Here is your iSeries security tip for March, 2007 from SkyView
Partners, Inc., World Class i5/OS and OS/400 Security Experts.
Many of you do a fantastic job to making sure your data is backed
up regularly. Changes in the operating system the past few releases
have made that process even easier. My question is - are you also
backing up your security data? Answering this question takes an understanding
of where security data is stored.
Security Information Stored with the Object
Some security information is stored with the objects (those files,
libraries, directories, etc) themselves. The object's *PUBLIC authority,
owner and owner's authority, primary group and the primary group's
authority, the object's auditing value as well as the name of the
authorization list securing the object. When you save your files or
run the SAV command or save the non-system libraries, this is the
security information that is backed up.
Saving your Security Data
If you are only saving your objects you are missing several critical
pieces of security data. Running the Save Security Data (SAVSECDTA)
or Save the System (SAVSYS) command saves the rest of the security
information - that is, all user profiles, private authorities and
authorization lists.
How Often Should I Save my Security Data?
How often you perform a SAVSECDTA really depends on how often user
profiles are created, changed and removed from the system. You must
also consider how often private authorities are granted or removed
from individual objects and authorization lists and how often authorization
lists are created or deleted. For example, if you save your security
data at the beginning of the month and you have to recover your system
at the end of the month, how many user profiles will you have to re-create?
In addition, consider how many user profiles you've removed from the
system due to terminations or inactivity that are going to re-appear
once you restore the user profiles during the recovery process. After
looking through your organization's security activity, you may determine
that you need to save your security data more often. Finally, if you
are in the process of changing your security configuration - that
is, altering the *PUBLIC authority of objects, securing files with
authorization lists, removing users' excess special authorities, etc,
you are going to want to save your security data more often so that
you don't lose all of those important configuration updates.
Carol's Tech Tip
Just as you want to back-up your i5/OS security data on a regular
basis, you also want to take a look at your third-party vendor solutions
to determine if they need contain information that requires backup.
The SkyView products are certainly ones you want to consider in these
plans. The SKYVIEWPMD library contains the templates, compliance information,
message log and outq for the SkyView Policy Minder product. Obviously,
you don't want to lose any work you've invested in creating templates
or the reports that you've run in the past. To preserve these, you'll
want to add the SKYVIEWPMD library to your back-up schedule. In addition,
if you are required to retain past compliance reports and are using
the .PDF formats, you will want to back up the contents of the '/SKYVIEW/Policy
Minder' directory.
After saving the SKYVIEWPMD library, you may want to run the Purge
Message Log (PRGMSGLOG) command to keep the message log to a manageable
size. If your auditors or compliance officers require a report of
all product activity you can run the Print Message Log (PRTMSGLOG)
command before purging it.
Finally, for the SkyView's Risk Assessor product, you will want to
back up the SKYVIEWRAD library as well as the past reports found in
the '/SKYVIEW/Risk Assessor' directory.
Sincerely,
Carol Woodbury
SkyView Partners, Inc.
SkyView Partners Solutions
Carol Woodbury's
Risk
Assessor for i5/OS & OS/400:
is an i5/OS & OS/400 security diagnostic tool.
See Video
Introduction to Risk Assessor (4:08) With Risk Assessor you get
comprehensive, easy-to-understand, easy-to-produce and unbiased reports
that quite frankly no other product in the marketplace will produce.
Carol Woodbury's
Policy
Minder for i5/OS & OS/400:
is an i5/OS & OS/400 security compliance management tool.
See Video
Introduction to SkyView Policy Minder (4:22) With Policy Minder,
you take the time out of managing and fixing the implementation details
of your security policy, as well as taking the guesswork out of your
security compliance status.
