Is it possible by mistake from an Query to start QSYS/QSECCFGS or run cmd CFGSYSSEC - IBM AS400

This is a discussion on Is it possible by mistake from an Query to start QSYS/QSECCFGS or run cmd CFGSYSSEC - IBM AS400 ; Hi, when I looked into the joblog of an interactiive job I see "Error found on CMDQRY command. The system detected errors in the command" after that the QSYS/QSECCFGS or the cmd CFGSYSSEC was runned. It is possible that something ...

+ Reply to Thread
Results 1 to 4 of 4

Thread: Is it possible by mistake from an Query to start QSYS/QSECCFGS or run cmd CFGSYSSEC

  1. Is it possible by mistake from an Query to start QSYS/QSECCFGS or run cmd CFGSYSSEC

    Hi, when I looked into the joblog of an interactiive job I see "Error
    found on CMDQRY command. The system detected errors in the command"
    after that the QSYS/QSECCFGS or the cmd CFGSYSSEC was runned. It is
    possible that something inside the Query started this program ocr CMD?
    Is there anyone that share that not very funny experience?
    Thank's


  2. Re: Is it possible by mistake from an Query to start QSYS/QSECCFGS or run cmd CFGSYSSEC

    On Oct 31, 6:46 am, ake wrote:
    > Hi, when I looked into the joblog of an interactiive job I see "Error
    > found on CMDQRY command. The system detected errors in the command"
    > after that the QSYS/QSECCFGS or the cmd CFGSYSSEC was runned. It is
    > possible that something inside the Query started this program ocr CMD?
    > Is there anyone that share that not very funny experience?
    > Thank's


    I do not see where you can get to the command line from within working
    with a query or from wrkqry. There are quite a few way to get to the
    command line though like attention key programs etc.



  3. Re: Is it possible by mistake from an Query to start QSYS/QSECCFGSor run cmd CFGSYSSEC

    The error suggests a user performed a command request CMDQRY. Since
    there is no such command, the noted CPF0001 would transpire. There is
    however a GO command, and the request to GO CMDQRY would take a user to
    the "Query Commands" menu.
    User navigation through menus is not visible in a joblog. Also, the
    commands started from a UIM menu are not [typically?] logged; only any
    messaging resulting from the command execution. Thus a user navigating
    to a menu which provides the command CFGSYSSEC can select the option to
    perform that function from that menu, and the evidence of its being run
    may be in the joblog, auditing, and/or only its effects [if auditing is
    not established to record that activity]. An inference that the prior
    [failed] command has any relationship to the later execution of the
    Configure System Security feature is very likely amiss.
    There should be little reason for a user to have *ALLOBJ authority,
    which is probably the origin for the ability of a user to have run the
    CFGSYSSEC; and AFaIK the request also requires *IOSYSCFG and *SECADM
    which are similarly more powerful than necessary for almost all users.
    I have not looked into what CFGSYSSEC does, but presumably it sets up
    auditing, so DSPJRN QSYS/QAUDJRN to review the security actions that
    were performed from that job hopefully will reveal what might need to be
    reset.

    Regards, Chuck
    --
    All comments provided "as is" with no warranties of any kind
    whatsoever and may not represent positions, strategies, nor views of my
    employer

    ake wrote:
    > Hi, when I looked into the joblog of an interactive job I see "Error
    > found on CMDQRY command. The system detected errors in the command"
    > after that the QSYS/QSECCFGS or the cmd CFGSYSSEC was run. It is
    > possible that something inside the Query started this program ocr CMD?
    > Is there anyone that share that not very funny experience?


  4. Re: Is it possible by mistake from an Query to start QSYS/QSECCFGS or run cmd CFGSYSSEC

    On Oct 31, 11:46 pm, ake wrote:
    > Hi, when I looked into the joblog of an interactiive job I see "Error
    > found on CMDQRY command. The system detected errors in the command"
    > after that the QSYS/QSECCFGS or the cmd CFGSYSSEC was runned. It is
    > possible that something inside the Query started this program ocr CMD?
    > Is there anyone that share that not very funny experience?
    > Thank's


    If the user managed to get to a system menu (and it would appear they
    have command line access, so this is as simple as issuing a GO name> command), they will have the ability to get to the Main or Major
    menus using F16. The Major menu in particular has an option for
    security commands which in turn has an option for the CFGSYSSEC
    command. As has been pointed out, menu selections are not recorded in
    the joblog and even if a person is limited capability, they can run
    options from a system menu.

    The big issue here is why does this person have authority to run this
    command? The help on the command shows it requires *ALLOBJ, *SECADM
    and *AUDIT special authorities. Why does this person have all these
    authorities? It seems to me that you should be taking a good look at
    your systems security setup and looking at this individuals (and
    probably others) authority level rather than finding out how the
    command is run.

    *ALLOBJ - gives the user access to all objects on the system. A very
    powerful authority that should be highly restricted to as few people
    as possible. Highly unlikely that the person would require this.
    *SECADM - ability to manipulate user profiles and access certain
    security functions. Does this person need the ability to modify
    profiles, change security values etc? Again, this is probably
    unlikely.
    *AUDIT - Manipulate object auditing. Does this person really need
    this as yet again, it is very unlikely.

    Also, the persons user class will determine what options are displayed
    in a system menu, so you should look at that as well.


+ Reply to Thread