Today was my first day at COMMON 2010 and my first time at a COMMON event. I'm in my mid 20s and I felt very young among the wise AS400 dinosaurs. Grey hairs were abundant, but I know one day I'll be like them, talking about the days of PHP 5.3 as some whippersnapper is talking about how that's old news and that SGS is the language to use, but I digress.
Session 1 – Road to Compliance was presented by Robin Tatam
These are some of my notes/bullet points:
- IBM is struggling to get people onto V6R1
- V6R1 has some type of intrusion detection system
- If you're using the IFS you can get a virus, so you should use antivirus
- "Security by obscurity" is not a good option
- There is a book out on hacking the iSeries: 98% is about how to get in, 2% talks about how to stop it
- Most users are running at QSECURITY level 40
- Public authority is set to *CHANGE on 58% of systems
- You need to think about data loss prevention even when giving read-only permissions
- Inactive profiles and default passwords are bad
- You should be auditing your files; 30% aren't using auditing
- Make sure you're purging your journal records
- Even if you don't know how to read and understand an audit, PowerTech would be able to come in and tell you what happened, provided you have auditing on
- Power users are bad; remember to only give the permissions needed for the group or user
- Remember to delete user profiles after someone leaves the company
- Do not write programs under a programmer's name, for the reason above
- System values should be checked periodically against expected values
- Do not give programmers *ALLOBJ
- Audit changes to system values
- Obtain a copy of the Authority Progression Algorithm to understand how permissions are obtained
- Object-level protection works regardless of interface
- Exit points allow you to accept/reject/audit a program such as FTP
- There are 30 exit points that deal with network access
- Only telnet and 5250 are locked
- FTP allows you to run commands that you thought couldn't be run
- QPWDRULES defines the password syntax your users must use
- QPWDEXPWRN gives your users an expiration warning
- QLMTDEVSSN limits device sessions
- Encryption: AES (Advanced Encryption Standard) is the US Government standard; another popular solution is PGP
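Several of the points above (check system values against expected values, audit changes to them, keep QSECURITY at 40 or higher, use QPWDRULES, QPWDEXPWRN and QLMTDEVSSN) boil down to one recurring defender task: capture the current system values, compare them with a baseline, and diff them against the last capture so a change is noticed. The Python below is an added example, not code from the session or from PowerTech. It assumes the values have been exported as plain `NAME VALUE` lines (a format I made up for the example; real output would come from DSPSYSVAL or a similar tool), and the baseline thresholds and QPWDRULES keywords (`*MINLEN8`, `*DGTMIN1`, `*LMTPRFNAME`) are assumptions chosen to illustrate the checks, not recommendations from the talk.

```python
"""Compare captured IBM i system values against an expected baseline and
diff them against a previous capture to detect changes.

Everything below (capture format, baseline thresholds, sample captures)
is constructed for this example; it is not output from a real system.
"""

# Constructed baseline: either an exact expected string or a predicate.
BASELINE = {
    "QSECURITY": lambda v: int(v) >= 40,                  # level 40 or higher
    "QPWDEXPWRN": lambda v: int(v) >= 7,                  # assumed: warn >= 7 days before expiry
    "QLMTDEVSSN": "1",                                    # one device session per profile
    "QPWDRULES": lambda v: "*MINLEN8" in v.split(),       # assumed minimum-length rule
    "QAUDCTL": lambda v: "*AUDLVL" in v.split(),          # auditing must be switched on
}


def parse_capture(text):
    """Parse 'NAME VALUE...' lines into a dict; a value may contain spaces."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        values[name.upper()] = value.strip()
    return values


def check_baseline(current, baseline=BASELINE):
    """Return (name, 'missing' | 'drift', actual) for every value not meeting the baseline."""
    findings = []
    for name, expected in baseline.items():
        if name not in current:
            findings.append((name, "missing", None))
            continue
        actual = current[name]
        try:
            ok = expected(actual) if callable(expected) else actual == expected
        except ValueError:          # non-numeric where a number was expected
            ok = False
        if not ok:
            findings.append((name, "drift", actual))
    return findings


def diff_snapshots(previous, current):
    """Return {name: (old, new)} for every value that differs between two captures."""
    changed = {}
    for name in set(previous) | set(current):
        if previous.get(name) != current.get(name):
            changed[name] = (previous.get(name), current.get(name))
    return changed


# Constructed sample captures: a compliant earlier one, and a later one in
# which the security level was lowered, device sessions were unlimited and
# auditing was turned off.
PREVIOUS_CAPTURE = """
QSECURITY 40
QPWDEXPWRN 14
QLMTDEVSSN 1
QPWDRULES *MINLEN8 *DGTMIN1 *LMTPRFNAME
QAUDCTL *AUDLVL *OBJAUD
"""

CURRENT_CAPTURE = """
QSECURITY 30
QPWDEXPWRN 14
QLMTDEVSSN 0
QPWDRULES *MINLEN8 *DGTMIN1 *LMTPRFNAME
QAUDCTL *NONE
"""

if __name__ == "__main__":
    prev = parse_capture(PREVIOUS_CAPTURE)
    cur = parse_capture(CURRENT_CAPTURE)
    for name, kind, actual in check_baseline(cur):
        print(f"{name}: {kind} (actual={actual})")
    for name, (old, new) in sorted(diff_snapshots(prev, cur).items()):
        print(f"{name} changed: {old} -> {new}")
```

Run on the constructed captures it reports QSECURITY, QLMTDEVSSN and QAUDCTL as drifted from the baseline and lists the same three as changed since the previous capture; on a real box the capture would be scheduled and the diff output fed to whoever reviews the audit journal, so that a lowered QSECURITY or disabled auditing is questioned rather than discovered during an audit.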
Session 2 – 5250 to Web with PHP was presented by Alan Seiden
Alan went a bit too quickly through his slides and didn't have enough code from real-world examples of using the 5250 bridge.
The main idea I got is that the 5250 bridge is right for some solutions and not right for others. You have to figure out if it's the right technology to implement. You can rewrite your business logic and re-write everything in PHP and SQL, but if that's too daunting you can use the 5250 bridge and communicate between PHP and RPG by passing parameters or sharing a workfile.
Differences between Zend Core (the old PHP on IBM i) and Zend Server: http://www.alanseiden.com/2010/04/21/differences-between-zend-core-and-zend-server-on-ibm-i/
Session 3 – Conducting a Best Practice Audit of IBM i
SOCKS compliant, SAS compliant
Object conversion can take 6-9 hours when going from V5R4 to V6R1
Test data is "real" data. A hacker will target your test system since it is usually less secure
Old profiles owning production objects (when installing you should not install under the programmer's user profile)
iSeries profile swaps are bad
Don't bring up all the TCP/IP servers
Don't use *ALLOBJ
Use hardware encryption in case a tape is lost by Iron Mountain
Use audit journals on sensitive tables, but don't overuse them
Make sure we have a backup of the HMC
DR should say:
Who, what, where, when, how
60% of your servers are critical
20% are necessary but not immediately needed
20% are optional
Is email mission critical? It should be.
Do we back up on Saturday or Sunday? If not, we could be going back more than 24 hours
When was the last full system save? Only before DR? That is not good
If your backup process says 43917 objects saved and 342 not saved, make sure you find out how to unlock those 342 objects, since they are probably needed in a real DR. During a recovery 43917 objects would be recovered and you wouldn't know why the system isn't working; it would be because of the 342 objects that weren't saved.
Send BRMS logs offsite
Session 4 – Function Junction – Mike Pavlak
This was more of a review for me, as I'm pretty confident in my function skills: passing a parameter by reference, returning a value, PHP's functions, creating a function. I spent most of my time here working on a report I needed to send to the boss going over what was accomplished last month. I did learn about the list function, which I had forgotten about. It's a great function to use to set a bunch of parameters from an array object.
Day 1 afterwards
San Antonio is a great city. It has a thing called the Riverwalk, which is a 4ft deep river that runs through the city and was nice to run along for 5 miles and explore the city, restaurants and shops. Then I worked out at the hotel's gym and went for a swim. Then I started writing this blog entry. Well, time for bed; another great day of COMMON 2010 Fall Expo is ahead for me.