|
|
|
Are You Saving your Security Data?
by Carol Woodbury
Many of you do a fantastic job making sure your data is backed up regularly. Changes in the operating system the past few releases have made that process even easier. My question is - "Are you also backing up your security data?" Answering this question takes an understanding of where security data is stored.
Security Information Stored with the Object
Some security information is stored with the objects (files, libraries, directories, etc.) themselves. The objects' *PUBLIC authority, owner and owner's authority, primary group and the primary group's authority, the objects' auditing value as well as the name of the authorization list securing the objects. When you save your files or run the SAV command or save the non-system libraries, this is the security information that is backed up.
Saving your Security Data
If you are only saving your objects, then you are missing several critical pieces of security data. Running the Save Security Data (SAVSECDTA) or Save the System (SAVSYS) command saves the rest of the security information - that is, all user profiles, private authorities and authorization lists.
How Often Should I Save my Security Data?
How often you perform a SAVSECDTA really depends on how often user profiles are created, changed and removed from the system. You must also consider how often private authorities are granted or removed from individual objects and authorization lists and how often authorization lists are created or deleted. For example, if you save your security data at the beginning of the month, and you have to recover your system at the end of the month; then how many user profiles will you have to re-create? In addition, consider how many user profiles you've removed from the system due to terminations or inactivity that are going to re-appear once you restore the user profiles during the recovery process. After looking through your organization's security activity, you may determine that you need to save your security data more often.
Finally, if you are in the process of changing your security configuration - that is, altering the *PUBLIC authority of objects, securing files with authorization lists, removing users' excess special authorities, etc.; then you are going to want to save your security data more often, so that you don't lose all of those important configuration updates. |
| Carol's Tech Tip
Just as you want to back-up your i5/OS security data on a regular basis, you also want to take a look at your third-party vendor solutions to determine if they contain information that requires backup. The SkyView products are certainly ones you want to consider in these plans. The SKYVIEWPMD library contains the templates, compliance information, message log and outq for the SkyView Policy Minder product. Obviously, you don't want to lose any work you've invested in creating templates or the reports that you've run in the past. To preserve these, you'll want to add the SKYVIEWPMD library to your back-up schedule. In addition, if you are required to retain past compliance reports and are using the .PDF formats, you will want to back up the contents of the '/SKYVIEW/Policy Minder' directory.
After saving the SKYVIEWPMD library, you may want to run the Purge Message Log (PRGMSGLOG) command to keep the message log to a manageable size. If your auditors or compliance officers require a report of all product activity you can run the Print Message Log (PRTMSGLOG) command before purging it.
Finally, for the SkyView Risk Assessor product, you will want to back up the SKYVIEWRAD library as well as the past reports found in the '/SKYVIEW/Risk Assessor' directory.
|
|
|
|
About Carol Woodbury
Carol spent 16 years with IBM in Rochester, MN. She served for more than 10 years as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. During this time Carol provided security architecture and design consultations with IBM Business Partners and large AS/400 customers. She is known worldwide as an author and speaker on security technology, specializing in OS/400 and i5/OS security issues. Carol co-authored the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has written numerous articles on security and is a technical editor for the IBM Systems Magazine. Carol is also a subject matter expert on security for COMMON, security author for Experts Journal, contributing author on security for System iNEWS and MC Press Online and the security expert for search400.
| |
