QSECURITY, etc.) and takes effect at the next system IPL. iv. Repeat audit step iii for the commands in the System 38 library QSYS38. To display the user authorization list, use the Display Object Authority CL command: DSPOBJAUT OBJ(QSYS38/command) OBJTYPE (*CMD) v. PROGRAM ADOPTION Program adoption allows a user who is otherwise not authorized to a particular library/file to run a program which adopts an authorized user's capability and gain access to that library/file. Note: If the user modifies and recompiles the program, then the program's adopted capabilities are lost and will run under the new owner's capabilities. Adding an entry in the program's library list, however, does not require program compilation. Use the CL command:

To generate a list of programs that adopt powerful user capabilities, use the display program adoption command: DSPPGMADP USRPRF (name of the user profile e.g. *QSECOFR< *QPGRM) or any critical/broad access logon-ids. 2. From these listings, select programs which perform powerful/sensitive functions. Determine if a library list is used. If so, determine the libraries where these programs resided and ascertain that access to these libraries and programs is adequately controlled. To display user authorization list, use the Display Object Authority CL command: DSPOBJAUT OBJ(lib-name) OBJTYPE(*LIB) 4. NETWORK SECURITY Review the AS400 system network related system values (refer to audit step #1 DSPENTA) and ascertain that they have been set to provide an appropriate level of security, and control for all access to the system. Specific network system values to consider are: a. Network Job Action Attributes v*JOBACN - Specifies how the AS/400 system processes incoming requests from a remote system, e.g. *JOBACN, *REJECT, *FILE. If the *JOBACN is set to *Search, run Work with Network Job Entries CL command to display all network job table entries: WRKNETJOBE Review the following key parameter setting: User-ID Identifies the send of the job. (*ANY means any external user). Address Location of the sender. Action * Reject (job rejected) * File (job is filed for; manual intervention) * Submit (job runs). User The name of the user whose authority will be used to run the job. b. PC Support Access Attributes v *PCSACC - Specifies how the AS/400 system processes requests from attached personal computer. *Reject - Rejects all accesses. *OBJAUT - Access to the objects is determined by authority/privileges of the user profile that the user has used to sign on to the receiving machine. Access to the objects is determined by authority/privilieges of the user profile that the user has used to sign on to the receiving machine. User-Written Exit Program - The user exit program will determine if the requester of the PC support function is allowed to perform the function and what data the user can access.

c. Distributed Data Management Attributes *Reject - The system does not allow any DDM requests from remote systems. *OBJAUT - Access to the objects is determined by authority/privileges of the user profile that the user has used to sign on to the receiving machine. Qualified-program-name - Specifies the name of the user exit-written program that provides additional security to AS/400 object-level security. Review the network configuration and determine if dial-up lines are active on the system. If so, ascertain that access to the system is restricted to authorized users and that the facilities are available only during normal business hours. Note: If facilities are needed outside of normal business hours; identify, document, and evaluate the controls over the dial-up lines/facility. 5. DATA SECURITY ADMINISTRATION Establish that the responsibility of data security administration (QSECOFR, QSECADM, or users with *SECADM special authorities) has been assigned to an appropriate individual. Perform the following compliance test: a. Identify the procedures followed when someone requests a new logon-id. Establish how the new user's privilege levels are set and determine the extent to which there is individual accountability for logon-ids. b. Identify the procedures followed when someone requests a new logon-id. Establish how the new user's privilege levels are set and determine the extent to which there is individual accountability for logon-ids. c. Verify that an automated security log is maintained by the system. Determine what kind of violations, (e.g. improper password, attempt to access an unauthorized function, etc.) are listed in the log. Ensure that management reviews and investigates all unauthorized activity on a timely basis. To determine what types of security related activities the system is monitoring, use the Display System Value and Display LOG CL commands: DSPSYSVAL SYSVAL (QAUDLVL) (This display provides the auditing level installed at this location). DSPLOG (This command displays the system log (QHST), which logs all system activities including sign-on and object authority violations) d. Identify any formal or informal procedures used to notify the MIS Department of Employee Transfers or Terminations. Obtain a listing from Human Resource Dept.. of recent user transfers and terminations (minimum of 3 months). Compare the RH list to the User profiles on the system and ascertain that the system list reflects the current work status of all system users. 6. PHYSICAL SECURITY

Determine where the AS400 master console is located. If the area is unsecured, physically inspect and ascertain that the security keylock switch is set to either "Secure" or the "Auto" position, the key removed and kept in a secured area. 7. AS/400 Authorization Search Order Note: This is the search order for authorization. It assumes the user is requesting access to a particular object. a. Does the user have *ALLOBJ special authority? b. Does the user have specific authority for the object (in the user's profile)? ("Basic authorization") c. Is the user on the authorization list (if any) associated with the object? ("List authorization") d. Does the user's group (if any) have *ALLOBJ authority? e. Does the user's group (if any) have specific authority for the object (in the group's profile)? ("Basic authorization") f. Is the user's group (if any) on the authorization list (if any) associated with the object? ("List authorization") g. Does the Public authority for the object meet the user's need? h. Does the Public authority listed in the authorization list (if any) associated with the object meet the user's need? (This last check occurs only if the object's Public authority is *AUTL.) 8. Authorization List The Authorization list is a provided AS/400 facility for protecting objects (files, programs, commands, output queues, etc.). Please refer to the in-house AS/400 security Tool document for details on the AS/400 authorization search order. To display all authorization lists on the system, use the Display Object description CL command: DSPOBJD OBJ(QSYS/*ALL) OBJTYPE (*AUTL)