===============================================
SEARCH400.COM DEVELOPER TIP
July 18, 2001
More developer tips at http://search400.techtarget.com/tipsIndex/0,289482,sid3_tax2f9,00.html
===============================================

Identify security exposures created by bad passwords
By Trevor Seeney, special to search400

One way to protect your system from possible security breaches is to make sure your company has an efficient plan for using passwords. The program below uses the system API Get Profile Handle (QSYGETPH) to determine whether a user password has the same value as the user profile name. If it does, that indicates a weak password and represents a security exposure.
It should be noted that if a password expires, the profile will be disabled. That is not entirely a bad thing.

---------------------------------------------------------
             PGM
/* Verify User Password  VRFUSRPWD                      */
/* Written by Trevor Seeney, Sentinex Inc.              */
/* This program checks to see where the password is     */
/* equal to the user profile name                       */
             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&HANDLE) TYPE(*CHAR) LEN(12)
/* API error code structure: bytes provided (4), bytes  */
/* available (4), exception ID (7), reserved (1), data. */
/* 272 bytes matches the X'00000110' set below.         */
             DCL        VAR(&APIERR) TYPE(*CHAR) LEN(272)
             DCLF       FILE(QSYS/QADSPOBJ)
             DCL        VAR(&HEX00) TYPE(*CHAR) LEN(1) VALUE(X'00')
             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSG) TYPE(*CHAR) LEN(256)
             DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(256)
             DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGL) TYPE(*CHAR) LEN(10)

             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

/* List every user profile on the system to an outfile  */
             DSPOBJD    OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) +
                          OUTPUT(*OUTFILE) OUTFILE(QTEMP/QADSPOBJ)
             OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ)

/* Read the next profile; end the program at end of file */
 REREAD:     RCVF
             MONMSG     MSGID(CPF0864) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP)
                RETURN
             ENDDO

/* Reset the error code: bytes provided = 272, bytes    */
/* available = 0                                        */
             CHGVAR     VAR(&APIERR) VALUE(' ')
             CHGVAR     VAR(%SST(&APIERR 1 8)) +
                          VALUE(X'0000011000000000')

/* Ask for a profile handle, passing the profile name   */
/* as the password                                      */
             CHGVAR     VAR(&USRPRF) VALUE(&ODOBNM)
             CALL       PGM(QSYGETPH) PARM(&USRPRF &USRPRF &HANDLE +
                          &APIERR)

/* The low-order byte of bytes available is X'00' when  */
/* no error came back, so the handle was granted and    */
/* the password equals the profile name                 */
             IF         COND(%SST(&APIERR 8 1) = &HEX00) +
                          THEN(DO)
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA('Profile name and Password match +
                             for user: ' || &USRPRF)
/* Release the handle that was just obtained            */
                CHGVAR     VAR(&APIERR) VALUE(' ')
                CHGVAR     VAR(%SST(&APIERR 1 8)) +
                             VALUE(X'0000011000000000')
                CALL       PGM(QSYRLSPH) PARM(&HANDLE &APIERR)
             ENDDO

             GOTO       CMDLBL(REREAD)

/* Error handler: resend diagnostics, then the escape   */
 ERROR:
 MSGD:       RCVMSG     MSGTYPE(*DIAG) MSG(&MSG) MSGDTA(&MSGDTA) +
                          MSGID(&MSGID) MSGF(&MSGF) MSGFLIB(&MSGL)
             IF         COND(&MSGID *NE ' ') THEN(DO)
                SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGL/&MSGF) +
                             MSGDTA(&MSGDTA) MSGTYPE(*DIAG)
                GOTO       CMDLBL(MSGD)
             ENDDO

 MSGE:       RCVMSG     MSGTYPE(*EXCP) MSG(&MSG) MSGDTA(&MSGDTA) +
                          MSGID(&MSGID) MSGF(&MSGF) MSGFLIB(&MSGL)
             IF         COND(&MSGID *NE ' ') THEN(SNDPGMMSG +
                          MSGID(&MSGID) MSGF(&MSGL/&MSGF) +
                          MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE))
             ENDPGM
================================================

About the author: Trevor is the founder of Sentinex Inc., a privately held
software development and AS/400 auditing, security and control consultancy based in New York. He is the author of an AS/400-based change management utility called Sentinel/CMU. Trevor has also designed and developed Sentinex/WSS, a workstation security software tool that takes control of the inactive terminal, protecting sensitive information from "intruding eyes" and preventing transaction input from potential embezzlers. Learn more about Trevor and the tools he's written at http://www.sentinex.com.
