QSECURITY- System Values
If you’ve ever heard me speak on the Fundamentals of IBM i Security, you’ve heard me describe its three core aspects: system values, user profiles, and object security. It seems only appropriate then that the first part of this book describes how to modernize monitoring and managing these three core aspects, starting with system values.
I’m starting with a discussion of accessing and managing the security-relevant system values because they set the tone of security on IBM i. In addition, two of the most important system values have major changes in IBM i 7.5. Let’s start with those changes.
Tech Note: As of IBM i 7.5, you can no longer set QSECURITY to level 20.
The QSECURITY system value sets the level of security on the system. There used to be five values that you could specify for QSECURITY: 10, 20, 30, 40, and 50. But when I was still leader of the IBM i (AS/400 at the time) security team, we removed the ability to specify security level 10. Upgrading the system did not change the value, and restoring your system values could still leave you at level 10, but once QSECURITY was set to anything other than 10 you could not change it back to 10. As of IBM i 7.5, level 20 is no longer available in the same way. You can upgrade your system and stay at level 20; however, if you restore system values onto a system whose current value is something other than 20, the attempt to restore QSECURITY set to 20 fails, and the system keeps whatever value it already had.
I applaud IBM for removing this value. It’s truly irresponsible for any organization to be running at a level where all profiles are created with *ALLOBJ special authority! That said, I know that some organizations are still running at security level 20 (more than people realize, I believe). I’m hoping this change by IBM will cause these organizations to get a project in place to make this change. To aid in that process, I’m providing specific guidance on the process I’ve used to move organizations from security level 20 to 40 (as well as 30 to 40). For guidance and tips, see chapter 3, Moving to a Higher Security Level, and chapter 9, Successfully Securing Files Using Authority Collection, IBM i Services, and Auditing.
Tech Note: IBM i 7.5 adds QPWDLVL 4.
The second major change in IBM i 7.5 is to the QPWDLVL system value. A new password level (level 4) has been added, and the old LANMAN password, which was the one differentiator between password levels 0 and 1, has been removed from the system entirely. It was never stored at levels 1 and 3; IBM i 7.5 stops storing it at levels 0 and 2 as well. The LANMAN password was used only when connecting to IBM i via a file share from a client running Windows 95, 98, or ME, or from Windows 2000 Server. Since none of those operating systems are supported (and haven't been for ages), IBM has taken the step to remove the storage of that old and vulnerable password. Therefore, there is no longer a difference between password levels 0 and 1. Unlike the change to QSECURITY, you can still set QPWDLVL to a lower level. If your organization isn't already at level 3, I encourage you to make that move. Then, after upgrading to IBM i 7.5, make the move to password level 4. I provide guidance for moving to a higher password level in chapter 4, Moving to a Higher Password Level.
Now let's take a look at how you can access your security-relevant system value settings. Of course, there's the tried-and-true Work with System Values (WRKSYSVAL) command. In fact, you can narrow down what's displayed to only the security-related system values by specifying the *SEC category: WRKSYSVAL SYSVAL(*SEC).
But what if you want to use New Navigator for i or SQL? In the section below called New Nav: System Values, we’ll look at New Nav. But first, let’s take a look at the two options SQL provides.
Run without any qualifying WHERE clause, this service lists all system values along with their current value. You can modify it to list all of the password system values since they all begin with ‘QPWD’ like this:
But there’s no easy way to list just the security-related system values like there is with WRKSYSVAL. For this reason, I find this service to be of limited use. However, I think you’ll find this next service quite useful.
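The queries below are an added example, not the book's own code, covering both the filtered listing described two paragraphs above and the missing *SEC category noted here. They assume the service being discussed is the QSYS2.SYSTEM_VALUE_INFO view (its SYSTEM_VALUE_NAME, CURRENT_NUMERIC_VALUE, and CURRENT_CHARACTER_VALUE columns are as IBM documents them); the list of security-related names in the third query is a hand-built approximation of what WRKSYSVAL SYSVAL(*SEC) shows and should be checked against your release.

```sql
-- Added example (not from the book). Assumes QSYS2.SYSTEM_VALUE_INFO is the
-- service the text refers to. Run from ACS Run SQL Scripts or STRSQL.

-- 1. Every system value with its current value. Character-type values
--    (QSECURITY among them) come back in CURRENT_CHARACTER_VALUE; decimal
--    values such as QPWDLVL come back in CURRENT_NUMERIC_VALUE.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 ORDER BY SYSTEM_VALUE_NAME;

-- 2. Only the password system values: every name begins with QPWD.
SELECT SYSTEM_VALUE_NAME,
       CURRENT_NUMERIC_VALUE,
       CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME LIKE 'QPWD%'
 ORDER BY SYSTEM_VALUE_NAME;

-- 3. Approximating WRKSYSVAL SYSVAL(*SEC). The view has no category column,
--    so the membership list is maintained by hand (hand-built list; verify
--    it against WRKSYSVAL SYSVAL(*SEC) on your release before relying on it).
SELECT SYSTEM_VALUE_NAME,
       COALESCE(CURRENT_CHARACTER_VALUE,
                CAST(CURRENT_NUMERIC_VALUE AS VARCHAR(20))) AS CURRENT_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME LIKE 'QPWD%'
    OR SYSTEM_VALUE_NAME LIKE 'QAUD%'
    OR SYSTEM_VALUE_NAME IN ('QSECURITY',  'QALWOBJRST', 'QALWUSRDMN',
                             'QCRTAUT',    'QDSPSGNINF', 'QFRCCVNRST',
                             'QINACTITV',  'QINACTMSGQ', 'QLMTDEVSSN',
                             'QLMTSECOFR', 'QMAXSIGN',   'QMAXSGNACN',
                             'QRETSVRSEC', 'QRMTSIGN',   'QSCANFS',
                             'QSCANFSCTL', 'QSHRMEMCTL', 'QUSEADPAUT',
                             'QVFYOBJRST')
 ORDER BY SYSTEM_VALUE_NAME;

-- 4. A quick check on the two values this chapter opens with. A returned
--    row means the system is below the level recommended in the text:
--    QSECURITY below 40, or QPWDLVL below 3.
SELECT SYSTEM_VALUE_NAME,
       COALESCE(CURRENT_CHARACTER_VALUE,
                CAST(CURRENT_NUMERIC_VALUE AS VARCHAR(20))) AS CURRENT_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE (SYSTEM_VALUE_NAME = 'QSECURITY'
        AND CAST(CURRENT_CHARACTER_VALUE AS INTEGER) < 40)
    OR (SYSTEM_VALUE_NAME = 'QPWDLVL'
        AND CURRENT_NUMERIC_VALUE < 3);
```

The third query is the closest SQL gets to the *SEC category: because the category exists only in WRKSYSVAL, any list like this drifts as releases add system values, so treat it as a starting point rather than an authoritative definition. The fourth query is the kind of check worth scheduling, since an empty result is the state you want and a row is something to act on.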