November 8, 2011 - Vol 1, Issue 3

Feature Article

Close the 'Open Pipe': Flush your Signon Server Credentials

By Dan Riehl

Most of us run IBM i Access for Windows. That's the newest name for what we used to call PC Support, Client Access and iSeries Access. You probably use the Personal Communications PC5250 emulation software to provide your workstation sessions. You may also use the IBM i Navigator (Operations Navigator, iSeries Navigator) portion of IBM i Access for Windows.

There are several IBM-supplied applications that are installed on your PC when you install IBM i Access for Windows. Included in these additional applications are the Remote Command facility, the ODBC Driver and various File Transfer programs and Service utilities. One critical piece of software that is installed is the command interface to Set or Flush the Signon Server cached User IDs and Passwords, which is the topic of our discussion here.

When you run IBM i Access functions on your PC that require communications with the host, you must first authenticate to the host. To accomplish this authentication, IBM provides the Signon Server GUI window where you provide your credentials (i.e. User ID and Password).

Once you have successfully authenticated, your PC provides an open pipe to access the IBM i without any further authentication. You can transfer files, run remote commands, examine spooled files, etc. So, do you flush your credentials when you leave your desk, or go home for the evening? Or do you leave the pipe wide open for anyone who happens to wander by your unattended workstation?

In this article, we'll examine how you can easily flush your Signon Server credentials cache, and thereby, achieve a higher level of protection for your sensitive data.


IBM i Security and Audit Resources

Security Videos from Securemyi.com

Security Training from the 400 School

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Security Workshop, Administration and Control Workshop presented by The 400 School, Inc





IBM i Security News Bytes

Linoma Software
Linoma Software releases the new White Paper, “DMZ Gateways: Secret Weapons in Network Security”. The White Paper helps explain the role a reverse proxy gateway plays in an effective DMZ network security strategy.


The 400 School, Inc. and SecureMyi.com
Live Online Security Workshop from The 400 School and SecureMyi.com
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i
Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class.




IBM i Security Calendar of Events

Nov 9 - RJS Special Security Lunch & Learn
Live at RJS Headquarters at Burnsville, MN
Or attend this event via the Live Webcast. (Register Here)


Jan 17-20 - The 400 School - Live Online Security Workshop


May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA







Featured YouTube Video

IBM i Security - The Hidden Security Configuration Options


Security Shorts - Auditing Newly Created Objects

The IBM i has excellent built-in auditing capabilities. You can audit various types of important events, you can audit object access, and you can audit access to IFS "objects". I have used the object auditing facilities quite heavily. But, the other day I was stumped. I was asked the question "How do you turn on auditing for newly created files and directories in the IFS?" I knew that there was a way to do this, but the method did not come readily to mind. After searching the web and performing quite a bit of testing, I now have the answer to that question. I hope that the information is helpful to you.

Auditing Newly Created QSYS.LIB Objects

The system value QCRTOBJAUD specifies the global default auditing level for newly created objects. The shipped value is *NONE, meaning newly created objects will not be audited at the global/system level. You can override the QCRTOBJAUD system value at the library level by specifying the CRTOBJAUD parameter of the CRTLIB (Create Library) and CHGLIB (Change Library) commands, as shown here.

CHGLIB LIB(MYLIB) CRTOBJAUD(*CHANGE)

When a library is created, the default value for the CRTOBJAUD parameter of CRTLIB is *SYSVAL, but it can be set as desired to *ALL, *CHANGE, *USRPRF, *NONE or *SYSVAL.

CRTLIB LIB(MYLIB)   .   . CRTOBJAUD(*CHANGE)

So, now, whenever a new object is created in MYLIB, the object's OBJAUD value will automatically be set to *CHANGE.
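
To confirm that the library-level default really takes effect, the following CL program is an added example (not part of the original newsletter). It sets CRTOBJAUD on MYLIB, creates a throwaway data area, and checks the OBJAUD value the new object received. The object name AUDTEST is a hypothetical placeholder, and the program assumes MYLIB already exists.

```cl
/* Added example: verify that new objects in MYLIB inherit the       */
/* library's CRTOBJAUD value. AUDTEST is a hypothetical test object. */
PGM
   DCL VAR(&AUDCTL) TYPE(*CHAR) LEN(50)
   DCL VAR(&LIBAUD) TYPE(*CHAR) LEN(10)
   DCL VAR(&OBJAUD) TYPE(*CHAR) LEN(10)
   DCL VAR(&I)      TYPE(*INT)  LEN(4)
   DCL VAR(&POS)    TYPE(*INT)  LEN(4)
   DCL VAR(&FOUND)  TYPE(*LGL)  VALUE('0')

   /* OBJAUD values only produce audit journal entries when the      */
   /* QAUDCTL system value includes *OBJAUD. QAUDCTL is returned as  */
   /* a list of 10-character entries, so scan each slot.             */
   RTVSYSVAL SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
   DOFOR VAR(&I) FROM(0) TO(4)
      CHGVAR VAR(&POS) VALUE(&I * 10 + 1)
      IF COND(%SST(&AUDCTL &POS 10) *EQ '*OBJAUD') +
         THEN(CHGVAR VAR(&FOUND) VALUE('1'))
   ENDDO
   IF COND(*NOT &FOUND) THEN(SNDPGMMSG +
      MSG('QAUDCTL lacks *OBJAUD: object access is not journaled'))

   /* Changing CRTOBJAUD requires *AUDIT special authority.          */
   CHGLIB LIB(MYLIB) CRTOBJAUD(*CHANGE)
   RTVLIBD LIB(MYLIB) CRTOBJAUD(&LIBAUD)

   /* Create a test object and read back the value it was given.     */
   CRTDTAARA DTAARA(MYLIB/AUDTEST) TYPE(*CHAR) LEN(1)
   RTVOBJD OBJ(MYLIB/AUDTEST) OBJTYPE(*DTAARA) OBJAUD(&OBJAUD)

   IF COND(&OBJAUD *EQ &LIBAUD) THEN(SNDPGMMSG +
      MSG('OK: new object OBJAUD is ' *CAT &OBJAUD))
   ELSE CMD(SNDPGMMSG +
      MSG('MISMATCH: library ' *CAT &LIBAUD *BCAT +
          'but object ' *CAT &OBJAUD))

   /* Remove the test object.                                        */
   DLTDTAARA DTAARA(MYLIB/AUDTEST)
ENDPGM
```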


Auditing Newly Created IFS "Objects"

The IFS /root file system is used to store various types of files, directories, folders and documents. Often sensitive data is stored there in MS/Excel spreadsheets, Word documents, images, audio, pdf reports, and many other types of files.

In addition to being the global setting for the QSYS.LIB file system, the system value QCRTOBJAUD is also the global setting applied to IFS directories. If you want to turn on auditing for all newly created IFS "objects", you set the system value QCRTOBJAUD as required to *ALL, *CHANGE or *USRPRF. Within the IFS, this global setting can be overridden at the directory level using the CHGATR (Change Attribute) command as shown here.

CHGATR OBJ('/home/myuser') ATR(*CRTOBJAUD) VALUE(*CHANGE)

If you want the *CRTOBJAUD auditing attribute to be applied to subdirectories also, include the SUBTREE(*ALL) option of the CHGATR command.

So, the key to managing auditing for newly created objects in the IFS is the QCRTOBJAUD System Value when used in conjunction with the CHGATR command. With the CHGATR command, you specify the *CRTOBJAUD attribute and corresponding value for the selected IFS directory, and the associated sub-directories.



Copyright 2011 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017