Keeping track of how user profiles get created is certainly no fun and definitely difficult at times, but it's required to maintain compliance with your security policy and to keep your auditors happy. SkyView Policy Minder for OS/400 and i5/OS can ease the burden of tracking the details of how profiles have been created. One feature of this new product is the ability to create user profile "templates." These templates allow you to define the profile configuration criteria that you are interested in when it comes to managing compliance. Let's look at some examples.
Identifying Inactive Profiles and Documenting the Exceptions
One area that is often difficult for administrators to manage is identifying inactive profiles (profiles that are no longer in use). Difficulty is compounded when HR has no formal process for notifying IT when someone leaves the organization. Profiles accumulate on the system and provide access points to the system that can lead to system exploitation. Policy Minder provides an easy way to discover the inactive profiles on your system so you can deal with them in a timely manner. Simply create a user profile template that includes all profiles on the system and specify the exact inactivity period (e.g., 30 or 45 days) required by your policy. Running a compliance check on this template every day will provide you with a list of profiles that have gone "inactive" as defined in your security policy. With this list, you can quickly remove these profiles and avoid having your auditors find them on your system.
But what about those profiles that are always inactive? You know which ones--the IBM-supplied profiles, group profiles, profiles that own applications, and profiles that come with vendor products. These profiles are always included in the list of inactive profiles because they are never used to sign on or to run jobs. To avoid this, simply specify that you want to omit these profiles from being included in the template, and they will no longer appear in the list. Then, you will have an accurate list of inactive profiles you need to take action on. In addition to making this task easier by simplifying the list, omitting the always-inactive profiles from the template will be documented in your policy. So it will be easy to show an auditor that you have accepted the business risk of allowing these particular profiles on your system. This tells your auditor that you understand the profiles on your system and have taken steps to easily and efficiently handle the profiles that are truly inactive.
Managing the Number of Profiles with *ALLOBJ Special Authority
Your policy may allow you to have only 10 non-IBM profiles with *ALLOBJ special authority on the system. You can easily define a template that includes all profiles but excludes IBM profiles so that they are not included in the count. Once the template is created, run a compliance check. Policy Minder will list the profiles having *ALLOBJ--skipping the IBM profiles--and let you know at a glance whether you've exceeded your limit. This compliance check is easily scheduled in your favorite job scheduler to run at whatever frequency satisfies your business requirements.
Monitoring How Profiles with *ALLOBJ are Created and Configured
In addition to specifying how many profiles with *ALLOBJ can be on the system, many auditors require that powerful profiles--profiles with at least *ALLOBJ special authority--have unique configuration requirements, such as these:
- These users must change their passwords more frequently than the rest of the user community.
- Command string (*CMD) auditing must be turned on (meaning that any command these users enter is logged in the OS/400 audit journal).
- The profiles' passwords cannot be a default password (the password cannot be the same as the user profile name).
Auditors and security professionals alike believe that these are good security practices. To ensure your *ALLOBJ profiles are created with these configuration settings, create a Policy Minder template that includes all profiles with *ALLOBJ--again, skipping the IBM-supplied profiles--and run a compliance check. You can see at a glance whether your powerful profiles are in compliance. If there are profiles out of compliance, you can enable the Policy Minder FixIt function to "fix" (or change) your profiles to match the settings defined in your *ALLOBJ user profile policy.
These are just a few examples of managing security compliance as it applies to user profiles. What about library and object authorities, directory authorities, authorization lists, and all the other details? SkyView's Policy Minder for OS/400 and i5/OS can help you with these as well. To find out what other details you should be concerned about when it comes to security compliance management, click here. And check out SkyView's other offerings in the MC Showcase Buyer's Guide.
Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing in security compliance management and assessment software as well as security services. Carol is the former chief security architect for AS/400 for IBM in Rochester, Minnesota, and has specialized in security architecture, design, and consulting for more than 15 years. Carol speaks around the world on a variety of security topics and is coauthor of the book Experts' Guide to OS/400 and i5/OS Security.
Carol Woodbury is IBM i Security SME and Senior Advisor to Kisco Systems, a firm focused on providing IBM i security solutions. Carol has over 30 years’ experience with IBM i security, starting her career as Security Team Leader and Chief Engineering Manager for iSeries Security at IBM in Rochester, MN. Since leaving IBM, she has co-founded two companies: SkyView Partners and DXR Security. Her practical experience and her intimate knowledge of the system combine for a unique viewpoint and experience level that cannot be matched.
Carol is known worldwide as an author and award-winning speaker on security technology, specializing in IBM i security topics. She has written seven books on IBM i security, including her two current books, IBM i Security Administration and Compliance, 3rd Edition and Mastering IBM i Security, A Modern, Step-by-Step Approach. Carol has been named an IBM Champion since 2018 and holds her CISSP and CRISC security certifications.
MC Press books written by Carol Woodbury available now on the MC Press Bookstore.
 |
||
 |
|
IBM i Security Administration and Compliance: Third Edition Don't miss the newest edition by the industry’s #1 IBM i security expert. List Price $71.95 Now On Sale
|
 |
|
Mastering IBM i Security Get the must-have guide by the industry’s #1 security authority. List Price $49.95 Now On Sale
|
Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.
IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn:
LATEST COMMENTS
MC Press Online