iSeries Agentless Security User Guide
1.6 VMC-SEC
VISUAL Message Center iSeries Agentless Security User Guide
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Copyright Notice
Copyright © 2013 Tango/04 All rights reserved.
Document date: August 2010
Document version: 2.4
Product version: 1.6
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Tango/04.
Trademarks
Any references to trademarked product names are owned by their respective companies.
Technical Support
For technical support visit our web site at www.tango04.com.
Tango/04 Computing Group S.L. Avda. Meridiana 358, 5 A-B Barcelona, 08027 Spain
Tel: +34 93 274 0051
Table of Contents
How to Use this Guide
Chapter 1 Introduction
  1.1. What You Will Find in this User Guide
Chapter 2 Architecture
Chapter 3 Requirements
  3.1. Services
  3.2. Communications
  3.3. Object Permissions
Chapter 4 Common Configuration
  4.1. Data Source Configuration
Chapter 5 iSeries Generic Command Agent
  5.1. Data Source Configuration
    5.1.1. General Settings Tab
    5.1.2. iSeries Settings Tab
  5.2. Default Health Script
  5.3. ThinAgent-Specific Variables
  5.4. Field Map SmartConsole – ThinkServer
Chapter 6 iSeries Jobs
  6.1. Common Configuration
    6.1.1. Data Source Configuration
    6.1.2. Basic Connection Settings Tab
    6.1.3. Advanced Connection Settings Tab
    6.1.4. Filters
    6.1.5. Graphication Settings – Interactive Transactions
    6.1.6. General Settings Tab
    6.1.7. Monitor Filters
  6.2. Job ThinAgents Variables
    6.2.1. System General Variables
    6.2.2. Job-Specific Variables
  6.3. Field Map: SmartConsole – ThinkServer
  6.4. Interactive Job Inactivity
    6.4.1. Default Health Configuration
    6.4.2. Default Message Templates
    6.4.3. ThinAgent Variables when Job Detail is *LOW
Chapter 7 iSeries System Values & Network Attributes ThinAgent
  7.1. Introduction
  7.2. Data Source and Monitor Configuration
    7.2.1. Main Information
    7.2.2. General Connection Settings tab
    7.2.3. Advanced Connection Settings tab
    7.2.4. System Values and Network Attributes Tab
    7.2.5. General Settings Tab
  7.3. ThinAgent-Specific Variables
  7.4. ThinAgents
  7.5. Attention Program Monitor
    7.5.1. System Values and Network Attributes
    7.5.2. Default Health Configuration
    7.5.3. Default Message Templates
  7.6. Auditing Control Monitor
    7.6.1. System Values and Network Attributes
    7.6.2. Default Health Configuration
    7.6.3. Default Message Templates
  7.7. Days Password Valid Monitor
    7.7.1. System Values and Network Attributes
    7.7.2. Default Health Configuration
    7.7.3. Default Message Templates
  7.8. Duplicate Password Monitor
    7.8.1. System Values and Network Attributes
    7.8.2. Default Health Configuration
    7.8.3. Default Message Templates
  7.9. Generic System Values and Network Attributes Monitor
    7.9.1. Default Health Configuration
    7.9.2. Default Message Templates
  7.10. Inactive Interactive Job Monitor
    7.10.1. System Values and Network Attributes
    7.10.2. Default Health Configuration
    7.10.3. Default Message Templates
  7.11. Maximum Not Valid Sign-On Monitor
    7.11.1. System Values and Network Attributes
    7.11.2. Default Health Configuration
    7.11.3. Default Message Templates
  7.12. Maximum Not Valid Sign-On Action Monitor
    7.12.1. System Values and Network Attributes
    7.12.2. Default Health Configuration
    7.12.3. Default Message Templates
  7.13. Object Restore Security Monitor
    7.13.1. System Values and Network Attributes
    7.13.2. Default Health Configuration
    7.13.3. Default Message Templates
  7.14. Password Level Monitor
    7.14.1. System Values and Network Attributes
    7.14.2. Default Health Configuration
    7.14.3. Default Message Templates
  7.15. Security Level Monitor
    7.15.1. System Values and Network Attributes
    7.15.2. Default Health Configuration
    7.15.3. Default Message Templates
Appendices
  Appendix A: Valid System Values
  Appendix B: Valid Network Attributes
  Appendix C: Python Functions
  Appendix D: Contacting Tango/04
About Tango/04 Computing Group
Legal Notice
How to Use this Guide
This chapter explains how to use Tango/04 User Guides and understand the typographical conventions used in all Tango/04 documentation.
Typographical Conventions
The following conventional terms, text formats, and symbols are used throughout Tango/04 printed documentation:

| Convention | Description |
|---|---|
| Boldface | Commands, on-screen buttons and menu options. |
| Blue Italic | References and links to other sections in the manual or further documentation containing relevant information. |
| Italic | Text displayed on screen, or variables where the user must substitute their own details. |
| Monospace | Input commands such as System i commands or code, or text that users must type in. |
| UPPERCASE | Keyboard keys, such as CTRL for the Control key and F5 for the function key that is labeled F5. |
Notes and useful additional information.
Tips and hints that will improve the user's experience of working with this product.
Important additional information that the user is strongly advised to note.
Warning information. Failure to take note of this information could potentially lead to serious problems.
Chapter 1 Introduction
This user guide provides guidance for the latest version of the VISUAL Message Center iSeries Agentless Security ThinAgents.
Our solution’s wide range of monitoring capabilities includes control and management of:
• iSeries Jobs
• System Values & Network Attributes
• iSeries Storage Management
We have also implemented a generic iSeries ThinAgent that can be used to run any OS/400 command and a number of specific ThinAgents that can monitor the size of a library or a group of libraries.
The iSeries Agentless ThinAgents are fully compatible with V5R1 and above.
Usually iSeries Agentless ThinAgents use shared data sources, allowing all monitors to perform their checks with a single data retrieval. To perform these system calls a user needs certain privileges to run each command. Be cautious when allocating privileges to avoid unnecessary security risks.
The iSeries Generic Command Agent and the iSeries Storage Management work using DataAdapter technology, while the iSeries Jobs and System Values & Network Attributes ThinAgents work using Java System i Server technology.
1.1 What You Will Find in this User Guide
This User Guide describes the purpose of each iSeries Agentless Security ThinAgent and any variables that are pre-configured for a particular iSeries Agentless Security ThinAgent. It also explains the minimum configuration settings required to run a particular iSeries Agentless Security monitor. For a full description of VISUAL Message Center ThinkServer functionality see the VISUAL Message Center ThinkServer User Guide.
The introduction chapter covers the basic purpose of the iSeries Agentless Security Agent and the common configuration of data sources and monitors.
The following chapters give a detailed description of the different ThinAgents, the default configuration and the variables important to each ThinAgent. You can use these variables to set Health conditions, configure actions, create templates, and send messages to the SmartConsole. There are also a number of generic variables available to all ThinAgents, which are described in the VISUAL Message Center ThinkServer User Guide.
Furthermore, you will find a field map for each iSeries Agentless Security ThinAgent describing the values as they appear in the SmartConsole and ThinkServer.
Note: This document requires a basic knowledge of iSeries systems.
Chapter 2 Architecture
ThinkServer communicates with either DataAdapter (iSeries Generic Command Agent), or the Java System i Server (iSeries Jobs, and System Values & Network Attributes ThinAgents) using SOAP, in order to retrieve the required variables in the expected format.
The Java System i Server, for example, calls different iSeries APIs to acquire the value of every variable. Once all variables have been collected, the Java System i Server processes the received data, chooses the appropriate variables and converts their values, as shown in Figure 1 below.
After that, the values are sent back to ThinkServer, which smoothly assigns the new information to the data source. Then the monitors attached to the data source run their health rules and generate an event if the state changes.
Figure 1 – Architecture for an iSeries Agent using the Java System i Server
Chapter 3 Requirements
Note: The following requirements specifically affect Java System i Server related ThinAgents (iSeries Jobs, and System Values & Network Attributes ThinAgents).
3.1 Services
For the required services to run, the user QUSER must be enabled.
Services typically run on subsystems QSERVER and QSYSWRK, and these subsystems should therefore also be enabled. By default the services start automatically, and it is complicated to prevent them from starting after an IPL.
The following services are required:
• as-svrmap: Service Mapper is required as the ports of other services may change. Runs on port 449
• as-signon: Sign On Service is used to authenticate the user on the machine. Runs on port 8476
• as-rmtcmd: Remote Command is used for running remote commands. Runs on port 8475
These services may be started using STRHOSTSVR and stopped with the command ENDHOSTSVR.
Note: The most important service over which calls are launched is as-rmtcmd (Remote Command / Program Call Server), and it should always be active. It runs on port 8475 and belongs to subsystem QSYSWRK. The name of the daemon is QZRCSRVSD and the name of the service is QZRCSRVS.
3.2 Communications
The protocol used is TCP/IP. A TCP/IP connection is needed between the iSeries host and the Java System i Server, and another TCP/IP connection between ThinkServer and the Java System i Server.
3.3 Object Permissions
The user that will connect to the iSeries must have at least *USE authority for the API program objects QGYOLJOB and QWCRSSTS. By default any user in the iSeries has these authorities. However, if you want to check a user’s authorities, run the following command from a privileged user:
EDTOBJAUT OBJ(*LIBL/QGYOLJOB) OBJTYPE(*PGM)
or
EDTOBJAUT OBJ(*LIBL/QWCRSSTS) OBJTYPE(*PGM)
If you need to add a new user, press F6. Then enter the user that will be used to connect and set the Object Authority to *USE.
Chapter 4 Common Configuration
iSeries Agentless Operations ThinAgents run either using DataAdapter or on the Java System i Server, which is usually installed on the same machine as ThinkServer.
4.1 Data Source Configuration
When you first open an iSeries Health ThinAgent, you will be asked to configure the data source for the monitor. As the data source configuration differs slightly from one group of iSeries Agentless Operations ThinAgents to another, the default data source configuration is explained at the beginning of the chapters for each group of iSeries Agentless Operations ThinAgents. The settings can be changed to suit your needs.
Chapter 5 iSeries Generic Command Agent
The iSeries Generic ThinAgent is the most flexible iSeries Agentless Operations ThinAgent. It uses any one of the many AS/400 commands that support OUTFILE output and can retrieve any iSeries data that is available from the OUTFILE output table.
When using this monitor, you must enter a series of SQL commands to create the output table, to retrieve data from the table and if necessary to delete auxiliary tables.
The related fields in the data source configuration are:
• Table creation command: enter the SQL commands or OS/400 commands to create the output table. You can enter more than one statement separated by “&&&”.
• Retrieval statement: enter the SQL command to retrieve the data generated by the commands configured above. Only one statement is allowed.
• Post-retrieval statement: if necessary, enter the commands needed to delete the auxiliary tables. You can enter more than one statement separated by “&&&”. Note that some commands by default overwrite the data stored in the OUTFILE. Check your iSeries documentation or online help for details regarding each statement.
When configuring which commands to run, be aware that certain commands may take a long time to run, for example a complete scan of the objects in an extensive library.
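Because these three fields run with the privileges of the connecting user, it is worth reviewing them before they are saved. The following is an added example, not part of the Tango/04 guide or product: a small Python linter that splits each field on "&&&", enforces the single retrieval statement, and flags commands outside a read-only allowlist. The allowlist contents, severity labels, function names and the second sample configuration are assumptions for illustration; only DSPOBJD and the QTEMP/GRESULT default come from this guide.

```python
import re

SEPARATOR = "&&&"  # statement separator documented in this guide

# Assumption: a site-defined allowlist of read-only CL commands that support
# OUTFILE output. Only DSPOBJD comes from the guide; the others are examples.
ALLOWED_CL = {"DSPOBJD", "DSPUSRPRF", "DSPFD"}
SQL_VERBS = {"SELECT", "CREATE", "DROP", "DELETE", "INSERT", "UPDATE", "ALTER", "CALL"}
OUTFILE_RE = re.compile(r"\bOUTFILE\(\s*([A-Z0-9_#@$]+)/([A-Z0-9_#@$]+)\s*\)", re.I)

# The guide's default data source configuration (objects in QGPL, output in QTEMP).
DEFAULT_CONFIG = {
    "creation": "DSPOBJD OBJ(QGPL/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) "
                "OUTFILE(QTEMP/GRESULT)",
    "retrieval": "SELECT * from QTEMP.GRESULT",
    "post_retrieval": "",
}

# Constructed sample (library and file names are hypothetical): a state-changing
# command, two retrieval statements, and a permanent output file with no cleanup.
RISKY_CONFIG = {
    "creation": "CLRPFM FILE(MONLIB/OBJLIST) &&& DSPOBJD OBJ(QGPL/*ALL) "
                "OBJTYPE(*ALL) OUTPUT(*OUTFILE) OUTFILE(MONLIB/OBJLIST)",
    "retrieval": "SELECT * FROM MONLIB.OBJLIST &&& DELETE FROM MONLIB.OBJLIST",
    "post_retrieval": "",
}


def split_statements(field):
    """Split a multi-statement field on '&&&' and drop empty parts."""
    return [part.strip() for part in (field or "").split(SEPARATOR) if part.strip()]


def first_word(statement):
    """Return the command name or SQL verb that starts a statement."""
    return statement.split(None, 1)[0].upper()


def lint_data_source(creation, retrieval, post_retrieval=""):
    """Return a list of (severity, message) findings for one data source."""
    findings = []
    outfiles = []

    # Table creation command: SQL CREATE or allowlisted CL with an OUTFILE.
    for stmt in split_statements(creation):
        verb = first_word(stmt)
        if verb in SQL_VERBS:
            if verb != "CREATE":
                findings.append(("HIGH", f"creation field runs SQL {verb}: {stmt}"))
            continue
        if verb not in ALLOWED_CL:
            findings.append(("HIGH", f"CL command {verb} is not on the allowlist"))
        match = OUTFILE_RE.search(stmt)
        if match is None:
            findings.append(("MEDIUM", f"{verb} has no OUTFILE(lib/file) parameter"))
        else:
            outfiles.append((match.group(1).upper(), match.group(2).upper()))

    # Retrieval statement: the guide allows exactly one statement here.
    parts = split_statements(retrieval)
    if len(parts) != 1:
        findings.append(("HIGH", "retrieval field must hold exactly one statement"))
    elif first_word(parts[0]) != "SELECT" or ";" in parts[0]:
        findings.append(("HIGH", "retrieval must be a single SELECT without ';'"))

    # Output outside QTEMP outlives the job, so expect a post-retrieval cleanup.
    cleanup = " ".join(split_statements(post_retrieval)).upper()
    for lib, name in outfiles:
        if lib != "QTEMP" and name not in cleanup:
            findings.append(("LOW", f"{lib}/{name} persists: no post-retrieval cleanup"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("risky", RISKY_CONFIG)):
        print(label)
        for severity, message in lint_data_source(**cfg) or [("OK", "no findings")]:
            print(f"  [{severity}] {message}")
```

The guide's default configuration passes cleanly because its output lives in QTEMP; the constructed one is reported for the non-allowlisted command, the second retrieval statement and the leftover file.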
5.1 Data Source Configuration
When you open the iSeries Generic ThinAgent, you will first be asked to configure the data source for the monitor. There are two tabs for the iSeries Generic ThinAgent: General settings and iSeries settings.
Note: The settings can be changed to suit your needs. The default values are shown in the following tables.
5.1.1 General Settings Tab
Main Information

| Configuration Variables & Values | Description |
|---|---|
| Name: iSeries Data Source | Name of the data source. Use the default provided or enter a new name for the data source. |
| Description: | Enter a description of the data source. |
| Host (informational only): | Add the name of the host you are monitoring to help quickly identify where problems occur. |

General settings

| Configuration Variables & Values | Description |
|---|---|
| Refresh time: 300 seconds | The data source will be refreshed every 300 seconds. |
| Number of tries: 2 | If we detect an error we determine that we will retry two times... |
| Interval between tries: 10 seconds | ...And that we will retry after 10 seconds. |
| Error retry time: 60 seconds | In the case that errors exceed the number specified in Number of Tries (in this case more than once), we will wait for 60 seconds before starting the Windows Processes check again. |

5.1.2 iSeries Settings Tab
Here you can configure the data source, the connection data required to make the connection, the number of rows to retrieve and the commands to execute.
The default configuration allows this ThinAgent to retrieve all the objects in the QGPL library. Data is stored in the GRESULT file in the QTEMP library, so that it does not need to be freed before disconnecting.
This configuration is only intended as an example.
Note: When you change the command to run, the data retrieved will change and the script should also be changed.

| Configuration Variables & Values | Description |
|---|---|
| Database (ODBC DSN) | Name of the ODBC DSN configured on the localhost. You can run queries on remote databases, but the ODBC must be configured locally. |
| User | User ID for connecting to the database (if required) |
| Password | Password for connecting to the database (if required) |
| Maximum number of rows: 50000 | Maximum number of rows to be retrieved by the query |
| Close connection each time: x | The user can choose to leave the connection open so that all queries use the same connection, or to close the connection after running a query and reconnect to perform the next one. For queries that have long time intervals between executions it is better to choose reconnection mode. For frequently executed queries maintaining the same connection is a good option. |
| Table creation command: DSPOBJD OBJ(QGPL/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/GRESULT) | Commands and SQL queries to run to create the data this data source needs. |
| Retrieval statement: SELECT * from QTEMP.GRESULT | SQL queries for retrieving the data we are interested in. |
| Post retrieval commands | SQL queries executed after the data has been retrieved to free the table used to temporarily store the data. |

5.2 Default Health Script
This script generates a success Health state for each object in the library. The Health script can be easily changed to check whether there is an object with an extremely high size, whether an object exists at all, or any other check needed.
5.3 ThinAgent-Specific Variables
This section describes the variables specific to this ThinAgent. For a description of the generic variables available in a ThinAgent see the VISUAL Message Center ThinkServer Configurator User Guide.
Variables regarding the ODBC DSN connection used to retrieve the data:

| Variable | Description |
|---|---|
| DBName | ODBC database name |
| Host | Host name or IP address (This field is for information purposes only, it does not affect the execution of the query) |
| Query | Executed query to retrieve the data |

The following table contains variables specific to this kind of monitor.

| Variable | Description |
|---|---|
| RecordFieldName01..20 | Name of a field of executed query |
| RecordFieldValue01..20 | Value of a field of executed query |
| RowNumber | Number of current row |
| NumberOfRows | Number of rows retrieved by the query |
| MaxNumberOfRows | Maximum number of rows to be retrieved by the query (as defined by the user) |

5.4 Field Map SmartConsole – ThinkServer

| SmartConsole | ThinkServer | Description |
|---|---|---|
| Var01 | VSMScriptID | Name of the script |
| Var02 | Host | IP Address or DNS Name of the Host |
| Var03 | DBName | ODBC database name |
| Var04 | Query | Query executed to retrieve the data |
| Var05 | RecordFieldName01 | Name of a field of executed query |
| Var06 | RecordFieldValue01 | Value of a field in original type |
| Var07 | RecordFieldName02 | Name of a field of executed query |
| Var08 | RecordFieldValue02 | Value of a field in original type |
Chapter 6 iSeries Jobs
There are many iSeries system variables that report the job status of an iSeries host. Such variables include thread count, run priority, active job status, and pool information, among others.
iSeries Job ThinAgents monitor iSeries system variables and alert you whenever any of them indicates a possible risk to the integrity of your system.
Alerts can be for global events, providing a summary of all the jobs in the system, or specific events, with information regarding a specific job in the system.
6.1 Common Configuration
iSeries Job ThinAgents run on the Java System i Server, which is usually installed on the same machine as ThinkServer.
Most iSeries Job ThinAgents have the same default data source configuration.
6.1.1 Data Source Configuration
When you first open an iSeries Job ThinAgent, you will be asked to configure the data source for the monitor. There are five tabs: Basic Connection Settings, Advanced Connection Settings, Filters, Graphication Settings and General Settings. The settings can be changed to suit your needs.
The Basic Connection Settings will always need to be configured to match the iSeries host that you want to monitor. The default values are shown in the following tables.
6.1.2 Basic Connection Settings Tab

| Configuration Variables & Default Values | Description |
|---|---|
| iSeries hostname: | The host name or IP address of the iSeries host to which to connect. |
| iSeries username: | The user name to use in order to log into the iSeries host. |
| iSeries password: | The password associated with the user name. |

6.1.3 Advanced Connection Settings Tab

| Configuration Variables & Default Values | Description |
|---|---|
| Java System i Server Address: localhost | The host on which the Java System i Server is running. In a default installation, it should be localhost or 127.0.0.1. |
| Java System i Server Port: 8082 | The port on which the Java System i Server is listening. In a default installation, it should be port 8082. |

6.1.4 Filters
Configuration variables, their default values and their valid values:

Job Name: *ALL
Valid values: a specific job name, a generic name, or one of the following special values:
• *: Only the job in which this program is running. The user name and job number fields must be blank.
• *CURRENT: All jobs with the current job's name
• *ALL: All jobs. The user name and job type fields must be specified

User Name: *ALL
Valid values: a specific user profile name, a generic name, or one of the following special values:
• *CURRENT: Jobs that use the current job's user profile
• *ALL: Jobs that use the specified job name, regardless of the user name. The job name and job number fields must be specified

Job Type: *ALL
Possible values:
• *ALL: All job types
• ASJ: Autostart job
• BCH: Batch job
• BCI: Batch immediate job
• EVK: Communications job - procedure start request job
• INT: Interactive job
• MRT: Batch - System/36 multiple requester terminal (MRT) job
• PJ: Prestart job
• PDJ &WRT: Writer job
• RDR: Reader job
• SBS: Subsystem job
• SYS: System job

Current User Profile: *ALL
Valid values: a specific user profile name or one of the following special values:
• *ALL: Jobs that use the specified job name, user name and job type, regardless of the user profile under which the initial thread of the job is currently running

Warning: When configuring the data source, remember to always use filters to improve performance. By default all monitors in the data source configuration are set to *ALL; however, in some systems this will slow down system performance, and it may not be necessary to control all jobs in the system.

The Job Detail parameter allows you to configure how much information is retrieved for each job. This parameter has important implications from the performance point of view. Possible values are:
• *LOW (the default)
• *HIGH
If the value is set to *HIGH then more variables will be collected for each job. However, if your filter is dealing with a high number of jobs, setting a *HIGH level of detail will decrease performance substantially. In the following sections we will detail the variables collected by each ThinAgent according to whether they are collected with *LOW or *HIGH detail.

6.1.5 Graphication Settings – Interactive Transactions
Graphication settings are used in coordination with VMC Dashboard Server to produce graphs based on job interactive transactions.

| Configuration Variables & Default Values | Description |
|---|---|
| Limit Of Range1 (average response time in seconds): 1 | |
| Limit Of Range2 (average response time in seconds): 2 | |
| Limit Of Range3 (average response time in seconds): 5 | |
| Limit Of Range4 (average response time in seconds): 10 | |
| Limit Of Range5 (average response time in seconds): 20 | |

The number of interactive transactions each job performs and its average response time in seconds is collected. This value is compared to the above table to determine which range it falls in; the lower the value, the better the system performance. This information is then used to produce graphs in DashboardServer.
The default values can be edited to suit user needs.
6.1.6 General Settings Tab

| Configuration Variables & Default Values | Description |
|---|---|
| Timer: 90 seconds | The data source will be refreshed every 90 seconds. |
| Retries: 2 | If an error is detected, the operation is retried twice. |
| IntervalRetries: 30 seconds | Once an error is found, the operation is retried after 30 seconds. |
| ErrorRetryTime: 600 seconds | In the case that the number of errors exceeds the number specified in Number of Tries (in this case more than once), we will wait for 600 seconds before starting the check again. |

Tip: If users are experiencing problems with system performance, the timer value can be increased.

6.1.7 Monitor Filters
Besides the Filters in the Data Source configuration described in section 6.1.4 - Filters, any monitor for all iSeries Job ThinAgents can have a specific filter. The configuration variables potentially available for these monitor filters are:

| Configuration Variables | Valid Values |
|---|---|
| Job Name | A specific job name, a generic name, or *ALL special value |
| User Name | A specific user name, a generic name, or *ALL special value |
| Current User Profile | A specific user name, a generic name, or *ALL special value |
| Subsystem | A specific subsystem name, a generic name, or *ALL special value |
| Subsystem Library | A specific subsystem library name, a generic name, or *ALL special value |
| Job Type | See valid values for Job Type variables in section 6.1.4 |
| Current Active Status | Any of the valid values for "Status" column in a WRKACTJOB command screen |
| Minimum temporary storage used (MB) threshold | A numeric value |
| Minimum processing unit used (%) Threshold | A numeric value |
6.2 Job ThinAgents Variables
If you specify *HIGH as the Job Detail in the Data Source Filters, then all iSeries Job ThinAgents retrieve a larger list of variables than would be available if you select a *LOW job detail. However, if you have selected a *LOW job detail, each Job ThinAgent retrieves its specific list of variables. In the next sections you will find the lists for each ThinAgent. These variables can be used in any monitor attached to the same data source. They are also used to create the system snapshot that is included in all message templates, so that you have all the relevant data at hand when you encounter a problem.
You will notice that not all the variables are shown when the monitor is first created. They are retrieved and become visible after the first successful execution of the monitor.
The variables retrieved for the iSeries Job ThinAgents can be system general variables, for all jobs in the system, or variables for specific jobs.
6.2.1 System General Variables
The system general variables are:
Variable name Description
averageResponseTime Average Response Time (ms) Of The System
currentProcessingCapacity Current Processing Capacity Of The System
elapsedTime Measure Elapsed Time (s)
elapsedTimeInMilliseconds Measure Elapsed Time (ms)
Host iSeries IP address or hostname
interactionsAboveRange5 Number Of Jobs With More Interactions Than Specified In Range 5 During The Elapsed Time In The System
interactionsBelowRange1 Number Of Jobs With Less Interactions Than Specified In Range 1 During The Elapsed Time In The System
interactionsBelowRange2 Number Of Jobs With Less Interactions Than Specified In Range 2 And More Interactions Than Specified In Range 1 During The Elapsed Time In The System
interactionsBelowRange3 Number Of Jobs With Less Interactions Than Specified In Range 3 And More Interactions Than Specified In Range 2 During The Elapsed Time In The System
interactionsBelowRange4 Number Of Jobs With Less Interactions Than Specified In Range 4 And More Interactions Than Specified In Range 3 During The Elapsed Time In The System
interactionsBelowRange5 Number Of Jobs With Less Interactions Than Specified In Range 5 And More Interactions Than Specified In Range 4 During The Elapsed Time In The System
maximumResponseTime Maximum Response Time (ms) (The Job With The Highest Response Time) In The System
minimumResponseTime Minimum Response Time (ms) (The Job With The Lowest Response Time) In The System
percentCPUUsed Total Percent Processing Unit Time (%) Used on the System
range1 The Value Of The Range 1 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 1 In The System)
range2 The Value Of The Range 2 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 2 And More Than Range 1 In The System)
range3 The Value Of The Range 3 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 3 And More Than Range 2 In The System)
range4 The Value Of The Range 4 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 4 And More Than Range 3 In The System)
range5 The Value Of The Range 5 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 5 And More Than Range 4 In The System)
systemDateAndTime Current Date And Time Of The System (CYYMMDDHHMMSS format)
systemDateAndTimeDescriptive Current Date And Time Of The System (Human-readable format)
systemDateAndTimeInMinutes Current Date And Time Of The System (in minutes)
systemName System Name
totalActiveJobCount Total Number Of Active Jobs In The System
totalDatabaseLockWaits Total Number Of Database Lock Waits In The System
totalInteractiveJobCount Total Number Of Interactive Jobs In The System
totalInternalMachineLockWaits Total Number Of Internal Machine Lock Waits In The System
totalNondatabaseLockWaits Total Number Of Nondatabase Lock Waits In The System
totalThreadCount Total Number Of Threads In The System
totalTimeSpentOnDatabaseLockWaits Total Time Spent (ms) On Database Lock Waits In The System
totalTimeSpentOnInternalMachineLockWaits Total Time Spent (ms) On Internal Machine Lock Waits In The System
totalTimeSpentOnNondatabaseLockWaits Total Time Spent (ms) On Nondatabase Lock Waits In The System
VSMEventHasData TRUE if the event has valid data, FALSE if there are no elements that match the filters
6.2.2 Job-Specific Variables
If you specify a *LOW job detail in the data source, the variables for a specific job depend on each specific monitor. You can find the list of available variables in the corresponding section for each job monitor. If you have specified a *HIGH job detail in the Data Source, the variables for a specific job are as follows:
Variable name Description
activeJobStatus Active Job Status
activeJobStatusForJobsEnding Active Job Status For Jobs Ending
currentJobStatus Current Job Status
currentSystemPoolIdentifier Current System Pool Identifier
currentUserProfile Current User Profile
dateAndTimeJobBecameActive Date And Time Job Became Active
dateAndTimeJobBecameActiveDescriptive Date And Time Job Became Active (Human-readable format)
dateAndTimeJobBecameActiveInMinutes Date And Time Job Became Active (in minutes)
dateAndTimeJobEnteredSystem Date And Time Job Entered System
dateAndTimeJobEnteredSystemDescriptive Date And Time Job Entered System (Human-readable format)
dateAndTimeJobEnteredSystemInMinutes Date And Time Job Entered System (in minutes)
dateAndTimeOfLastInteraction Date And Time Of Last Interaction (in minutes) (Zero for non-interactive jobs)
deviceName Device Name
functionName Function Name
functionType Function Type
groupProfileName Group Profile Name
jobDate Job Date
jobDescriptionNameQualified Job Description Name – Qualified
jobInformationStatus Job Information Status
jobName Job Name
jobNumber Job Number
jobQueueNameQualified Job Queue Name – Qualified
jobSubtype Job Subtype
jobType Job Type
jobTypeEnhanced Job Type Enhanced
jobUserIdentity Job User Identity
library Subsystem Library
memoryPoolName Memory Pool Name
numberOfAuxiliaryIORequests Number Of Auxiliary I/O Requests
numberOfDatabaseLockWaits Number Of Database Lock Waits
numberOfDatabaseLockWaitsDuringTheInterval Number Of Database Lock Waits During The Interval
numberOfInteractiveTransactions Number Of Interactive Transactions
numberOfInteractiveTransactionsDuringTheInterval Number Of Interactive Transactions During The Interval
numberOfInternalMachineLockWaits Number Of Internal Machine Lock Waits
numberOfInternalMachineLockWaitsDuringTheInterval Number Of Internal Machine Lock Waits During The Interval
numberOfNondatabaseLockWaits Number Of Nondatabase Lock Waits
numberOfNondatabaseLockWaitsDuringTheInterval Number Of Nondatabase Lock Waits During The Interval
percentProcessingUnitTimeUsedDuringTheInterval Processing Unit Time Used (%) During The Interval
printerDeviceName Printer Device Name
processIDNumber Process ID Number
processingUnitTimeUsedDuringTheInterval Processing Unit Time Used (ms) During The Interval
responseTimeDuringTheInterval Response Time (ms) During The Interval
responseTimePerTransactionDuringTheInterval Response Time (ms) Per Transaction During The Interval
responseTimePerTransactionDuringTheIntervalInSeconds Response Time (s) Per Transaction During The Interval
responseTotalTime Response Total Time (ms)
responseTotalTimeInSeconds Response Total Time (s)
runPriority Run Priority
serverType Server Type
subsystem Subsystem
subsystemDescriptionNameQualified Subsystem Description Name – Qualified
systemPoolIdentifier System Pool Identifier
temporaryStorageUsedInMegabytes Temporary Storage Used (MB)
threadCount Thread Count
timeOnCurrentStatus Time (s) On Current Status
timeSlice Time Slice (ms)
timeSpentOnDatabaseLockWaits Time (ms) Spent On Database Lock Waits
timeSpentOnDatabaseLockWaitsDuringTheInterval Time Spent (ms) On Database Lock Waits During The Interval
timeSpentOnInternalMachineLockWaits Time Spent (ms) On Internal Machine Lock Waits
timeSpentOnInternalMachineLockWaitsDuringTheInterval Time Spent (ms) On Internal Machine Lock Waits During The Interval
timeSpentOnNondatabaseLockWaits Time Spent (ms) On Nondatabase Lock Waits
timeSpentOnNondatabaseLockWaitsDuringTheInterval Time Spent (ms) On Nondatabase Lock Waits During The Interval
totalProcessingUnitTimeUsed Total Processing Unit Time Used (ms)
totalProcessingUnitTimeUsedForDatabase Total Processing Unit Time Used (ms) For Database
username User Name
6.3 Field Map: SmartConsole – ThinkServer
These ThinAgents send the SmartConsole one global message summarizing the health of all the jobs in the system, plus a message for each individual job.
The following tables show how the different variables are represented in the SmartConsole and the ThinkServer, along with a description of the variables. You can change these settings to suit your needs.
Important: If you have selected a *LOW job detail, the ThinAgents will retrieve only some of the variables listed below, and therefore the others will arrive at the SmartConsole without their values. All Job ThinAgents have been carefully designed so that the most important variables for each ThinAgent are retrieved in *LOW job detail, which should meet your requirements.
The default field map of the global health message is set in Event Variables and contains the following variables:
SmartConsole ThinkServer Description
Var1 VSMScriptID Name of the Script
Var2 systemName iSeries name
Var3 currentProcessingCapacity Current Processing Capacity Of The System
Var4 totalActiveJobCount Total Number Of Active Jobs In The System
Var5 totalThreadCount Total Number Of Threads In The System
Var6 totalInteractiveJobCount Total Number Of Interactive Jobs In The System
Var7 totalDatabaseLockWaits Total Number Of Database Lock Waits In The System
Var8 totalInternalMachineLockWaits Total Number Of Internal Machine Lock Waits In The System
Var9 totalNondatabaseLockWaits Total Number Of Nondatabase Lock Waits In The System
Var10 totalTimeSpentOnDatabaseLockWaits Total Time Spent (ms) On Database Lock Waits In The System
Var11 totalTimeSpentOnInternalMachineLockWaits Total Time Spent (ms) On Internal Machine Lock Waits In The System
Var12 totalTimeSpentOnNondatabaseLockWaits Total Time Spent (ms) On Nondatabase Lock Waits In The System
Var13 minimumResponseTime Minimum Response Time (ms) (The Job With The Lowest Response Time) In The System
Var14 averageResponseTime Average Response Time (ms) Of The System
Var15 maximumResponseTime Maximum Response Time (ms) (The Job With The Highest Response Time) In The System
Var16 range1 The Value Of The Range 1 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 1 In The System)
Var17 range2 The Value Of The Range 2 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 2 And More Than Range 1 In The System)
Var18 range3 The Value Of The Range 3 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 3 And More Than Range 2 In The System)
Var19 range4 The Value Of The Range 4 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 4 And More Than Range 3 In The System)
Var20 range5 The Value Of The Range 5 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 5 And More Than Range 4 In The System)
Var21 interactionsBelowRange1 Number Of Jobs With Less Interactions Than Specified In Range 1 During The Elapsed Time In The System
Var22 interactionsBelowRange2 Number Of Jobs With Less Interactions Than Specified In Range 2 And More Interactions Than Specified In Range 1 During The Elapsed Time In The System
Var23 interactionsBelowRange3 Number Of Jobs With Less Interactions Than Specified In Range 3 And More Interactions Than Specified In Range 2 During The Elapsed Time In The System
Var24 interactionsBelowRange4 Number Of Jobs With Less Interactions Than Specified In Range 4 And More Interactions Than Specified In Range 3 During The Elapsed Time In The System
Var25 interactionsBelowRange5 Number Of Jobs With Less Interactions Than Specified In Range 5 And More Interactions Than Specified In Range 4 During The Elapsed Time In The System
Var26 interactionsAboveRange5 Number Of Jobs With More Interactions Than Specified In Range 5 During The Elapsed Time In The System
Var27 elapsedTimeInMilliseconds Measure Elapsed Time (ms)
Var28 elapsedTime Measure Elapsed Time (s)
Var29 systemDateAndTimeDescriptive Current Date And Time Of The System (Human-readable format)
Var30 systemDateAndTime Current Date And Time Of The System (CYYMMDDHHMMSS format)
Var31 systemDateAndTimeInMinutes Current Date And Time Of The System (in minutes)
Var32 percentCPUUsed Total Percent Processing Unit Time (%) Used on the System
The variables sent to the SmartConsole for the individual messages are set in Post Health-Check Actions and by default include the following variables:
SmartConsole ThinkServer Description
Var1 VSMScriptID Name of the Script
Var2 Host iSeries IP address or hostname
Var3 systemDateAndTime Current Date And Time Of The System (CYYMMDDHHMMSS format)
Var4 systemDateAndTimeDescriptive Current Date And Time Of The System (Human-readable format)
Var5 systemDateAndTimeInMinutes Current Date And Time Of The System (in minutes)
Var6 jobNumber Job Number
Var7 userName User Name
Var8 jobName Job Name
Var9 activeJobStatus Active Job Status
Var10 currentSystemPoolIdentifier Current System Pool Identifier
Var11 currentUserProfile Current User Profile
Var12 dateAndTimeJobBecameActiveInMinutes Date And Time Job Became Active (in minutes)
Var13 dateAndTimeJobEnteredSystemInMinutes Date And Time Job Entered System (in minutes)
Var14 deviceName Device Name
Var15 functionName Function Name
Var16 functionType Function Type
Var17 groupProfileName Group Profile Name
Var18 jobDescriptionNameQualified Job Description Name – Qualified
Var19 jobQueueNameQualified Job Queue Name – Qualified
Var20 jobSubType Job Subtype
Var21 jobType Job Type
Var22 jobTypeEnhanced Job Type Enhanced
Var23 jobUserIdentity Job User Identity
Var24 memoryPoolName Memory Pool Name
Var25 numberOfAuxiliaryIORequests Number Of Auxiliary I/O Requests
Var26 numberOfDatabaseLockWaitsDuringTheInterval Number Of Database Lock Waits During The Interval
Var27 dateAndTimeOfLastInteraction Date And Time Of Last Interaction (in minutes) (Zero for non-interactive jobs)
Var28 numberOfInteractiveTransactionsDuringTheInterval Number Of Interactive Transactions During The Interval
Var29 numberOfInternalMachineLockWaitsDuringTheInterval Number Of Internal Machine Lock Waits During The Interval
Var30 numberOfNondatabaseLockWaitsDuringTheInterval Number Of Nondatabase Lock Waits During The Interval
Var31 percentCPUUsed Total Percent Processing Unit Time (%) Used on the System
Var32 percentProcessingUnitTimeUsedDuringTheInterval Processing Unit Time Used (%) During The Interval
Var33 processingUnitTimeUsedDuringTheInterval Processing Unit Time Used (ms) During The Interval
Var34 responseTimeDuringTheInterval Response Time (ms) During The Interval
Var35 responseTimePerTransactionDuringTheInterval Response Time (ms) Per Transaction During The Interval
Var36 runPriority Run Priority
Var37 subsystemDescriptionNameQualified Subsystem Description Name – Qualified
Var38 temporaryStorageUsedInMegabytes Temporary Storage Used (MB)
Var39 threadCount Thread Count
Var40 timeOnCurrentStatus Time (s) On Current Status
6.4 Interactive Job Inactivity
The iSeries Interactive Job Inactivity monitor checks the time of inactivity of the specified interactive job. The Filters tab allows you to select which jobs to monitor.
6.4.1 Default Health Configuration
The iSeries Interactive Job Inactivity monitor comes preconfigured to set object health to:
• Warning: if the job is interactive and there has been no input from the session for 60 or more minutes.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.
6.4.2 Default Message Templates
The iSeries Interactive Job Inactivity monitor includes the following default message information:
Global event template:
System: &systemName (&Host)
There is a total of &totalActiveJobCount active jobs, of which &totalInteractiveJobCount are interactive, and a total of &totalThreadCount threads.
Specific event template:
This interactive job was inactive for &localTimeInactive minutes.
Current value: &localTimeInactive minutes.
Cause: a check has been executed to see if the value of this parameter is within range.
Recovery: No action required.
Host: &Host Subsystem: &subsystem Subsystem library: &library
Job: &jobNumber/&userName/&jobName
Current active status: &activeJobStatus\nCurrent user profile: &currentUserProfile
Job entered the system on &dateAndTimeJobEnteredSystemDescriptive
Job became active on &dateAndTimeJobBecameActiveDescriptive
You can adjust the default templates to suit your monitoring needs.
6.4.3 ThinAgent Variables when Job Detail is *LOW
Besides the system general variables that are always available (see section 6.2.1 - System General Variables on page 15), the job-specific ThinAgent variables available when a *LOW job detail is specified in the data source are listed here:
Variable Name
activeJobStatus
currentUserProfile
dateAndTimeJobBecameActiveDescriptive
dateAndTimeJobEnteredSystemDescriptive
dateAndTimeOfLastInteraction
jobName
jobNumber
jobType
jobTypeEnhanced
subsystemDescriptionNameQualified
userName
Chapter 7
iSeries System Values & Network Attributes ThinAgent
7.1 Introduction
The iSeries System Values and Network Attributes ThinAgent is a very versatile iSeries Agentless Security ThinAgent. It can monitor any combination of up to five iSeries system values and network attributes in any one monitor.
With the iSeries System Values and Network Attributes ThinAgent it is possible to create a huge range of monitors which can cover all your iSeries security tasks.
When creating monitors from this ThinAgent, you select which system values or network attributes you wish to monitor when configuring the data source and monitor settings. There are over 150 valid values and attributes to choose from, which are listed in the appendix of this document.
7.2 Data Source and Monitor Configuration
When you open the iSeries System Values and Network Attributes ThinAgent, you will first be asked to configure the data source for the monitor. The data source and monitor are configured in the same window, which contains main monitor information details and four tabs:
• General Connection Settings
• Advanced Connection Settings
• System Values and Network Attributes
• General Settings
Note: The settings can be changed to suit your needs. The default values are shown in the following tables.
7.2.1 Main Information
Configuration Variables & Default Values Description
Name: iSeries System Values and Network Attributes Agent (#) Name of the monitor. Use the default provided or enter a new name for the data source. Each new monitor, by default, will be assigned a sequential numerical value in parentheses.
Description: Enter a description of the data source
7.2.2 General Connection Settings tab
Configuration Variables & Default Values Description
iSeries hostname: The host name or IP address of the iSeries host to which to connect.
iSeries username: The user name to use in order to log into the iSeries host.
iSeries password: The password associated with the user name.
7.2.3 Advanced Connection Settings tab
Configuration Variables & Default Values Description
Java System i Server Address: localhost The host on which the Java System i Server is running. In a default installation, it should be localhost or 127.0.0.1.
Java System i Server Port: 8082 The port on which the Java System i Server is listening. In a default installation, it should be port 8082.
7.2.4 System Values and Network Attributes Tab
The System Values and Network Attributes tab is where you customise the monitor so that it monitors exactly what you want it to. You can enter a combination of up to five different system values or network attributes, adding only one to each of the fields available.
For a list of all valid iSeries system values and network attributes and their descriptions, see Appendix A-D.
Figure 2 – The System Values and Network Attributes tab in the DataSource & Monitor Configuration window. In this example we can see the iSeries Security Level Agent which uses the QSECURITY system value by default.
7.2.5 General Settings Tab
Configuration Variables & Default Values Description
Timer: 60 The data source will be refreshed every 60 seconds.
Retries: 2 If an error is detected, the operation is retried twice.
IntervalRetries: 15 Once an error is found, the operation is retried after 15 seconds.
ErrorRetryTime: 600 In the case that the number of errors exceeds the number specified in Number of Tries (in this case more than once), we will wait for 600 seconds before starting the check again.
7.3 ThinAgent-Specific Variables
The iSeries System Values and Network Attributes ThinAgent has no default variables. Variables are added when you create the monitor. The variables used by each individual monitor depend on the system values or network attributes selected for monitoring in the Data Source and Monitor Configuration.
7.4 ThinAgents
The iSeries System Values and Network Attributes ThinAgent comes with ten pre-configured monitors that make it easy to get started and that also serve as examples and guidelines for creating further custom monitors.
A further generic monitor is also included, which comes with no pre-configured system values and is ready for you to add your own configuration.
Each of the iSeries System Values and Network Attributes monitors is explained in the following sections.
Note: Some system values and network attributes that return numbers are actually treated as strings. For example, the Days Password Valid monitor is configured to produce a warning if the QPWDEXPITV value is greater than 000090.
Note: All System Values and Network Attributes ThinAgents automatically retrieve the system hostname (SYSNAME network attribute).
7.5 Attention Program Monitor
The Attention Program monitor checks that the attention program defined by the QATNPGM (attention program) system value is set to the default one. Non-default programs could have security holes that could allow privilege escalation.
7.5.1 System Values and Network Attributes
Configuration Variables & Default Values Description
System Value 1: QATNPGM Attention program
QATNPGM is the attention program system value. The first 10 characters contain the program name and the last 10 characters contain the library name. The following special values are allowed:
• *ASSIST: The Operational Assistant main menu appears when the Attention key is pressed.
• *NONE: No attention program is called when the Attention key is pressed.
7.5.2 Default Health Configuration
The Attention Program monitor comes preconfigured to set object health to:
• Warning: if the QATNPGM value is anything other than *NONE, *ASSIST or QEZMAIN QSYS.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.
7.5.3 Default Message Templates
The Attention Program monitor includes the following default message information:
Critical / Warning / Minor:
The attention program is not set to an adequate value.
The attention program is shown when the user presses the attention key. Setting this value to other than *NONE or *ASSIST (QSYS/QEZMAIN) implies a security hazard because external applications could allow authority escalation to unauthorized users.
Current value: QATNPGM = &QATNPGM
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QATNPGM to the recommended value (*NONE or *ASSIST) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)
Success:
The attention program is set to an adequate value.
The attention program is shown when the user presses the attention key.
Current value: QATNPGM = &QATNPGM
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)
The system value QATNPGM is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.
7.6 Auditing Control Monitor
The Auditing Control monitor checks that the auditing control defined by the QAUDCTL (auditing control) system value is set to audit critical parts of the system.
7.6.1 System Values and Network Attributes
Configuration Variables & Default Values Description
System Value 1: QAUDCTL Auditing control
System Value 2: QAUDLVL Auditing level
System Value 3: QAUDLVL2 Auditing level 2
The QAUDCTL system value is the on/off switch for object- and user-level auditing. The values allowed are:
• *NONE: No auditing of objects and no auditing of user actions will be done on the system. In addition, no auditing that is controlled by the QAUDLVL system value will be done.
• *OBJAUD: Objects that have been selected by the Change Object Auditing (CHGOBJAUD) command will be audited.
• *AUDLVL: Changes controlled by the QAUDLVL system value and the AUDLVL parameter on the Change User Auditing (CHGUSRAUD) command will be audited.
QAUDLVL is the security auditing level. This system value specifies the level of security auditing that should occur on the system.
The values allowed are:
• *AUTFAIL: Authorization failures are audited.
• *CREATE: The creation of objects is audited.
• *DELETE: All object deletions are audited.
• *JOBDTA: Actions by an audited user that affect a job will be audited.
• *NONE: No auditing occurs on the system.
• *OBJMGT: Function of generic objects is audited.
• *OFCSRV: Auditing of OfficeVision licensed program.
• *PGMADP: Program adoption.
• *PGMFAIL: Integrity violations (for example, blocked instruction, validation value failure, and domain violation) are audited.
• *PRTDTA: Printing of spool files or direct printing.
• *SAVRST: Save and restore information is audited.
• *SECURITY: All security-related functions are audited.
• *SERVICE: Use of the system service tools by a user will be audited.
• *SPLFDTA: Spool file auditing.
• *SYSMGT: Use of system management functions by an audited user will be audited.
7.6.2 Default Health Configuration
The Auditing Control monitor comes preconfigured to set object health to:
• Warning: if the QAUDCTL value is equal to "*NONE".
• Minor: if QAUDCTL.find('*OBJAUD') is equal to -1 or QAUDCTL.find('*AUDLVL') is equal to -1 (that is, either value is missing from QAUDCTL).
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.
7.6.3 Default Message Templates
The Auditing Control monitor includes the following default message information:
Critical / Warning / Minor:
The auditing control is not configured properly.
This system value is the on/off switch for object-level and user-level auditing. Neither *OBJAUD nor *AUDLVL are set. Not auditing the system will prevent tracking dangerous changes made by users.
Current value: QAUDCTL = &QAUDCTL
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QAUDCTL to the recommended value (*OBJAUD and *AUDLVL) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)
Success:
The auditing control is configured properly.
This system value is the on/off switch for object-level and user-level auditing.
Current value: QAUDCTL = &QAUDCTL
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)
The system values QAUDCTL and QAUDLVL are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.
7.7 Days Password Valid Monitor
The Days Password Valid monitor checks that the number of days a password is valid, defined by the QPWDEXPITV (days password valid) system value, is low enough to ensure that passwords are changed regularly, which prevents the same password from being used indefinitely.
7.7.1 System Values and Network Attributes
Configuration Variables & Default Values Description
System Value 1: QPWDEXPITV Days password valid
QPWDEXPITV is the system value for the password expiration interval. It controls the number of days that passwords are valid by keeping track of the number of days since you changed your password or created a user profile. The possible values are:
• *NOMAX: A password can be used an unlimited number of days.
• 1-366: The number of days before the password cannot be used.
7.7.2 Default Health Configuration
The Days Password Valid monitor comes preconfigured to set object health to:
• Warning: if the QPWDEXPITV value is equal to "*NOMAX" or the QPWDEXPITV value is greater than 000090.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.
7.7.3 Default Message Templates
The Job Duration Monitor includes the following default message information:

Critical / Warning / Minor:
The days password valid system value is not set to an adequate value.
The days password valid system value controls the number of days that passwords are valid. Setting this value to *NOMAX or too many days implies a security hazard because a brute force attack could be performed during this time and allow password disclosure. Notice that this system value might not be applied to all user profiles because it can be specified for each user profile independently.
Current value: QPWDEXPITV = &QPWDEXPITV
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QPWDEXPITV to the recommended value (90 or less) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The days password valid system value is set to an adequate value.
The days password valid system value controls the number of days that passwords are valid. Setting this value to *NOMAX or too many days implies a security hazard because a brute force attack could be performed during this time and allow password disclosure. Notice that this system value might not be applied to all user profiles because it can be specified for each user profile independently.
Current value: QPWDEXPITV = &QPWDEXPITV
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system value QPWDEXPITV is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.8 Duplicate Password Monitor
The Duplicate Password monitor checks, by means of the QPWDRQDDIF (duplicate password) system value, that passwords are not reused when they are changed, so that the same set of passwords cannot be used indefinitely.

7.8.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QPWDRQDDIF | Duplicate password

QPWDRQDDIF controls duplicate passwords. The possible values are:
• 0: A password can be the same as any previously used password (except the immediately preceding password).
• 1: A password must be different from the previous 32 passwords.
• 2: A password must be different from the previous 24 passwords.
• 3: A password must be different from the previous 18 passwords.
• 4: A password must be different from the previous 12 passwords.
• 5: A password must be different from the previous 10 passwords.
• 6: A password must be different from the previous 8 passwords.
• 7: A password must be different from the previous 6 passwords.
• 8: A password must be different from the previous 4 passwords.

7.8.2 Default Health Configuration
The Duplicate Password monitor comes preconfigured to set object health to:
• Warning: if the QPWDRQDDIF value is equal to "0" or greater than "5".
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.8.3 Default Message Templates
The Duplicate Password monitor includes the following default message information:

Critical:
The duplicate password system value is not correct.
This system value controls how many different passwords have to be used before being able to re-use an older one. Using always the same set of passwords is a security hazard which could allow password disclosure through a brute force attack.
Current value: QPWDRQDDIF = &QPWDRQDDIF
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QPWDRQDDIF to the recommended value (1, 2, 3, 4 or 5) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Warning / Minor:
The duplicate password system value is not correct.
This system value controls how many different passwords have to be used before being able to re-use an older one. Using always the same set of passwords is a security hazard which could allow password disclosure through a brute force attack.
Current value: QPWDRQDDIF = &QPWDRQDDIF
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QINACTITV to the recommended value (1, 2, 3, 4 or 5) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The duplicate password system value is correct.
This system value controls how many different passwords have to be used before being able to re-use an older one. Using always the same set of passwords is a security hazard which could allow password disclosure through a brute force attack.
Current value: QPWDRQDDIF = &QPWDRQDDIF
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system value QPWDRQDDIF is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.9 Generic System Values and Network Attributes Monitor
The Generic iSeries System Values and Network Attributes monitor does not come pre-configured with any system values or network attributes and is simply ready for you to add your own configuration.

Note: This monitor will return an error message in VISUAL Message Center Configurator while it runs without any values configured to monitor:
No system values or network attributes were configured. Please, configure at least one variable.

7.9.1 Default Health Configuration
The Generic iSeries System Values and Network Attributes monitor comes preconfigured to set object health to:
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.9.2 Default Message Templates
The Generic iSeries System Values and Network Attributes monitor includes the following default message information:

Critical / Warning / Minor:
Some retrieved system values or network attributes do not have proper values.
Current value: NONE
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.

Success:
All retrieved system values and network attributes have proper values.
Current value: NONE
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.

There are no system values included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.10 Inactive Interactive Job Monitor
The Inactive Interactive Job monitor checks that the inactive interactive job time-out defined by the QINACTITV (inactive job time-out) system value is low enough to prevent on-site user session stealing.

7.10.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QINACTITV | Inactive job time-out
System Value 2: QDSCJOBITV | Disconnect job interval

QINACTITV specifies the inactive job time-out interval in minutes. It specifies when the system takes action on inactive interactive jobs. QINACTITV must be one of the following values:
• *NONE: The system does not check for inactive interactive jobs.
• 5-300: The number of minutes a job can be inactive before action is taken.
QDSCJOBITV indicates the length of time, in minutes, that an interactive job can be disconnected before it is ended. The values for QDSCJOBITV are:
• 5-1440: The range of the disconnect interval.
• *NONE: There is no disconnect interval.

7.10.2 Default Health Configuration
The Inactive Interactive Job Monitor comes preconfigured to set object health to:
• Warning: if the QINACTITV value is greater than 0000000015 or is equal to "*NONE" or the QDSCJOBITV value is greater than 0000000060 or is equal to "*NONE".
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.10.3 Default Message Templates
The Inactive Interactive Job Monitor includes the following default message information:

Critical / Warning / Minor:
The inactive job configuration is not correct.
This system value specifies the inactive job time-out interval in minutes. After the time-out interval the system takes action on inactive interactive jobs. A high time-out interval means that the interactive session will remain open for a long time. If the user that opened the session is missing, another user could take over the session and use it illicitly.
Current value: QINACTITV = &QINACTITV QDSCJOBITV = &QDSCJOBITV
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QINACTITV to the recommended value (60 or below) using the CHGSYSVAL command. Set QDSCJOBITV to the recommended value (60 or below) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The inactive job configuration is correct.
This system value specifies the inactive job time-out interval in minutes. After the time-out interval the system takes action on inactive interactive jobs.
Current value: QINACTITV = &QINACTITV QDSCJOBITV = &QDSCJOBITV
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system values QINACTITV and QDSCJOBITV are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.11 Maximum Not Valid Sign-On Monitor
The Maximum Not Valid Sign-On monitor checks that the maximum number of not valid sign-on attempts, defined by the QMAXSIGN (maximum not valid sign-on) system value, is low enough to ensure that no forcible attacks can be made, which could lead to password disclosure.

7.11.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QMAXSIGN | Maximum not valid sign-on

QMAXSIGN specifies the maximum number of incorrect sign-on attempts allowed. The possible values are:
• 1-25: The maximum number of sign-on attempts allowed.
• *NOMAX: There is no maximum number of sign-on attempts.

7.11.2 Default Health Configuration
The Maximum Not Valid Sign-On monitor comes preconfigured to set object health to:
• Warning: if the QMAXSIGN value is equal to '*NOMAX' or is more than 000003.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.11.3 Default Message Templates
The Maximum Not Valid Sign-On monitor includes the following default message information:

Critical / Warning / Minor:
The maximum not valid sign-on system value is not configured properly.
The maximum not valid sign-on system value specified the maximum number of incorrect sign-on attempts allowed before the system takes action. Allowing an infinite number of sign-on attempts allows brute force attacks which could lead to password disclosure.
Current value: QMAXSIGN = &QMAXSIGN
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QMAXSIGN to the recommended value (1-25) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The maximum not valid sign-on system value is configured properly.
The maximum not valid sign-on system value specified the maximum number of incorrect sign-on attempts allowed before the system takes action.
Current value: QMAXSIGN = &QMAXSIGN
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system value QMAXSIGN is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.12 Maximum Not Valid Sign-On Action Monitor
The Maximum Not Valid Sign-On Action monitor checks that the maximum not valid sign-on action, defined by the QMAXSGNACN (maximum sign-on action) system value, is set to at least disable the user account in order to prevent forcible attacks, which could lead to password disclosure.

7.12.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QMAXSGNACN | Maximum sign-on action

QMAXSGNACN specifies the maximum sign-on attempts action, that is, how the system reacts when the maximum number of consecutive incorrect sign-on attempts (the system value QMAXSIGN) is reached. The possible values are:
• 1: Varies off the device if limit is reached.
• 2: Disables the user profile if limit is reached.
• 3: Varies off the device and disables the user profile if the limit is reached.

7.12.2 Default Health Configuration
The Maximum Not Valid Sign-On Action monitor comes preconfigured to set object health to:
• Warning: if the QMAXSGNACN value is less than 2.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.12.3 Default Message Templates
The Maximum Not Valid Sign-On Action monitor includes the following default message information:

Critical / Warning / Minor:
The maximum not valid sign-on action system value is not configured properly.
The maximum not valid sign-on action system value specifies the action to take when maximum number of incorrect sign-on attempts is reached. Disabling the device when remote connections are allowed does not improve the security of the system because devices are assigned every time a connection is created. Disabling only the device allows brute force attacks which could lead to password disclosure.
Current value: QMAXSGNACN = &QMAXSGNACN
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QMAXSGNACN to the recommended value (2-3) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The maximum not valid sign-on action system value is configured properly.
The maximum not valid sign-on action system value specifies the action to take when maximum number of incorrect sign-on attempts is reached. Disabling the device when remote connections are allowed does not improve the security of the system because devices are assigned every time a connection is created. Disabling only the device allows brute force attacks which could lead to password disclosure.
Current value: QMAXSGNACN = &QMAXSGNACN
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system value QMAXSGNACN is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.13 Object Restore Security Monitor
The Object Restore Security monitor checks that the object restore security, defined by the QVFYOBJRST (verify object on restore) system value, is high enough to protect the system from undesired object restorations.

7.13.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QVFYOBJRST | Verify object on restore
System Value 2: QALWOBJRST | Allow object restore options

QVFYOBJRST is the system value for verify object on restore. This value is used to specify the policy to be used for object signature verification during a restore operation. The possible values are:
• 1: Do not verify signatures on restore. Restore all objects regardless of their signature.
• 2: Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects, even if the signatures are not valid. Restore inherit-state and system-state objects only if they have valid signatures.
• 3: Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid. Restore inherit-state and system-state objects only if they have valid signatures.
• 4: Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects, even if the signatures are not valid. Restore inherit-state and system-state objects only if they have valid signatures.
• 5: Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid. Restore inherit-state and system-state objects only if they have valid signatures.
QALWOBJRST specifies a list of security options that are used when restoring objects to the system:
• *ALL: All objects regardless of any security sensitive attributes or validation errors will be restored.
• *NONE: No objects with security sensitive attributes will be restored.
• *ALWSYSSTT: Allow restore of system state objects.
• *ALWPGMADP: Allow restore of objects that adopt authority.
• *ALWPTF: Allow system state objects, objects that adopt authority, objects that have the S_ISUID (set-user-ID) attribute enabled, and objects that have the S_ISGID (set-group-ID) attribute enabled to be restored to the system during PTF install.
• *ALWSETUID: Allows files that have the S_ISUID (set-user-ID) attribute enabled to be restored.
• *ALWSETGID: Allows files that have the S_ISGID (set-group-ID) attribute enabled to be restored.
• *ALWVLDERR: Allow objects with validation errors to be restored.

7.13.2 Default Health Configuration
The Object Restore Security monitor comes preconfigured to set object health to:
• Warning: if the QVFYOBJRST value is less than 2
• Minor: if the QVFYOBJRST value is less than 5 or is not '*NONE'
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.13.3 Default Message Templates
The Object Restore Security monitor includes the following default message information:

Critical / Warning / Minor:
The object restore security does not have proper values.
These system values are used to specify the policy to be used for object signature verfication during a restore operation and a list of security options that are used when restoring objects to the system. The current values either do not check for security sensitive attributes and validation errors or do not verify signatures on restore properly.
Current value: QVFYOBJRST = &QVFYOBJRST QALWOBJRST = &QALWOBJRST
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QVFYOBJRST to the recommended value (5) using the CHGSYSVAL command. Set QALWOBJRST to the recommended value (*NONE) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The object restore security has proper values.
These system values are used to specify the policy to be used for object signature verfication during a restore operation and a list of security options that are used when restoring objects to the system.
Current value: QVFYOBJRST = &QVFYOBJRST QALWOBJRST = &QALWOBJRST
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system values QVFYOBJRST and QALWOBJRST are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.14 Password Level Monitor
The Password Level monitor checks that the password level, defined by the QPWDLVL (password level) system value, is high enough to ensure good passwords, and also that the minimum password length, defined by the QPWDMINLEN (minimum password length) system value, is high enough to ensure long passwords for increased security.

7.14.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QPWDLVL | Password level
System Value 2: QPWDMINLEN | Minimum password length
System Value 3: QPWDMAXLEN | Maximum password length

QPWDLVL specifies the level of password support on the system. The possible values are:
• 0: User profile passwords with a length of 1-10 characters are supported.
• 1: User profile passwords with a length of 1-10 characters are supported. AS/400 NetServer passwords for Windows 95/98/ME clients will be removed from the system.
• 2: User profile passwords with a length of 1-128 characters are supported.
• 3: User profile passwords with a length of 1-128 characters are supported. AS/400 NetServer passwords for Windows 95/98/ME clients will be removed from the system.
Note: If this system value has been changed since the last IPL, this value is not the password level the system is currently using. This value will be in effect after the next IPL.
QPWDMINLEN specifies the minimum length of a password. It controls the minimum number of characters in a password. The possible values are:
• 1-128: The minimum number of characters that can be specified for a password.
If the system is operating at QPWDLVL (password level) 0 or 1, the valid range is 1-10. If the system is operating at QPWDLVL 2 or 3, the valid range is 1-128.
QPWDMAXLEN specifies the maximum length of a password. It controls the maximum number of characters in a password. The possible values are:
• 1-128: The maximum number of characters that can be specified for a password.
If the system is operating at QPWDLVL (password level) 0 or 1, the valid range is 1-10. If the system is operating at QPWDLVL 2 or 3, the valid range is 1-128.

7.14.2 Default Health Configuration
The Password Level Monitor comes preconfigured to set object health to:
• Warning: if the QPWDLVL value is less than 2.
• Minor: if the QPWDMINLEN value is less than 6.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.14.3 Default Message Templates
The Password Level Monitor includes the following default message information:

Critical / Warning / Minor:
The password level does not have proper values.
These system values specify the length of password supported and the minimum password length. A low length of password or minimum password length will prevent enforcing users to use large passwords. Short passwords are a security hazard because they are vulnerable to brute force attacks which could lead to password disclosure.
Current value: QPWDLVL = &QPWDLVL QPWDMINLEN = &QPWDMINLEN
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QPWDLVL to the recommended value (2 or above) using the CHGSYSVAL command. Set QPWDMINLEN to the recommended value (6 or above) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The password level has proper values.
These system values specify the length of password supported and the minimum password length.
Current value: QPWDLVL = &QPWDLVL QPWDMINLEN = &QPWDMINLEN
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host (&HOSTNAME)

The system values QPWDLVL and QPWDMINLEN are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.15 Security Level Monitor
The Security Level monitor checks that the security level, defined by the QSECURITY system value, is high enough to ensure appropriate system security.

7.15.1 System Values and Network Attributes
Configuration Variables & Default Values | Description
System Value 1: QSECURITY | Security level

QSECURITY is the system security level indicator. The possible values are:
• 10: The system does not require a password to sign-on. The user has access to all system resources.
• 20: The system requires a password to sign-on. The user has access to all system resources.
• 30: The system requires a password to sign-on, and users must have authority to access objects and system resources.
• 40: The system requires a password to sign-on, and users must have authority to access objects and system resources. Programs that try to access objects through interfaces that are not supported will fail.
• 50: The system requires a password to sign-on, and users must have authority to access objects and system resources. Security and integrity of the QTEMP library and user domain (*USRxxx) objects are enforced. (Use system value QALWUSRDMN to change which libraries allow *USRxxx objects.) Programs fail if they try to pass unsupported parameter values to supported interfaces or if they try to access objects through interfaces that are not supported.
Note: If this system value has been changed since the last IPL, this value is not the security level the system is currently using. This value will be in effect after the next IPL.

7.15.2 Default Health Configuration
The Security Level monitor comes preconfigured to set object health to:
• Warning: if the QSECURITY value is less than 40.
• Success: if the monitor is able to retrieve data from the iSeries.
We recommend you configure the monitor health to suit your specific requirements.

7.15.3 Default Message Templates
The Security Level monitor includes the following message information:

Critical / Warning / Minor:
The security level does not have proper values.
This system value is the system security indicator. From level 40 the system requires a password to sign-on, and users must have authority to access objects and system resources. Programs that try to access objects through interfaces that are not supported will fail. The current security level is below 40 which means a security risk to the system because there could be no required password to sign-on, the users could have access to all system resources or programs that use unsupported interfaces would not fail.
Current value: QSECURITY = &QSECURITY
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: Set QSECURITY to the recommended value (40 or above) using the CHGSYSVAL command.
Host: &Host (&HOSTNAME)

Success:
The security level has proper values.
This system value is the system security indicator. From level 40 the system requires a password to sign-on, and users must have authority to access objects and system resources. Programs that try to access objects through interfaces that are not supported will fail.
Current value: QSECURITY = &QSECURITY
Cause: a check has been executed to see if the value of this system value or network attribute is within range.
Recovery: No action required.
Host: &Host

The system value QSECURITY is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.
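
The default health rules in sections 7.8.2 to 7.15.2 can be applied offline to a set of exported system values, for example to review a baseline before tuning the monitors. The Python code below is an added example, not Tango/04 code or part of the original guide; all function names are hypothetical and the sample values are constructed. It assumes that the most severe matching rule sets a monitor's health, that missing or unparseable values are reported as "Unknown", and that the "is not '*NONE'" half of the Minor rule in 7.13.2 applies to QALWOBJRST.

```python
"""Apply the default health rules of sections 7.8.2-7.15.2 to exported system values.

Added example, not Tango/04 code. All names are hypothetical.
"""

RANK = {"Success": 0, "Minor": 1, "Warning": 2}


def num(values, name):
    """Integer form of a numeric system value; zero padding ('0000000015') is accepted."""
    return int(str(values[name]).strip())


def is_special(values, name, special):
    """True when the system value holds the given special value (*NONE, *NOMAX)."""
    return str(values[name]).strip().upper() == special


def duplicate_password(v):  # 7.8.2
    n = num(v, "QPWDRQDDIF")
    if n == 0 or n > 5:
        yield "Warning", f"QPWDRQDDIF={n} is 0 or greater than 5"


def inactive_job(v):  # 7.10.2
    for name, limit in (("QINACTITV", 15), ("QDSCJOBITV", 60)):
        if is_special(v, name, "*NONE") or num(v, name) > limit:
            yield "Warning", f"{name}={v[name]} is *NONE or greater than {limit}"


def max_sign_on(v):  # 7.11.2
    if is_special(v, "QMAXSIGN", "*NOMAX") or num(v, "QMAXSIGN") > 3:
        yield "Warning", f"QMAXSIGN={v['QMAXSIGN']} is *NOMAX or more than 3"


def max_sign_on_action(v):  # 7.12.2
    n = num(v, "QMAXSGNACN")
    if n < 2:
        yield "Warning", f"QMAXSGNACN={n} is less than 2"


def object_restore(v):  # 7.13.2
    verify = num(v, "QVFYOBJRST")
    if verify < 2:
        yield "Warning", f"QVFYOBJRST={verify} is less than 2"
    # Assumption: the "is not '*NONE'" test of the Minor rule applies to QALWOBJRST,
    # which is a list of options (ARRAY(15) of CHAR(10)); blank entries are ignored.
    allow = v["QALWOBJRST"]
    options = [allow] if isinstance(allow, str) else list(allow)
    options = [o.strip().upper() for o in options if o.strip()]
    if verify < 5 or options != ["*NONE"]:
        yield "Minor", f"QVFYOBJRST={verify}, QALWOBJRST={options}"


def password_level(v):  # 7.14.2
    if num(v, "QPWDLVL") < 2:
        yield "Warning", f"QPWDLVL={v['QPWDLVL']} is less than 2"
    if num(v, "QPWDMINLEN") < 6:
        yield "Minor", f"QPWDMINLEN={v['QPWDMINLEN']} is less than 6"


def security_level(v):  # 7.15.2
    if num(v, "QSECURITY") < 40:
        yield "Warning", f"QSECURITY={v['QSECURITY']} is less than 40"


MONITORS = {
    "Duplicate Password": (("QPWDRQDDIF",), duplicate_password),
    "Inactive Interactive Job": (("QINACTITV", "QDSCJOBITV"), inactive_job),
    "Maximum Not Valid Sign-On": (("QMAXSIGN",), max_sign_on),
    "Maximum Not Valid Sign-On Action": (("QMAXSGNACN",), max_sign_on_action),
    "Object Restore Security": (("QVFYOBJRST", "QALWOBJRST"), object_restore),
    "Password Level": (("QPWDLVL", "QPWDMINLEN"), password_level),
    "Security Level": (("QSECURITY",), security_level),
}


def evaluate(monitor, values):
    """Return (health, reasons) for one monitor."""
    required, rule = MONITORS[monitor]
    missing = [name for name in required if name not in values]
    if missing:
        # Assumption: the guide defines Success only "if the monitor is able to
        # retrieve data"; a value that was not retrieved is reported as Unknown.
        return "Unknown", ["not retrieved: " + ", ".join(missing)]
    try:
        findings = list(rule(values))
    except ValueError as exc:  # unexpected special value or garbage
        return "Unknown", [f"unparseable value: {exc}"]
    if not findings:
        return "Success", []
    # Assumption: when several rules match, the most severe one sets the health.
    health = max((sev for sev, _ in findings), key=RANK.get)
    return health, [why for _, why in findings]


SAMPLE = {  # constructed values, not taken from a real system
    "QPWDRQDDIF": "0", "QINACTITV": "0000000015", "QDSCJOBITV": "*NONE",
    "QMAXSIGN": "000003", "QMAXSGNACN": "3", "QVFYOBJRST": "3",
    "QALWOBJRST": ["*ALWPTF"], "QPWDLVL": 0, "QPWDMINLEN": 8,
    # QSECURITY is deliberately absent to show the "not retrieved" case
}

if __name__ == "__main__":
    for monitor in MONITORS:
        health, reasons = evaluate(monitor, SAMPLE)
        print(f"{monitor:34} {health:8} {'; '.join(reasons)}")
```

Boundary values matter here: QINACTITV at exactly 15 and QMAXSIGN at exactly 3 do not raise a Warning, because the rules in 7.10.2 and 7.11.2 are "greater than" comparisons.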
Appendix A: Valid System Values
The following iSeries system values are available since OS version V5R4 and can be used in the data source and monitor configuration to create custom monitors.
For an updated list of system values for future OS versions and detailed descriptions of each field, visit the IBM iSeries Information Center Web site:
http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/apis/qwcrsval.htm
System value Type Description
QABNORMSW CHAR(1) Previous end of system indicator
QACGLVL ARRAY(8) of CHAR(10) Accounting level
QACTJOB BINARY(4) Active jobs
QADLACTJ BINARY(4) Additional active jobs
QADLSPLA BINARY(4) Additional storage
QADLTOTJ BINARY(4) Additional total jobs
QALWJOBITP CHAR(1) Allow jobs to be interrupted
QALWOBJRST ARRAY(15) of CHAR(10) Allow object restore options
QALWUSRDMN ARRAY(50) of CHAR(10) Allow user domain
QASTLVL CHAR(10) Assistance level
QATNPGM CHAR(20) Attention program
QAUDCTL ARRAY(5) of CHAR(10) Auditing control
QAUDENDACN CHAR(10) Auditing end action
QAUDFRCLVL BINARY(4) Auditing force level
QAUDLVL ARRAY(16) of CHAR(10) Auditing level
QAUTOCFG CHAR(1) Automatic configuration indicator
QAUTORMT CHAR(1) Automatic configuration for remote controllers
QAUTOSPRPT CHAR(1) Automatic system disabled reporting
QAUTOVRT BINARY(4) Automatic configuration for virtual devices
QBASACTLVL BINARY(4) Base activity level
QBASPOOL BINARY(4) Base pool minimum size
QBOOKPATH ARRAY(5) of CHAR(63) Book and bookshelf search path
QCCSID BINARY(4) Coded character set identifier
QCENTURY CHAR(1) Century indicator
QCFGMSGQ CHAR(20) Configuration message queue
QCHRID CHAR(20) Character set and code page
QCHRIDCTL CHAR(10) Character identifier control
QCMNARB CHAR(10) Communication arbiters
QCMNRCYLMT CHAR(20) Communications recovery limit
QCNTRYID CHAR(2) Country identifier
QCONSOLE CHAR(10) Console name
QCRTAUT CHAR(10) Create authority
QCRTOBJAUD CHAR(10) Create object auditing
QCTLSBSD CHAR(20) Controlling subsystem
QCURSYM CHAR(1) Currency symbol
QDATE CHAR(7) System date
QDATFMT CHAR(3) Date format
QDATSEP CHAR(1) Date separator
QDAY CHAR(3) Day
QDAYOFWEEK CHAR(4) Day of the week
QDBRCVYWT CHAR(1) Database recovery wait
QDECFMT CHAR(1) Decimal format
QDEVNAMING CHAR(10) Device naming convention
QDEVRCYACN CHAR(20) Device recovery action
QDSCJOBITV CHAR(10) Disconnect job interval
QDSPSGNINF CHAR(1) Sign-on information
QDYNPTYADJ CHAR(1) Dynamic priority adjustment
QDYNPTYSCD CHAR(1) Dynamic priority scheduler
QFRCCVNRST CHAR(1) Force conversion on restore
QHOUR CHAR(2) Hour
QHSTLOGSIZ BINARY(4) History log size
QIGC CHAR(1) DBCS installed
QIGCCDEFNT CHAR(20) Double-byte coded font name
QIGCFNTSIZ BINARY(4) Double-byte coded font point size
QINACTITV CHAR(10) Inactive job time-out
QINACTMSGQ CHAR(20) Inactive message queue
QIPLDATTIM CHAR(13) Automatic IPL date and time
QIPLSTS CHAR(1) IPL status
QIPLTYPE CHAR(1) IPL type
QJOBMSGQFL CHAR(10) Job message queue full
QJOBMSGQMX BINARY(4) Job message queue maximum size
QJOBMSGQSZ BINARY(4) Job message queue initial size
QJOBMSGQTL BINARY(4) Maximum job message queue initial size
QJOBSPLA BINARY(4) Initial spooling size
QKBDBUF CHAR(10) Keyboard buffer
QKBDTYPE CHAR(3) Keyboard type
QLANGID CHAR(3) Language identifier
QLEAPADJ BINARY(4) Leap year adjustment
QLIBLCKLVL CHAR(1) Library locking level
QLMTDEVSSN CHAR(1) Limit device session
QLMTSECOFR CHAR(1) Limit security officer
QLOCALE CHAR(2080) Locale path name
QLOGOUTPUT CHAR(10) Job log output
QMAXACTLVL BINARY(4) Maximum activity level
QMAXJOB BINARY(4) Maximum number of jobs
QMAXSGNACN CHAR(1) Maximum sign-on action
QMAXSIGN CHAR(6) Maximum not valid sign-on
QMAXSPLF BINARY(4) Maximum spooled files per job
QMCHPOOL BINARY(4) Machine pool size
QMINUTE CHAR(2) Minute
QMLTTHDACN CHAR(1) Multithreaded job action
QMODEL CHAR(4) System model
QMONTH CHAR(2) Month
QPASTHRSVR CHAR(10) Pass-through servers
QPFRADJ CHAR(1) Performance adjustment
QPRBFTR CHAR(20) Problem filter
QPRBHLDITV BINARY(4) Problem hold interval
QPRCMLTTSK CHAR(1) Processor multitasking
QPRCFEAT CHAR(4) Processor feature code
QPRTDEV CHAR(10) Printer device
QPRTKEYFMT CHAR(10) Print key format
QPRTTXT CHAR(30) Print text
QPWDEXPITV CHAR(6) Days password valid
QPWDLMTAJC CHAR(1) Limit adjacent digits
QPWDLMTCHR CHAR(10) Limit characters
QPWDLMTREP CHAR(1) Limit repeat characters
QPWDLVL BINARY(4) Password level
QPWDMAXLEN BINARY(4) Maximum password length
QPWDMINLEN BINARY(4) Minimum password length
QPWDPOSDIF CHAR(1) Limit character positions
QPWDRQDDGT CHAR(1) Required password digits
QPWDRQDDIF CHAR(1) Duplicate password
QPWDVLDPGM CHAR(20) Password validation program
QPWRDWNLMT BINARY(4) Power down limit
QPWRRSTIPL CHAR(1) Power restore IPL
QQRYDEGREE CHAR(10) Parallel processing degree
QQRYTIMLMT CHAR(10) Query processing time limit
QRCLSPLSTG CHAR(10) Reclaim spool storage
QRETSVRSEC CHAR(1) Retain server security data
QRMTIPL CHAR(1) Remote IPL
QRMTSRVATR CHAR(1) Remote service attribute
QRMTSIGN CHAR(20) Remote sign-on
QSCPFCONS CHAR(1) IPL action with console problem
QSECOND CHAR(2) Second
QSECURITY CHAR(2) Security level
QSETJOBATR ARRAY(16) of CHAR(10) Set job attributes from locale
QSFWERRLOG CHAR(10) Software error log
QSHRMEMCTL CHAR(1) Shared memory control
QSPCENV CHAR(10) Special environment
QSRLNBR CHAR(8) Serial number
QSRTSEQ CHAR(20) Sort sequence table
QSRVDMP CHAR(10) Service dump
QSTGLOWACN CHAR(10) Auxiliary storage lower limit action
QSTGLOWLMT BINARY(4) Auxiliary storage lower limit
QSTRPRTWTR CHAR(1) Start printer writer
QSTRUPPGM CHAR(20) Startup program name
QSTSMSG CHAR(10) Status messages
QSVRAUTITV BINARY(4) Server authentication interval
QSYSLIBL ARRAY(15) of CHAR(10) System library list
QTIME CHAR(9) System time
QTIMSEP CHAR(1) Time separator
QTOTJOB BINARY(4) Total jobs
QTSEPOOL CHAR(10) Time-slice end pool
QUPSDLYTIM CHAR(20) UPS delay time
QUPSMSGQ CHAR(20) UPS message queue
QUSEADPAUT CHAR(10) Use adopted authority
QUSRLIBL ARRAY(25) of CHAR(10) User library list
QUTCOFFSET CHAR(5) Coordinated universal time offset
QVFYOBJRST CHAR(1) Verify object on restore
QYEAR CHAR(2) Year
Appendix B: Valid Network Attributes
The following iSeries network attributes are available since OS version V5R4 and can be used in the data source and monitor configuration to create custom monitors.
For an updated list of system values for future OS versions and detailed descriptions of each field, visit the IBM iSeries Information Center Web site:
http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/apis/qwcrneta.htm
Network attribute Type Description
ALRBCKFP CHAR(16) Alert backup focal point
ALRCTLD CHAR(10) Alert controller
ALRDFTFP CHAR(10) Alert focal point
ALRFTR CHAR(20) Alert filter
ALRHLDCNT BINARY(4) Alert hold count
ALRLOGSTS CHAR(7) Alert logging status
ALRPRIFP CHAR(10) Alert primary focal point
ALRRQSFP CHAR(16) Alert focal point to request
ALRSTS CHAR(10) Alert status
ALWADDCLU CHAR(10) Allow add to cluster
ALWANYNET CHAR(10) Allow AnyNet support
ALWHPRTWR CHAR(10) Allow HPR tower support
ALWVRTAPPN CHAR(10) Allow virtual APPN support
VRTAUTODEV BINARY(4) Autocreate APPC device limit
DDMACC CHAR(20) DDM request access
DFTCNNLST CHAR(10) Default ISDN connection list
DFTMODE CHAR(8) Default mode
DFTNETTYPE CHAR(10) ISDN network type
DTACPR BINARY(4) Data compression
DTACPRINM BINARY(4) Intermediate data compression
HPRPTHTMR CHAR(40) HPR path switch timers
JOBACN CHAR(10) Job action
LCLCPNAME CHAR(8) Local control point
LCLLOCNAME CHAR(8) Local location
LCLNETID CHAR(8) Local network ID
MAXINTSSN BINARY(4) Maximum sessions
MAXHOP BINARY(4) Maximum hop count
MDMCNTRYID CHAR(2) Modem country ID
MSGQ CHAR(20) Message queue
NETSERVER CHAR(85) Server network ID
NODETYPE CHAR(8) APPN node type
NWSDOMAIN CHAR(8) Network server domain
OUTQ CHAR(20) Output queue
PNDSYSNAME CHAR(8) Pending system name
PCSACC CHAR(20) Client Access
RAR BINARY(4) Addition resistance
SYSNAME CHAR(8) Current system name
Appendix C: Python Functions
Among the functions that Python provides, the following are particularly useful for manipulating variables that return a list of values inside a single string, that is, variables that contain multiple values:
Python Functions
s.find(sub[,start[,end]]) → int/-1: offset of sub within start-end
s.rsplit([sep[,maxsplit]]) → [string]: rightmost words delimited by sep (a)
s.split([sep[,maxsplit]]) → [string]: words delimited by sep (a)
s.splitlines([keepends]) → [string]: lines
a. Default chars/separator/fillchar is space
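The functions above applied to a multi-valued variable such as QSYSLIBL, as an added example that is not part of the original guide or the product's own code. It assumes the value arrives as one string of blank-padded entries and that a CHAR(20) program value holds a name followed by a library; the function names, the baseline and the sample strings are constructed for illustration.

```python
# Added example. Assumption: the monitor delivers a multi-valued variable
# (such as QSYSLIBL) as one string of blank-padded or blank-separated entries.

def split_entries(raw, sep=None):
    """Return the individual values packed into one string."""
    entries = []
    for line in raw.splitlines():        # tolerate one value list per line
        entries.extend(line.split(sep))  # sep=None: any run of whitespace
    return [e.strip() for e in entries if e.strip()]

def has_entry(raw, name, sep=None):
    """Exact membership test; find() alone would match substrings."""
    return name in split_entries(raw, sep)

def library_list_findings(raw, baseline, sep=None):
    """Compare a library list string with an approved, ordered baseline."""
    current = split_entries(raw, sep)
    findings = [("unexpected", lib) for lib in current if lib not in baseline]
    findings += [("missing", lib) for lib in baseline if lib not in current]
    # Objects are resolved in list order, so a new first entry is reported.
    if current and baseline and current[0] != baseline[0]:
        findings.append(("first-entry-changed", current[0]))
    return findings

def split_qualified(raw):
    """Split a 'name library' pair from the right; single values keep None."""
    parts = raw.rsplit(None, 1)
    if len(parts) == 2:
        return parts[0].strip(), parts[1]
    return (parts[0] if parts else ""), None

# Constructed sample values (not taken from a real system).
BASELINE = ["QSYS", "QSYS2", "QHLPSYS", "QUSRSYS"]
CLEAN = "QSYS      QSYS2     QHLPSYS   QUSRSYS   "
CHANGED = "TOOLSLIB  QSYS      QSYS2     QHLPSYS   QUSRSYS   "

if __name__ == "__main__":
    print(library_list_findings(CLEAN, BASELINE))
    print(library_list_findings(CHANGED, BASELINE))
    # find() reports offset 0 because "QSYS" is a prefix of "QSYS2".
    print("QSYS2 QGPL".find("QSYS"), has_entry("QSYS2 QGPL", "QSYS"))
    print(split_qualified("CHKPWD    SECLIB    "), split_qualified("*NONE"))
```

Use find() only to locate text inside a value; for deciding whether a library is present, compare against the split entries so that QSYS is not confused with QSYS2.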
Appendix D: Contacting Tango/04
North America
Tango/04 North America
PO BOX 3301, NH 03458 Peterborough, USA
Phone: 1-800-304-6872 / 603-924-7391
Fax: [email protected]
EMEA
Tango/04 Computing Group S.L.
Avda. Meridiana 358, 5 A-B, 08027 Barcelona, Spain
Phone: +34 93 274 0051
Fax: +34 93 345 [email protected]
Italy
Tango/04 Italy
Viale Garibaldi 51/53, 13100 Vercelli, Italy
Phone: +39 0161 56922
Fax: +39 0161 [email protected]
Sales Office in France
Tango/04 France
La Grande Arche, Paroi Nord 15ème étage, 92044 Paris La Défense, France
Phone: +33 01 40 90 34 49
Fax: +33 01 40 90 31 [email protected]
Sales Office in Switzerland
Tango/04 Switzerland
18, Avenue Louis Casaï, CH-1209 Genève, Switzerland
Phone: +41 (0)22 747 7866
Fax: +41 (0)22 747 [email protected]
Latin American Headquarters
Barcelona/04 Computing Group SRL (Argentina)
Avda. Federico Lacroze 2252, Piso 6, 1426 Buenos Aires Capital Federal, Argentina
Phone: +54 11 4774-0112
Fax: +54 11 [email protected]
Sales Office in Peru
Barcelona/04 PERÚ
Centro Empresarial Real, Av. Víctor A. Belaúnde 147, Vía Principal 140, Edificio Real Seis, Piso 6, L 27 Lima, Perú
Phone: +51 1 211-2690
Fax: +51 1 [email protected]
Sales Office in Chile
Barcelona/04 Chile
Nueva de Lyon 096 Oficina 702, Providencia, Santiago, Chile
Phone: +56 2 234-0898
Fax: +56 2 [email protected]
About Tango/04 Computing Group
Tango/04 Computing Group is one of the leading developers of systems management and automation software. Tango/04 software helps companies maintain the operating health of all their business processes, improve service levels, increase productivity, and reduce costs through intelligent management of their IT infrastructure.
Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM's Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over 35 authorized Business Partners around the world.
Alliances
Awards
Partnerships
IBM Business Partner
IBM Autonomic Computing Business Partner
IBM PartnerWorld for Developers Advanced Membership
IBM ISV Advantage Agreement
IBM Early code release
IBM Direct Technical Liaison
Microsoft Developer Network
Microsoft Early Code Release
Legal Notice
The information in this document was created using certain specific equipment and environments, and it is limited in
application to those specific hardware and software products and version and release levels.
Any references in this document regarding Tango/04 Computing Group products, software or services do not mean
that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group
operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally
equivalent product that does not infringe any of Tango/04 Computing Group's intellectual property rights may be used
instead of the Tango/04 Computing Group product, software or service.
Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this
document. The furnishing of this document does not give you any license to these patents.
The information contained in this document has not been submitted to any formal Tango/04 Computing Group test
and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer
responsibility, and depends on the customer's ability to evaluate and integrate them into the customer's operational
environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a
specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers
attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group
shall not be liable for any damages arising out of your use of the techniques depicted on this document, even if they
have been advised of the possibility of such damages. This document could contain technical inaccuracies or
typographical errors.
Any pointers in this publication to external web sites are provided for your convenience only and do not, in any
manner, serve as an endorsement of these web sites.
The following terms are trademarks of the International Business Machines Corporation in the United States and/or
other countries: iSeries, iSeriese, iSeries, i5, DB2, e (logo)®Server IBM ®, Operating System/400, OS/400, i5/OS.
Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft
Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are
trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX is a
registered trademark in the United States and other countries licensed exclusively through The Open Group. Oracle
is a registered trade mark of Oracle Corporation.
Other company, product, and service names may be trademarks or service marks of other companies.