AS400 REVIEW

AUDIT WORK PROGRAM

PROJECT TEAM (LIST MEMBERS)

Project Timing Date Comments
Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES

Time Project Work Step Initial Index

DEFINITION AND COMMUNICATION OF RESPONSIBILITIES

If not provided with IT background data, request an IT organization

chart.
Review the functions of all individuals with the IT manager:
To determine whether IT employees have functions in other
departments
To identify the security officer and operators
Inquire as to whom the IT manager reports to and whether he is
satisfied with the level of authority.
Inquire as to the level of supervision over IT employees.

Inquire as to whether formal policies and procedures exist in IT and

whether there are formal hiring guidelines in the department. Obtain
a copy of the policies and procedures.

Obtain an understanding of the major changes that have taken place

in the current year as well as those planned in the next year.

Inquire as to the existence and function of the IT steering committee.

Source: www.knowledgeleader.com 1
 Time Project Work Step Initial Index

MODIFICATIONS TO APPLICATION PROGRAMS

Review the process for modifications and support in relation to the

following controls:
User requests and approvals (and filing)
Classification of requests
Modifications planning (timetable)
Follow-up on outstanding requests/log
User involvement/layout approval during the process
Management approval
Use of system design methodology
Documentation requirements (naming conventions)
Type of testing performed and use of test files (month-end, year-
end testing)
Programmer access to production data
Segregation of test and production environments
Conversion procedures and controls
Conversion approvals
Log of changes performed and reviewed
Use and access to a staging library (QA process)
Approvals to move programs
Process to move source and load modules

Inquire as to whether the DSPFD (source code) and DSPOBJD

(load) commands are used to review the trail of last changes made to
application programs.
Testing
Review a sample of changes/requests for:
User/approvals
User involvement
Review a sample of changes documentation for:
Flowcharts and timetable for conversion
User approvals
Testing and conversion results and approvals
Approval to move into production
Obtain a printout of access to the staging library and source and
load libraries using:

Source: www.knowledgeleader.com 2
 Time Project Work Step Initial Index

DSPOBJAUT OBJ (library name) OBJTYPE (*LIB) OUTPUT

(*PRINT)
Obtain a printout of access to the production data library (for
critical libraries such as the G/L) using the above command.

Discuss the frequency/process for emergency changes to application

programs.

SYSTEM SOFTWARE MODIFICATIONS

Inquire as to whether any system software modifications or upgrades

have occurred in the current year (including upgrades).
If so, identify the process for changes and their documentation.

COMPUTER OPERATIONS

Inquire as to the existence of formal operating instructions or on-

screen commands to minimize actions as well as recovery/restart
procedures.
Obtain a copy and review the procedures

Obtain an understanding of supervision provided on each shift.

JOB SCHEDULING
Obtain an understanding of job scheduling procedures and
processes; determine whether an automated scheduler is used
and how it functions.
If an automated scheduler is used, inquire about:
Whether it is purchased or is an in-house set of routines
Which jobs run and when
Security interface with the AS/400
Access mode and security policy
Violation logs produced
Procedures to add a job or to remove a job from the
schedule
Inquire as to review and control techniques over jobs:
Review of successful/unsuccessful jobs
Procedures to resolve unsuccessful jobs

Source: www.knowledgeleader.com 3
 Time Project Work Step Initial Index

Testing
For both an in-house and external job scheduler, review access
over objects containing:
The job schedule
Critical commands affecting jobs
The scheduler security file
Use the following command:
DSPOBJAUT OBJ (library name) OBJTYPE (*LIB) OUTPUT
(*PRINT)
Obtain and review the latest job schedule.

Inquire as to the existence and use of an operations incident report.

Determine whether hardware problems are tracked (PMR).
Obtain and review the latest reports as well as specific logs *Use
the DSPOBJAUT command for logs owned by QSYS and QHST.

Inquire about the granting of authority to submit jobs. Do operators

have their own IDs or do they submit jobs from the console?
Inquire about the users ability to view output queues. In the case of
sensitive spool files:
A user profile with JOBCTL should be created to manage the
output queues
The output queues defined in a library should be defined as
follows:
DSPDTA=NO
OPRCTL=NO
AUTCHK=OWNER
AUT=EXCLUDE
Review access to the following job commands:
SBMJOB
WRKUSRJOB
CHGJOB
WRKSBMJOB
WRKSPLF
WRKJOBW
WRKOUTQ
*Use the DSPOBJAUT OBJ(QSYS/command) OBJTYPE
(*CMD) OUTPUT (*PRINT) or through verbal discussion.

Source: www.knowledgeleader.com 4
 Time Project Work Step Initial Index

Ensure that JOBCNTL is restricted to operators and that access

to SPLCTL is controlled since spool control allows a user to view
all output queue data.

Determine whether adopted authority has been defined for some

users and over some programs. (This allows users to run a program
under their or under a profile and therefore, to adopt its authority.)
Review the authority adopted and determine through discussion
whether it is appropriate.
Testing
For the users with adopted authority (probably SECOFR), issue
DSPPGMADP (user profile) OUTPUT (*PRINT) to identify the
programs adopted.
Determine which users can run these programs with
DSPOBJAUT OBJ (library/program name) OBJTYPE (*PGM)
OUTPUT (*PRINT).
Obtain and review the user ID used for adopted authority using
DSPUSRPRF USRPRF(XXXX) TYPE(*ALL) OUTPUT(*LIST).
Review the privileges assigned and ensure that ALLOBJ is not
included.

COMMANDS
Inquire as to whether in-house commands have been developed. If
so, determine their purpose.
Testing
Review access to the following standard commands using the
DSPOBJAUT command:
DFU
SEU
QUERY
These commands allow direct access to data and programs;
however, they can only be accessed by users whose access to
the operating system is not restricted.
Review which users have the ability to create commands by
displaying the object authority (DSPOBJAUT) over the library
which contains them Library CRTCMD
Note that the *ALL.CRTCMD can be used in order to identify the
specific library above.
Review which users have access to the power down system
(PWRDWNSYS) command using DSPOBJAUT.

Source: www.knowledgeleader.com 5
 Time Project Work Step Initial Index

Obtain the operator user profiles using DSPUSRPRF USRPRF

(XXXX) TYPE(*ALL) OUTPUT(*LIST), and review privileges
assigned to them.

Visit the computer room and complete the data center control
checklist; identify only significant weaknesses and exposures which
increase the risk of failure.

BACKUPS
Obtain an understanding of backup procedures in terms of
frequency and storage for:
Data and programs
Operating system (SAVSYS command which is now
SAVSTG on the newer OS/400)
Offsite storage
Contingency planning procedures
System and application documentation
Inquire as to whether the security data is regularly saved using
the SAVSECDTA command.
Inquire about backup inventory tracking procedures and obtain
the latest inventory list if available.
If backups are stored offsite, inquire about which individuals have
access to them as well as access procedures. Inquire as to the
last date of visit to the offsite storage location to verify controls.

CONTINGENCY PLANNING
Inquire as to the existence and use of formal recovery and restart
procedures. Inquire and discuss they are regularly tested and
used.
Inquire about the existence of a formal contingency plan. If such
a plan exists, inquire about:
Procedures for its preparation and maintenance
Testing frequency and schedule
Major problems encountered to date
Obtain a copy of the plan and review it for completeness (do not
perform a detailed review).

SECURITY

SECURITY ADMINISTRATION

Source: www.knowledgeleader.com 6
 Time Project Work Step Initial Index

Inquire as to the existence of formal security policies. If they

exist, review them for completeness and update.
Inquire about the means of informing and training users for
security.
Identify the functions related to security as well as the individuals
assigned security officer functions. Ensure that adequate
segregation of duties is applied.
Identify the major security administration functions performed,
and in particular:
Regular review of user profiles to ensure that they are valid
Review of privileges assigned to user profiles
Obtain the total number of users on the system. Inquire about the
user profile scheme (one ID per user as well as the presence of
group profiles).
Identify the overall system security scheme (the user of the
OS/400 security features as well as controls over access to
applications or application-based security).
Testing
In the case of a high-risk review only:
Using the AS/400 micro template, download and review the privileges
granted to all user profiles as well as their maintenance.
In the case of a medium to low-risk review:
Obtain a sample of user profiles for review of privileges and
maintenance and inquire about users with critical privileges.

Identify the procedures in place to grant and create user IDs.

Discuss the procedures in place to report and review security

violations. If the client uses the OS/400 V2R3, inquire about the
following:
The *AUDIT special authority is used to monitor a users
activities.
AUDLVL and OBJAUD values are used to audit a user profile.
CMD value is used to perform spot-check audits on the
commands a user executes.
The library attributes QCRTOBJAUD (value) and CRTOBJAUD
(create object auditing library attribute) are used to determine the
default object auditing for new objects.
Testing
Obtain latest violations report or issue command:

Source: www.knowledgeleader.com 7
 Time Project Work Step Initial Index

DSPLOG LOG (QHST) PERIOD (start-end MSGID(CPF2200) for

other violations
DSPLOG LOG (QHST) PERIOD (start-end) MSGID (CPF2234)
for incorrect passwords
DSPOBJD OBJ (QSYS/QHST*) OBJTYPE (*FILE) to display
names of all system logs

LOGICAL SECURITY

Verify the following or have a printout produced of all system values

using this command:
WRKSYSVAL SYSVAL(*SEC) OUTPUT(*PRINT) (once the
WRKSYSVAL command is entered, the user is prompted to enter the
parameters required. In this case, *ALL should be entered and the
*PRINT command at the OUTPUT line.):

Security setting; should be at

QSECURITY
minimum 30

Number of times an incorrect

QMAXSIGN password may be entered prior to
the device being varied off

Number of minutes a terminal will

QINACTITV stand idle for prior to being
logged off

Name of the message queue to

which the messages for inactive
QINACTMSGQ
jobs are sent if QINACTITV is not
set to *NONE

Number of days before user

QPWDEXPITV
passwords expire

Displays statistics in relation to

the users last sign on info
QDSDSGNINF
0 info is shown
1 info is not shown

Limits users to one sign on

QLMTDEVSSN session at one terminal at a time
0 unlimited sign-on sessions

Source: www.knowledgeleader.com 8
 Time Project Work Step Initial Index

1 limited session

Limits users with *ALLOBJ or

*SERVICE authorities to specific
QLMTSECOFR terminals
0 users are not restricted
1 users are restricted

Limits adjacent numbers in a

password
QPWDLMTAJC
0 parameter is not in effect
1 parameter is in effect

Specifies characters that cannot

QPWDLMTCHR
be used in a password

Limits repeating characters in a

password
QPWDLMTREP
0 parameter not in effect
1 parameter in effect

QPWDMINLEN Sets password minimum length

QPWDMAXLEN Sets password maximum length

Requires every character in a

password to be different from the
QPWDPOSDIF
same positioned character in the
last password

Prevents using a password that is

the same as one of the last 32
QPWDRQDDIF passwords
0 parameter not in effect
1 parameter in effect

Specifies a user-written password

QPWDDVLPGM
validation program

Determines the action to be taken

QMAXSGNACN after failed attempts to enter a
password

Source: www.knowledgeleader.com 9
 Time Project Work Step Initial Index

3 both terminal and user ID are

disabled
2 ID only is disabled
1 terminal only is disabled

Determines whether the auditing

QAUDLVL journal is used for review of
security violations

Inquire as to whether the limited capability value has been set to YES
for all users (ability to change the initial program).
Use the CHKLMTCPB command in the QUSRTOOL library to
determine which users have the LMTCPB parameter set to NO
(unless the user profile test has been performed).

Inquire about access granted to users for commands to alter system

values (ALLOBJ, SECADM, SERVICE, SAVSYS)
Have the security officer issue the following command:
DSPOBJAUT OBJ(QSYS/CHGSYSVAL) OBJTYPE(*CMD)
(unless the user profile test has been performed).

Inquire as to whether IBM user profile default passwords

(PASSWORD=*NONE) have been changed :
QSECOFR
QPGMR
QUSER
QSYSOP
QSRV
QSRVBAS
Inquire as to whether QPRMG and QSECOFR are group profiles. If
so, this may be a weakness.

Inquire as to whether passwords for SRV and SRVBAS are written

down and are stored in a secure location where they are accessible if
needed (these profiles give access directly into the operating
system).
Inquire as to who selected the password, e.g., Company X or the
security officer. (Company X could use the same password for all
installations.)

Source: www.knowledgeleader.com 10
 Time Project Work Step Initial Index

For specific applications, determine how access to online

transactions is controlled.
Testing
Review the security parameters defined within the application
security
Review object authority by issuing the following command:
DSPOBJAUT OBJ(CL command) OBJTYPE(*CMD)
OUTPUT(*PRINT)
or
DSPOBJAUT OBJ(program name) OBJTYPE(*PGM)
OUTPUT(*PRINT)

Inquire as to who has the ability to update application security files by

issuing the following command:
DSPOBJAUT OBJ(file name) OBJTYPE(*FILE) OUTPUT(*LIST)

Repeat step for specific applications, determine how access to

online transactions is controlled for batch files.

Determine the type files with PUBLIC access and the users listed
under PUBLIC by issuing the following commands:
DSPUSRPRF USRPRF(PUBLIC) TYPE(*GRPMBR)
OUTPUT(*PRINT)
DSPUSRPRF USRPRF(PUBLIC) TYPE(*ALL)
OUTPUT(*PRINT)

Inquire about the reasons and types of remote links.

Identify which individuals can obtain access via dial-up and for
which purposes or functions
Identify the procedures to obtain dial-up access
Identify the control mechanisms to validate users via dial-up
Inquire about access violation logs
Testing
Obtain a list of individuals with dial-up to verify that they are still
employees and that access is justified.
Determine at which value the network attribute JOBACN is set
(to determine how the AS/400 receives incoming requests from a
remote system):
REJECT: input stream rejected

Source: www.knowledgeleader.com 11
 Time Project Work Step Initial Index

FILE: default setting input stream is filed on the queue of

network files and the user decides what to do
SEARCH: network job table controls the actions by using the
values in the table
Same for PCSACC (PC support access) to determine how the
AS/400 processes requests from PCs:
REJECT
OBJAUT: default setting allowed but controlled by object
authorizations

Source: www.knowledgeleader.com 12