iseries agentless security user guide - helpsystems

iSeries Agentless Security User Guide 1.6 VMC-SEC

Post on 05-May-2022


Page 1: iSeries Agentless Security User Guide - HelpSystems

iSeries Agentless Security User Guide

1.6 VMC-SEC

VISUAL Message Center iSeries Agentless Security User Guide

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Copyright Notice

Copyright © 2013 Tango/04 All rights reserved.

Document date: August 2010

Document version: 2.4

Product version: 1.6

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language or computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without the prior written permission of Tango/04.

Trademarks

Any references to trademarked product names are owned by their respective companies.

Technical Support

For technical support visit our web site at www.tango04.com.

Tango/04 Computing Group S.L. Avda. Meridiana 358, 5 A-B Barcelona, 08027 Spain

Tel: +34 93 274 0051

Table of Contents

Table of Contents

How to Use this Guide

Chapter 1 Introduction
  1.1. What You Will Find in this User Guide

Chapter 2 Architecture

Chapter 3 Requirements
  3.1. Services
  3.2. Communications
  3.3. Object Permissions

Chapter 4 Common Configuration
  4.1. Data Source Configuration

Chapter 5 iSeries Generic Command Agent
  5.1. Data Source Configuration
    5.1.1. General Settings Tab
    5.1.2. iSeries Settings Tab
  5.2. Default Health Script
  5.3. ThinAgent-Specific Variables
  5.4. Field Map SmartConsole – ThinkServer

Chapter 6 iSeries Jobs
  6.1. Common Configuration
    6.1.1. Data Source Configuration
    6.1.2. Basic Connection Settings Tab
    6.1.3. Advanced Connection Settings Tab
    6.1.4. Filters
    6.1.5. Graphication Settings – Interactive Transactions
    6.1.6. General Settings Tab
    6.1.7. Monitor Filters
  6.2. Job ThinAgents Variables
    6.2.1. System General Variables
    6.2.2. Job-Specific Variables
  6.3. Field Map: SmartConsole – ThinkServer
  6.4. Interactive Job Inactivity
    6.4.1. Default Health Configuration
    6.4.2. Default Message Templates
    6.4.3. ThinAgent Variables when Job Detail is *LOW

Chapter 7 iSeries System Values & Network Attributes ThinAgent
  7.1. Introduction
  7.2. Data Source and Monitor Configuration
    7.2.1. Main Information
    7.2.2. General Connection Settings tab
    7.2.3. Advanced Connection Settings tab
    7.2.4. System Values and Network Attributes Tab
    7.2.5. General Settings Tab
  7.3. ThinAgent-Specific Variables
  7.4. ThinAgents
  7.5. Attention Program Monitor
    7.5.1. System Values and Network Attributes
    7.5.2. Default Health Configuration
    7.5.3. Default Message Templates
  7.6. Auditing Control Monitor
    7.6.1. System Values and Network Attributes
    7.6.2. Default Health Configuration
    7.6.3. Default Message Templates
  7.7. Days Password Valid Monitor
    7.7.1. System Values and Network Attributes
    7.7.2. Default Health Configuration
    7.7.3. Default Message Templates
  7.8. Duplicate Password Monitor
    7.8.1. System Values and Network Attributes
    7.8.2. Default Health Configuration
    7.8.3. Default Message Templates
  7.9. Generic System Values and Network Attributes Monitor
    7.9.1. Default Health Configuration
    7.9.2. Default Message Templates
  7.10. Inactive Interactive Job Monitor
    7.10.1. System Values and Network Attributes
    7.10.2. Default Health Configuration
    7.10.3. Default Message Templates
  7.11. Maximum Not Valid Sign-On Monitor
    7.11.1. System Values and Network Attributes
    7.11.2. Default Health Configuration
    7.11.3. Default Message Templates
  7.12. Maximum Not Valid Sign-On Action Monitor
    7.12.1. System Values and Network Attributes
    7.12.2. Default Health Configuration
    7.12.3. Default Message Templates
  7.13. Object Restore Security Monitor
    7.13.1. System Values and Network Attributes
    7.13.2. Default Health Configuration
    7.13.3. Default Message Templates
  7.14. Password Level Monitor
    7.14.1. System Values and Network Attributes
    7.14.2. Default Health Configuration
    7.14.3. Default Message Templates
  7.15. Security Level Monitor
    7.15.1. System Values and Network Attributes
    7.15.2. Default Health Configuration
    7.15.3. Default Message Templates

Appendices

Appendix A: Valid System Values
Appendix B: Valid Network Attributes
Appendix C: Python Functions
Appendix D: Contacting Tango/04

About Tango/04 Computing Group

Legal Notice

How to Use this Guide

This chapter explains how to use Tango/04 User Guides and understand the typographical conventions used in all Tango/04 documentation.

Typographical Conventions

The following conventional terms, text formats, and symbols are used throughout Tango/04 printed documentation:

Convention | Description
Boldface | Commands, on-screen buttons and menu options.
Blue Italic | References and links to other sections in the manual or further documentation containing relevant information.
Italic | Text displayed on screen, or variables where the user must substitute their own details.
Monospace | Input commands such as System i commands or code, or text that users must type in.
UPPERCASE | Keyboard keys, such as CTRL for the Control key and F5 for the function key that is labeled F5.

Notes and useful additional information.

Tips and hints that will improve the user's experience of working with this product.

Important additional information that the user is strongly advised to note.

Warning information. Failure to take note of this information could potentially lead to serious problems.

Chapter 1 Introduction

This user guide provides guidance for the latest version of the VISUAL Message Center iSeries Agentless Security ThinAgents.

Our solution’s wide range of monitoring capabilities includes control and management of:

• iSeries Jobs

• System Values & Network Attributes

• iSeries Storage Management

We have also implemented a generic iSeries ThinAgent that can be used to run any OS/400 command and a number of specific ThinAgents that can monitor the size of a library or a group of libraries.

The iSeries Agentless ThinAgents are fully compatible with V5R1 and above.

Usually iSeries Agentless ThinAgents use shared data sources, allowing all monitors to perform their checks with a single data retrieval. To perform these system calls a user needs certain privileges to run each command. Be cautious when allocating privileges to avoid unnecessary security risks.

The iSeries Generic Command Agent and the iSeries Storage Management work using DataAdapter technology, while the iSeries Jobs and System Values & Network Attributes ThinAgents work using Java System i Server technology.

1.1 What You Will Find in this User Guide

This User Guide describes the purpose of each iSeries Agentless Security ThinAgent and any variables that are pre-configured for a particular iSeries Agentless Security ThinAgent. It also explains the minimum configuration settings required to run a particular iSeries Agentless Security monitor. For a full description of VISUAL Message Center ThinkServer functionality see the VISUAL Message Center ThinkServer User Guide.

The introduction chapter covers the basic purpose of the iSeries Agentless Security Agent and the common configuration of data sources and monitors.

The following chapters give a detailed description of the different ThinAgents, the default configuration and the variables important to each ThinAgent. You can use these variables to set Health conditions, configure actions, create templates, and send messages to the SmartConsole. There are also a number of generic variables available to all ThinAgents, which are described in the VISUAL Message Center ThinkServer User Guide.

Furthermore you will find a field map for each iSeries Agentless Security ThinAgent describing the values as they appear in the SmartConsole and ThinkServer.

Note: This document requires a basic knowledge of iSeries systems.

Chapter 2 Architecture

ThinkServer communicates with either DataAdapter (iSeries Generic Command Agent), or the Java System i Server (iSeries Jobs, and System Values & Network Attributes ThinAgents) using SOAP, in order to retrieve the required variables in the expected format.

The Java System i Server, for example, calls different iSeries APIs to acquire the value of every variable. Once all variables have been collected, the Java System i Server processes the received data, chooses the appropriate variables and converts their values, as shown in Figure 1 below.

After that, the values are sent back to ThinkServer, which smoothly assigns the new information to the data source. Then the monitors attached to the data source run their health rules and generate an event if the state changes.

Figure 1 – Architecture for an iSeries Agent using the Java System i Server

Chapter 3 Requirements

3.1 Services

For the required services to run, the user QUSER must be enabled.

The services typically run in subsystems QSERVER and QSYSWRK, which should therefore also be enabled. By default the services start automatically, and it is complicated to prevent them from starting after an IPL.

The following services are required:

• as-svrmap: Service Mapper is required as the ports of other services may change. Runs on port 449

• as-signon: Sign On Service is used to authenticate the user on the machine. Runs over port 8476

• as-rmtcmd: Remote Command is used for running remote commands. Runs on port 8475

These services may be started using STRHOSTSVR and stopped with the command ENDHOSTSVR.
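A reachability check for the three host servers listed above, run from the machine that hosts the Java System i Server. This is an added example, not Tango/04 code; the status names and the hint texts are assumptions based on ordinary TCP behaviour, and only the ports the guide lists are probed.

```python
import socket

# Host servers and ports as listed in section 3.1 of this guide.
REQUIRED_SERVICES = {
    "as-svrmap": 449,   # Service Mapper
    "as-signon": 8476,  # Sign On Service
    "as-rmtcmd": 8475,  # Remote Command
}

# How each probe result is read (assumption of this example; the guide
# itself only names STRHOSTSVR as the way to start the services).
HINTS = {
    "open": "listening",
    "refused": "host reachable but nothing listening; start it with STRHOSTSVR",
    "timeout": "no answer; check the TCP/IP path and any firewall in between",
}


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one TCP port as 'open', 'refused', 'timeout' or 'error'.

    `connect` is injectable so the logic can be exercised without a network.
    """
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:  # name resolution failure, unreachable network, ...
        return "error"
    conn.close()
    return "open"


def check_host_servers(host, services=None, timeout=3.0,
                       connect=socket.create_connection):
    """Probe every required service; return {name: (port, status, hint)}."""
    report = {}
    for name, port in (services or REQUIRED_SERVICES).items():
        status = probe(host, port, timeout, connect)
        hint = HINTS.get(status, "name resolution or routing problem")
        report[name] = (port, status, hint)
    return report


def ready(report):
    """True only when every probed service accepts connections."""
    return all(status == "open" for _, status, _ in report.values())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    result = check_host_servers(target)
    for name, (port, status, hint) in result.items():
        print("%-10s %5d  %-8s %s" % (name, port, status, hint))
    sys.exit(0 if ready(result) else 1)
```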

3.2 Communications

The protocol used is TCP/IP. We need a TCP/IP connection between the iSeries Host and the Java System i Server and another TCP/IP connection between ThinkServer and the Java System i Server.

3.3 Object Permissions

The user that will connect to the iSeries must have at least *USE authority for the API program objects QGYOLJOB and QWCRSSTS. By default any user in the iSeries has these authorities. However, if you want to check a user's authorities, run the following command from a privileged user:

EDTOBJAUT OBJ(*LIBL/QGYOLJOB) OBJTYPE(*PGM)

or

EDTOBJAUT OBJ(*LIBL/QWCRSSTS) OBJTYPE(*PGM)

If you need to add a new user, press F6. Then enter the user that will be used to connect and set the Object Authority to *USE.

Note: The requirements in this chapter specifically affect Java System i Server related ThinAgents (iSeries Jobs, and System Values & Network Attributes ThinAgents).

Note: The most important service over which calls are launched is as-rmtcmd (Remote Command / Program Call Server) and should always be active. It runs on port 8475 and belongs to subsystem QSYSWRK. The name of the daemon is QZRCSRVSD and the name of the service is QZRCSRVS.

Chapter 4 Common Configuration

iSeries Agentless Operations ThinAgents run either using DataAdapter or on the Java System i Server, which is usually installed on the same machine as ThinkServer.

4.1 Data Source Configuration

When you first open an iSeries Health ThinAgent, you will be asked to configure the data source for the monitor. As the data source configuration differs slightly from one group of iSeries Agentless Operations ThinAgents to another, the default data source configuration is explained at the beginning of the chapters for each group of iSeries Agentless Operations ThinAgents. The settings can be changed to suit your needs.

Chapter 5 iSeries Generic Command Agent

The iSeries Generic ThinAgent is the most flexible iSeries Agentless Operations ThinAgent. It uses any one of the many AS/400 commands that support OUTFILE output and can retrieve any iSeries data that is available from the OUTFILE output table.

When using this monitor, you must enter a series of SQL commands to create the output table, to retrieve data from the table and if necessary to delete auxiliary tables.

The related fields in the data source configuration are:

Table creation command: enter the SQL commands or OS/400 commands to create the output table. You can enter more than one statement separated by “&&&”.

Retrieval statement: enter the SQL command to retrieve the data generated by the commands configured above. Only one statement is allowed.

Post-retrieval statement: if necessary enter the commands needed to delete the auxiliary table/s. You can enter more than one statement separated by “&&&”. Note that some commands by default overwrite the data stored on the OUTFILE. Check your iSeries documentation or online help for details regarding each statement.

When configuring which commands to run, be aware that certain commands may take a long time to run, for example a complete scan of the objects in an extensive library.
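A lint for the three statement fields described above (table creation, retrieval, post-retrieval), written as an added example and not part of the product. It goes beyond the text by also applying a command allow-list: the `DSP` prefix policy, the finding wording and the library names `APPLIB` and `MONLIB` are assumptions of this sketch, while the default values come from this guide.

```python
import re

SEPARATOR = "&&&"  # statement separator documented for this data source
SQL_VERBS = {"SELECT", "CREATE", "INSERT", "UPDATE", "DELETE", "DROP", "ALTER"}
# OUTFILE(LIB/FILE) or OUTFILE(FILE) inside a CL command string.
OUTFILE_RE = re.compile(
    r"\bOUTFILE\(\s*(?:([A-Z0-9_#@$*]+)\s*/\s*)?([A-Z0-9_#@$]+)\s*\)", re.I)

# Default values shown in this guide for the iSeries Settings tab.
DEFAULT_CREATION = ("DSPOBJD OBJ(QGPL/*ALL) OBJTYPE(*ALL) "
                    "OUTPUT(*OUTFILE) OUTFILE(QTEMP/GRESULT)")
DEFAULT_RETRIEVAL = "SELECT * from QTEMP.GRESULT"


def split_statements(field):
    """Split a multi-statement field on '&&&' and drop empty parts."""
    return [s.strip() for s in field.split(SEPARATOR) if s.strip()]


def is_sql(stmt):
    """Treat a statement as SQL when it starts with a known SQL verb."""
    return stmt.split(None, 1)[0].upper() in SQL_VERBS


def lint_data_source(creation, retrieval, post_retrieval="",
                     allowed_prefixes=("DSP",)):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    create_stmts = split_statements(creation)
    cleanup_stmts = split_statements(post_retrieval)
    retrieval = retrieval.strip()

    # The retrieval field accepts exactly one statement, and it only reads.
    # (A ';' inside a string literal would be a false positive here.)
    if SEPARATOR in retrieval or ";" in retrieval.rstrip(";"):
        findings.append("retrieval: only one statement is allowed")
    if not retrieval.upper().startswith("SELECT"):
        findings.append("retrieval: expected a SELECT statement")

    # CL commands: keep to display commands that write an OUTFILE
    # (allow-list policy is an assumption of this example).
    tables = []
    for stmt in create_stmts:
        if is_sql(stmt):
            continue
        command = stmt.split(None, 1)[0].upper().split("/")[-1]
        if not command.startswith(tuple(allowed_prefixes)):
            findings.append("creation: %s is not in the allowed command set"
                            % command)
        hits = OUTFILE_RE.findall(stmt)
        if not hits:
            findings.append("creation: %s has no OUTFILE parameter" % command)
        tables += [((lib or "*LIBL").upper(), name.upper())
                   for lib, name in hits]

    # QTEMP is job-scoped, so only output files elsewhere need a cleanup step.
    for lib, name in tables:
        if lib != "QTEMP" and not any(name in s.upper() for s in cleanup_stmts):
            findings.append("cleanup: %s/%s is not in QTEMP and no "
                            "post-retrieval statement removes it" % (lib, name))

    # The SELECT should read something the creation step produced.
    if tables and not any(
            re.search(r"\b%s\b" % re.escape(name), retrieval, re.I)
            for _, name in tables):
        findings.append("retrieval: does not read any OUTFILE created above")
    return findings


if __name__ == "__main__":
    # Constructed configuration with several problems, for illustration.
    bad = lint_data_source(
        "DSPOBJD OBJ(APPLIB/*ALL) OBJTYPE(*FILE) OUTPUT(*OUTFILE) "
        "OUTFILE(MONLIB/OBJLIST) &&& CLRPFM FILE(APPLIB/ORDERS)",
        "SELECT * FROM MONLIB.OBJLIST &&& DROP TABLE MONLIB.OBJLIST")
    for line in bad:
        print(line)
    print("defaults:", lint_data_source(DEFAULT_CREATION, DEFAULT_RETRIEVAL))
```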

5.1 Data Source Configuration

When you open the iSeries Generic ThinAgent, you will first be asked to configure the data source for the monitor. There are two tabs for the iSeries Generic ThinAgent: General settings and iSeries settings.

Note: The settings can be changed to suit your needs. The default values are shown in the following tables.

5.1.1 General Settings Tab

Main Information

Configuration Variables & Values | Description
Name: iSeries Data Source | Name of the data source. Use the default provided or enter a new name for the data source.
Description: | Enter a description of the data source
Host (informational only): | Add the name of the host you are monitoring to help quickly identify where problems occur.

General settings

Configuration Variables & Values | Description
Refresh time: 300 seconds | The data source will be refreshed every 300 seconds.
Number of tries: 2 | If we detect an error we determine that we will retry two times...
Interval between tries: 10 seconds | ...And that we will retry after 10 seconds.
Error retry time: 60 seconds | In the case that errors exceed the number specified in Number of Tries (in this case more than once), we will wait for 60 seconds before starting the Windows Processes check again.

5.1.2 iSeries Settings Tab

Here you can configure the data source, the connection data required to make the connection, the number of rows to retrieve and the commands to execute.

The default configuration allows this ThinAgent to retrieve all the objects in the QGPL library. Data is stored in the GRESULT file in the QTEMP library, so that it does not need to be freed before disconnecting.

This configuration is only intended as an example.

Note: When you change the command to run, the data retrieved will change and the script should also be changed.

Configuration Variables & Values | Description
Database (ODBC DSN) | Name of the ODBC DSN configured on the localhost. You can run queries on remote databases, but the ODBC must be configured locally.
User | User ID for connecting to the database (if required)
Password | Password for connecting to the database (if required)
Maximum number of rows: 50000 | Maximum number of rows to be retrieved by the query
Close connection each time: x | The user can choose to leave the connection open so that all queries use the same connection, or to close the connection after running a query and reconnect to perform the next one. For queries that have long time intervals between executions it is better to choose reconnection mode. For frequently executed queries maintaining the same connection is a good option.
Table creation command: DSPOBJD OBJ(QGPL/*ALL) OBJTYPE(*ALL) OUTPUT(*OUTFILE) OUTFILE(QTEMP/GRESULT) | Commands and SQL queries to run to create the data this data source needs.
Retrieval statement: SELECT * from QTEMP.GRESULT | SQL queries for retrieving the data we are interested in.
Post retrieval commands | SQL queries executed after the data has been retrieved to free the table used to temporarily store the data.

5.2 Default Health Script

This script generates a success Health state for each object in the library. The Health script can be easily changed to check whether there is an object with an extremely high size, whether an object exists at all, or any other check needed.

5.3 ThinAgent-Specific Variables

This section describes the variables specific to this ThinAgent. For a description of the generic variables available in a ThinAgent see the VISUAL Message Center ThinkServer Configurator User Guide.

Variables regarding the ODBC DSN connection used to retrieve the data:

Variable | Description
DBName | ODBC database name
Host | Host name or IP address (This field is for information purposes only, it does not affect the execution of the query)
Query | Executed query to retrieve the data

The following table contains variables specific to this kind of monitor.

Variable | Description
RecordFieldName01..20 | Name of a field of executed query
RecordFieldValue01..20 | Value of a field of executed query
RowNumber | Number of current row
NumberOfRows | Number of rows retrieved by the query
MaxNumberOfRows | Maximum number of rows to be retrieved by the query (as defined by the user)

5.4 Field Map SmartConsole – ThinkServer

SmartConsole | ThinkServer | Description
Var01 | VSMScriptID | Name of the script
Var02 | Host | IP Address or DNS Name of the Host
Var03 | DBName | ODBC database name
Var04 | Query | Query executed to retrieve the data
Var05 | RecordFieldName01 | Name of a field of executed query
Var06 | RecordFieldValue01 | Value of a field in original type
Var07 | RecordFieldName02 | Name of a field of executed query
Var08 | RecordFieldValue02 | Value of a field in original type

Chapter 6 iSeries Jobs

There are many iSeries system variables that report the job status of an iSeries host. Such variables include thread count, run priority, active job status, and pool information, among others.

iSeries Job ThinAgents monitor iSeries system variables and alert you whenever any of them indicates a possible risk to the integrity of your system.

Alerts can be for global events, providing a summary of all the jobs in the system, or specific events, with information regarding a specific job in the system.

6.1 Common Configuration

iSeries Job ThinAgents run on the Java System i Server, which is usually installed on the same machine as ThinkServer.

Most iSeries Job ThinAgents have the same default data source configuration.

6.1.1 Data Source Configuration

When you first open an iSeries Job ThinAgent, you will be asked to configure the data source for the monitor. There are five tabs: Basic Connection Settings, Advanced Connection Settings, Filters, Graphication Settings and General Settings. The settings can be changed to suit your needs.

The Basic Connection Settings will always need to be configured to match the iSeries host that you want to monitor. The default values are shown in the following tables.

6.1.2 Basic Connection Settings Tab

Configuration Variables & Default Values | Description
iSeries hostname: | The host name or IP address of the iSeries host to which to connect.
iSeries username: | The user name to use in order to log into the iSeries host.
iSeries password: | The password associated with the user name.

6.1.3 Advanced Connection Settings Tab

Configuration Variables & Default Values | Description
Java System i Server Address: localhost | The host on which the Java System i Server is running. In a default installation, it should be localhost or 127.0.0.1.
Java System i Server Port: 8082 | The port on which the Java System i Server is listening. In a default installation, it should be port 8082.

6.1.4 Filters

Configuration variables and default values, each followed by its valid values:

Job Name: *ALL
A specific job name, a generic name, or one of the following special values:
• *: Only the job in which this program is running. The user name and job number fields must be blank.
• *CURRENT: All jobs with the current job's name
• *ALL: All jobs. The user name and job type fields must be specified

User Name: *ALL
A specific user profile name, a generic name, or one of the following special values:
• *CURRENT: Jobs that use the current job's user profile
• *ALL: Jobs that use the specified job name, regardless of the user name. The job name and job number fields must be specified

Job Type: *ALL
Possible values:
• *ALL: All job types
• ASJ: Autostart job
• BCH: Batch job
• BCI: Batch immediate job
• EVK: Communications job - procedure start request job
• INT: Interactive job
• MRT: Batch - System/36 multiple requester terminal (MRT) job
• PJ: Prestart job
• PDJ &WRT: Writer job
• RDR: Reader job
• SBS: Subsystem job
• SYS: System job

Current User Profile: *ALL
A specific user profile name or one of the following special values:
• *ALL: Jobs that use the specified job name, user name and job type, regardless of the user profile under which the initial thread of the job is currently running

The Job Detail parameter allows you to configure how much information is retrieved for each job. This parameter has important implications from the performance point of view. Possible values are:

• *LOW (the default)

• *HIGH

If the value is set to *HIGH then more variables will be collected for each job. However, if your filter is dealing with a high number of jobs, setting a *HIGH level of detail will decrease performance substantially. The following sections detail the variables collected by each ThinAgent according to whether the detail level is *LOW or *HIGH.

Warning: When configuring the data source, remember to always use filters to improve performance. By default all monitors in the data source configuration are set to *ALL; however in some systems this will slow down system performance, and it may not be necessary to control all jobs in the system.

6.1.5 Graphication Settings – Interactive Transactions

Graphication settings are used in coordination with VMC Dashboard Server to produce graphs based on job interactive transactions.

Configuration Variables & Default Values
Limit Of Range1 (average response time in seconds): 1
Limit Of Range2 (average response time in seconds): 2
Limit Of Range3 (average response time in seconds): 5
Limit Of Range4 (average response time in seconds): 10
Limit Of Range5 (average response time in seconds): 20

The number of interactive transactions each job performs and its average response time in seconds are collected. This value is compared to the above table to determine which range it falls in; the lower the value, the better the system performance. This information is then used to produce graphs in DashboardServer.

The default values can be edited to suit user needs.

6.1.6 General Settings Tab

Configuration Variables & Default Values | Description
Timer: 90 seconds | The data source will be refreshed every 90 seconds.
Retries: 2 | If an error is detected, the operation is retried twice.
IntervalRetries: 30 seconds | Once an error is found, the operation is retried after 30 seconds.
ErrorRetryTime: 600 seconds | In the case that the number of errors exceeds the number specified in Number of Tries (in this case more than once), we will wait for 600 seconds before starting the check again.

Tip: If users are experiencing problems with system performance, the timer value can be increased.

6.1.7 Monitor Filters

Besides the filters in the data source configuration described in section 6.1.4 - Filters, any monitor for any iSeries Job ThinAgent can have a specific filter. The configuration variables potentially available for these monitor filters are:

Configuration Variables | Valid Values
Job Name | A specific job name, a generic name, or *ALL special value
User Name | A specific user name, a generic name, or *ALL special value
Current User Profile | A specific user name, a generic name, or *ALL special value
Subsystem | A specific subsystem name, a generic name, or *ALL special value
Subsystem Library | A specific subsystem library name, a generic name, or *ALL special value
Job Type | See valid values for Job Type variables in section 6.1.4
Current Active Status | Any of the valid values for "Status" column in a WRKACTJOB command screen
Minimum temporary storage used (MB) threshold | A numeric value
Minimum processing unit used (%) Threshold | A numeric value


6.2 Job ThinAgents Variables

If you specify *HIGH as the Job Detail in the Data Source Filters, all iSeries Job ThinAgents retrieve a larger list of variables than is available with a *LOW job detail. If you have selected a *LOW job detail, each Job ThinAgent retrieves only its specific list of variables. In the next sections you will find the lists for each ThinAgent. These variables can be used in any monitor attached to the same data source. They are also used to create the system snapshot that is included in all message templates, so that you have all the relevant data at hand when you encounter a problem.

You will notice that not all the variables are shown when the monitor is first created. They are retrieved and become visible after the first successful execution of the monitor.

The variables retrieved for the iSeries Job ThinAgents can be system general variables, for all jobs in the system, or variables for specific jobs.

6.2.1 System General Variables

The system general variables are:

Variable name Description

averageResponseTime Average Response Time (ms) Of The System

currentProcessingCapacity Current Processing Capacity Of The System

elapsedTime Measure Elapsed Time (s)

elapsedTimeInMilliseconds Measure Elapsed Time (ms)

Host iSeries IP address or hostname

interactionsAboveRange5 Number Of Jobs With More Interactions Than Specified In Range 5 During The Elapsed Time In The System

interactionsBelowRange1 Number Of Jobs With Less Interactions Than Specified In Range 1 During The Elapsed Time In The System

interactionsBelowRange2 Number Of Jobs With Less Interactions Than Specified In Range 2 And More Interactions Than Specified In Range 1 During The Elapsed Time In The System

interactionsBelowRange3 Number Of Jobs With Less Interactions Than Specified In Range 3 And More Interactions Than Specified In Range 2 During The Elapsed Time In The System

interactionsBelowRange4 Number Of Jobs With Less Interactions Than Specified In Range 4 And More Interactions Than Specified In Range 3 During The Elapsed Time In The System

interactionsBelowRange5 Number Of Jobs With Less Interactions Than Specified In Range 5 And More Interactions Than Specified In Range 4 During The Elapsed Time In The System

maximumResponseTime Maximum Response Time (ms) (The Job With The Highest Response Time) In The System

minimumResponseTime Minimum Response Time (ms) (The Job With The Lowest Response Time) In The System

percentCPUUsed Total Percent Processing Unit Time (%) Used on the System

range1 The Value Of The Range 1 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 1 In The System)

range2 The Value Of The Range 2 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 2 And More Than Range 1 In The System)

range3 The Value Of The Range 3 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 3 And More Than Range 2 In The System)

range4 The Value Of The Range 4 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 4 And More Than Range 3 In The System)

range5 The Value Of The Range 5 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 5 And More Than Range 4 In The System)

systemDateAndTime Current Date And Time Of The System (CYYMMDDHHMMSS format)

systemDateAndTimeDescriptive Current Date And Time Of The System (Human-readable format)

systemDateAndTimeInMinutes Current Date And Time Of The System (in minutes)

systemName System Name

totalActiveJobCount Total Number Of Active Jobs In The System

totalDatabaseLockWaits Total Number Of Database Lock Waits In The System

totalInteractiveJobCount Total Number Of Interactive Jobs In The System

totalInternalMachineLockWaits Total Number Of Internal Machine Lock Waits In The System

totalNondatabaseLockWaits Total Number Of Nondatabase Lock Waits In The System

totalThreadCount Total Number Of Threads In The System

totalTimeSpentOnDatabaseLockWaits Total Time Spent (ms) On Database Lock Waits In The System

totalTimeSpentOnInternalMachineLockWaits Total Time Spent (ms) On Internal Machine Lock Waits In The System

totalTimeSpentOnNondatabaseLockWaits Total Time Spent (ms) On Nondatabase Lock Waits In The System

VSMEventHasData TRUE if the event has valid data, FALSE if there are no elements that match the filters

6.2.2 Job-Specific Variables

If you specify a *LOW job detail in the data source, the variables for a specific job depend on each specific monitor. You can find the list of available variables in the corresponding section for each job monitor. If you have specified a *HIGH job detail in the data source, the variables for a specific job are as follows:

Variable name Description

activeJobStatus Active Job Status

activeJobStatusForJobsEnding Active Job Status For Jobs Ending

currentJobStatus Current Job Status

currentSystemPoolIdentifier Current System Pool Identifier

currentUserProfile Current User Profile

dateAndTimeJobBecameActive Date And Time Job Became Active

dateAndTimeJobBecameActiveDescriptive Date And Time Job Became Active (Human-readable format)

dateAndTimeJobBecameActiveInMinutes Date And Time Job Became Active (in minutes)

dateAndTimeJobEnteredSystem Date And Time Job Entered System

dateAndTimeJobEnteredSystemDescriptive Date And Time Job Entered System (Human-readable format)

dateAndTimeJobEnteredSystemInMinutes Date And Time Job Entered System (in minutes)

dateAndTimeOfLastInteraction Date And Time Of Last Interaction (in minutes) (Zero for non-interactive jobs)

deviceName Device Name


functionName Function Name

functionType Function Type

groupProfileName Group Profile Name

jobDate Job Date

jobDescriptionNameQualified Job Description Name – Qualified

jobInformationStatus Job Information Status

jobName Job Name

jobNumber Job Number

jobQueueNameQualified Job Queue Name – Qualified

jobSubtype Job Subtype

jobType Job Type

jobTypeEnhanced Job Type Enhanced

jobUserIdentity Job User Identity

library Subsystem Library

memoryPoolName Memory Pool Name

numberOfAuxiliaryIORequests Number Of Auxiliary I/O Requests

numberOfDatabaseLockWaits Number Of Database Lock Waits

numberOfDatabaseLockWaitsDuringTheInterval Number Of Database Lock Waits During The Interval

numberOfInteractiveTransactions Number Of Interactive Transactions

numberOfInteractiveTransactionsDuringTheInterval Number Of Interactive Transactions During The Interval

numberOfInternalMachineLockWaits Number Of Internal Machine Lock Waits

numberOfInternalMachineLockWaitsDuringTheInterval Number Of Internal Machine Lock Waits During The Interval

numberOfNondatabaseLockWaits Number Of Nondatabase Lock Waits

numberOfNondatabaseLockWaitsDuringTheInterval Number Of Nondatabase Lock Waits During The Interval

percentProcessingUnitTimeUsedDuringTheInterval Processing Unit Time Used (%) During The Interval

printerDeviceName Printer Device Name

processIDNumber Process ID Number


processingUnitTimeUsedDuringTheInterval Processing Unit Time Used (ms) During The Interval

responseTimeDuringTheInterval Response Time (ms) During The Interval

responseTimePerTransactionDuringTheInterval Response Time (ms) Per Transaction During The Interval

responseTimePerTransactionDuringTheIntervalInSeconds Response Time (s) Per Transaction During The Interval

responseTotalTime Response Total Time (ms)

responseTotalTimeInSeconds Response Total Time (s)

runPriority Run Priority

serverType Server Type

subsystem Subsystem

subsystemDescriptionNameQualified Subsystem Description Name – Qualified

systemPoolIdentifier System Pool Identifier

temporaryStorageUsedInMegabytes Temporary Storage Used (MB)

threadCount Thread Count

timeOnCurrentStatus Time (s) On Current Status

timeSlice Time Slice (ms)

timeSpentOnDatabaseLockWaits Time (ms) Spent On Database Lock Waits

timeSpentOnDatabaseLockWaitsDuringTheInterval Time Spent (ms) On Database Lock Waits During The Interval

timeSpentOnInternalMachineLockWaits Time Spent (ms) On Internal Machine Lock Waits

timeSpentOnInternalMachineLockWaitsDuringTheInterval Time Spent (ms) On Internal Machine Lock Waits During The Interval

timeSpentOnNondatabaseLockWaits Time Spent (ms) On Nondatabase Lock Waits

timeSpentOnNondatabaseLockWaitsDuringTheInterval Time Spent (ms) On Nondatabase Lock Waits During The Interval

totalProcessingUnitTimeUsed Total Processing Unit Time Used (ms)

totalProcessingUnitTimeUsedForDatabase Total Processing Unit Time Used (ms) For Database

username User Name


6.3 Field Map: SmartConsole – ThinkServer

These ThinAgents send the SmartConsole one global message summarizing the health of all jobs in the system, and a message for each individual job.

The following tables show how the different variables are represented in the SmartConsole and the ThinkServer, along with a description of the variables. You can change these settings to suit your needs.

Important: If you have selected a *LOW job detail, the ThinAgents will retrieve only some of the variables listed below, and the remaining variables will therefore arrive at the SmartConsole without values. All Job ThinAgents have been carefully designed so that the most important variables for each ThinAgent are retrieved in *LOW job detail, which should meet your requirements.

The default field map of the global health message is set in Event Variables and contains the following variables:

SmartConsole ThinkServer Description

Var1 VSMScriptID Name of the Script

Var2 systemName iSeries name

Var3 currentProcessingCapacity Current Processing Capacity Of The System

Var4 totalActiveJobCount Total Number Of Active Jobs In The System

Var5 totalThreadCount Total Number Of Threads In The System

Var6 totalInteractiveJobCount Total Number Of Interactive Jobs In The System

Var7 totalDatabaseLockWaits Total Number Of Database Lock Waits In The System

Var8 totalInternalMachineLockWaits Total Number Of Internal Machine Lock Waits In The System

Var9 totalNondatabaseLockWaits Total Number Of Nondatabase Lock Waits In The System

Var10 totalTimeSpentOnDatabaseLockWaits Total Time Spent (ms) On Database Lock Waits In The System

Var11 totalTimeSpentOnInternalMachineLockWaits Total Time Spent (ms) On Internal Machine Lock Waits In The System

Var12 totalTimeSpentOnNondatabaseLockWaits Total Time Spent (ms) On Nondatabase Lock Waits In The System

Var13 minimumResponseTime Minimum Response Time (ms) (The Job With The Lowest Response Time) In The System


Var14 averageResponseTime Average Response Time (ms) Of The System

Var15 maximumResponseTime Maximum Response Time (ms) (The Job With The Highest Response Time) In The System

Var16 range1 The Value Of The Range 1 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 1 In The System)

Var17 range2 The Value Of The Range 2 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 2 And More Than Range 1 In The System)

Var18 range3 The Value Of The Range 3 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 3 And More Than Range 2 In The System)

Var19 range4 The Value Of The Range 4 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 4 And More Than Range 3 In The System)

Var20 range5 The Value Of The Range 5 Variable (It Is Used To Count The Number Of Jobs With Less Interactions Than Range 5 And More Than Range 4 In The System)

Var21 interactionsBelowRange1 Number Of Jobs With Less Interactions Than Specified In Range 1 During The Elapsed Time In The System

Var22 interactionsBelowRange2 Number Of Jobs With Less Interactions Than Specified In Range 2 And More Interactions Than Specified In Range 1 During The Elapsed Time In The System

Var23 interactionsBelowRange3 Number Of Jobs With Less Interactions Than Specified In Range 3 And More Interactions Than Specified In Range 2 During The Elapsed Time In The System

Var24 interactionsBelowRange4 Number Of Jobs With Less Interactions Than Specified In Range 4 And More Interactions Than Specified In Range 3 During The Elapsed Time In The System

Var25 interactionsBelowRange5 Number Of Jobs With Less Interactions Than Specified In Range 5 And More Interactions Than Specified In Range 4 During The Elapsed Time In The System

Var26 interactionsAboveRange5 Number Of Jobs With More Interactions Than Specified In Range 5 During The Elapsed Time In The System

Var27 elapsedTimeInMilliseconds Measure Elapsed Time (ms)

Var28 elapsedTime Measure Elapsed Time (s)

Var29 systemDateAndTimeDescriptive Current Date And Time Of The System (Human-readable format)

Var30 systemDateAndTime Current Date And Time Of The System (CYYMMDDHHMMSS format)

Var31 systemDateAndTimeInMinutes Current Date And Time Of The System (in minutes)

Var32 percentCPUUsed Total Percent Processing Unit Time (%) Used on the System

The variables sent to the SmartConsole for the individual messages are set in Post Health-Check Actions and by default include the following variables:

SmartConsole ThinkServer Description

Var1 VSMScriptID Name of the Script

Var2 Host iSeries IP address or hostname

Var3 systemDateAndTime Current Date And Time Of The System (CYYMMDDHHMMSS format)


Var4 systemDateAndTimeDescriptive Current Date And Time Of The System (Human-readable format)

Var5 systemDateAndTimeInMinutes Current Date And Time Of The System (in minutes)

Var6 jobNumber Job Number

Var7 userName User Name

Var8 jobName Job Name

Var9 activeJobStatus Active Job Status

Var10 currentSystemPoolIdentifier Current System Pool Identifier

Var11 currentUserProfile Current User Profile

Var12 dateAndTimeJobBecameActiveInMinutes Date And Time Job Became Active (in minutes)

Var13 dateAndTimeJobEnteredSystemInMinutes Date And Time Job Entered System (in minutes)

Var14 deviceName Device Name

Var15 functionName Function Name

Var16 functionType Function Type

Var17 groupProfileName Group Profile Name

Var18 jobDescriptionNameQualified Job Description Name – Qualified

Var19 jobQueueNameQualified Job Queue Name – Qualified

Var20 jobSubType Job Subtype

Var21 jobType Job Type

Var22 jobTypeEnhanced Job Type Enhanced

Var23 jobUserIdentity Job User Identity

Var24 memoryPoolName Memory Pool Name

Var25 numberOfAuxiliaryIORequests Number Of Auxiliary I/O Requests

Var26 numberOfDatabaseLockWaitsDuringTheInterval Number Of Database Lock Waits During The Interval

Var27 dateAndTimeOfLastInteraction Date And Time Of Last Interaction (in minutes) (Zero for non-interactive jobs)

Var28 numberOfInteractiveTransactionsDuringTheInterval Number Of Interactive Transactions During The Interval

Var29 numberOfInternalMachineLockWaitsDuringTheInterval Number Of Internal Machine Lock Waits During The Interval

Var30 numberOfNondatabaseLockWaitsDuringTheInterval Number Of Nondatabase Lock Waits During The Interval

Var31 percentCPUUsed Total Percent Processing Unit Time (%) Used on the System

Var32 percentProcessingUnitTimeUsedDuringTheInterval Processing Unit Time Used (%) During The Interval

Var33 processingUnitTimeUsedDuringTheInterval Processing Unit Time Used (ms) During The Interval

Var34 responseTimeDuringTheInterval Response Time (ms) During The Interval

Var35 responseTimePerTransactionDuringTheInterval Response Time (ms) Per Transaction During The Interval

Var36 runPriority Run Priority

Var37 subsystemDescriptionNameQualified Subsystem Description Name – Qualified

Var38 temporaryStorageUsedInMegabytes Temporary Storage Used (MB)

Var39 threadCount Thread Count

Var40 timeOnCurrentStatus Time (s) On Current Status

6.4 Interactive Job Inactivity

The iSeries Interactive Job Inactivity monitor checks the time of inactivity of the specified interactive job. The Filters tab allows you to select which jobs to monitor.

6.4.1 Default Health Configuration

The iSeries Interactive Job Inactivity monitor comes preconfigured to set object health to:

• Warning: if the job is interactive and there has been no input from the session for 60 or more minutes.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

6.4.2 Default Message Templates

The iSeries Interactive Job Inactivity monitor includes the following default message information:

Global event template

System: &systemName (&Host)

There is a total of &totalActiveJobCount active jobs, of which &totalInteractiveJobCount are interactive, and a total of &totalThreadCount threads.

Specific event template

This interactive job was inactive for &localTimeInactive minutes.

Current value: &localTimeInactive minutes.

Cause: a check has been executed to see if the value of this parameter is within range.

Recovery: No action required.

Host: &Host Subsystem: &subsystem Subsystem library: &library

Job: &jobNumber/&userName/&jobName

Current active status: &activeJobStatus\nCurrent user profile: &currentUserProfile

Job entered the system on &dateAndTimeJobEnteredSystemDescriptive

Job became active on &dateAndTimeJobBecameActiveDescriptive

You can adjust the default templates to suit your monitoring needs.

6.4.3 ThinAgent Variables when Job Detail is *LOW

Besides the system general variables that are always available (see section 6.2.1 - System General Variables on page 15), the job-specific ThinAgent variables available when a *LOW job detail is specified in the data source are listed here:

Variable Name

activeJobStatus

currentUserProfile

dateAndTimeJobBecameActiveDescriptive

dateAndTimeJobEnteredSystemDescriptive

dateAndTimeOfLastInteraction

jobName

jobNumber

jobType

jobTypeEnhanced

subsystemDescriptionNameQualified

userName


Chapter 7 iSeries System Values & Network Attributes ThinAgent

7.1 Introduction

The iSeries System Values and Network Attributes ThinAgent is a very versatile iSeries Agentless Security ThinAgent. It can monitor any combination of up to five iSeries system values and network attributes in any one monitor.

With the iSeries System Values and Network Attributes ThinAgent it is possible to create a huge range of monitors which can cover all your iSeries security tasks.

When creating monitors from this ThinAgent, you select which system values or network attributes you wish to monitor while configuring the data source and monitor settings. There are over 150 valid values and attributes to choose from, which are listed in the appendix of this document.

7.2 Data Source and Monitor Configuration

When you open the iSeries System Values and Network Attributes ThinAgent, you will first be asked to configure the data source for the monitor. The data source and monitor are configured in the same window, which contains main monitor information details and four tabs:

• General Connection Settings

• Advanced Connection Settings

• System Values and Network Attributes

• General Settings

Note: The settings can be changed to suit your needs. The default values are shown in the following tables.


7.2.1 Main Information

Configuration Variables & Default Values Description

Name: iSeries System Values and Network Attributes Agent (#) Name of the monitor. Use the default provided or enter a new name for the data source. Each new monitor, by default, will be assigned a sequential numerical value in parentheses.

Description: Enter a description of the data source

7.2.2 General Connection Settings tab

Configuration Variables & Default Values Description

iSeries hostname: The host name or IP address of the iSeries host to which to connect.

iSeries username: The user name to use in order to log into the iSeries host.

iSeries password: The password associated with the user name.

7.2.3 Advanced Connection Settings tab

Configuration Variables & Default Values Description

Java System i Server Address: localhost The host on which the Java System i Server is running. In a default installation, it should be localhost or 127.0.0.1.

Java System i Server Port: 8082 The port on which the Java System i Server is listening. In a default installation, it should be port 8082.

7.2.4 System Values and Network Attributes Tab

The System Values and Network Attributes tab is where you customise the monitor so that it monitors exactly what you want. You can enter a combination of up to five different system values or network attributes, adding only one to each of the available fields.

For a list of all valid iSeries system values and network attributes and their descriptions, see Appendix A-D.


Figure 2 – The System Values and Network Attributes tab in the DataSource & Monitor Configuration window. In this example we can see the iSeries Security Level Agent which uses the QSECURITY system value by default.

7.2.5 General Settings Tab

Configuration Variables & Default Values Description

Timer: 60 The data source will be refreshed every 60 seconds.

Retries: 2 If an error is detected, the operation is retried twice.

IntervalRetries: 15 Once an error is found, the operation is retried after 15 seconds.

ErrorRetryTime: 600 In the case that the number of errors exceeds the number specified in Number of Tries (in this case more than once), we will wait for 600 seconds before starting the check again.

7.3 ThinAgent-Specific Variables

The iSeries System Values and Network Attributes ThinAgent has no default variables. Variables are added when you create the monitor. The variables used by each individual monitor depend on the system values or network attributes selected for monitoring in the Data Source and Monitor Configuration.

7.4 ThinAgents

The iSeries System Values and Network Attributes ThinAgent comes with ten pre-configured monitors that make it easy to get started and also serve as examples and guidelines for creating further custom monitors.

There is also a further generic monitor included, which comes with no pre-configured system values and is ready for you to add your own configuration.


Each of the iSeries System Values and Network Attributes monitors is explained in the following sections.

7.5 Attention Program Monitor

The Attention Program monitor checks that the attention program defined by the QATNPGM (attention program) system value is set to the default one. Non-default programs could have security holes that could allow privilege escalation.

7.5.1 System Values and Network Attributes

Configuration Variables & Default Values Description

System Value 1: QATNPGM Attention program

QATNPGM is the attention program system value. The first 10 characters contain the program name and the last 10 characters contain the library name. The following special values are allowed:

• *ASSIST: The Operational Assistant main menu appears when the Attention key is pressed.

• *NONE: No attention program is called when the Attention key is pressed.

7.5.2 Default Health Configuration

The Attention Program monitor comes preconfigured to set object health to:

• Warning: if the QATNPGM value is anything other than *NONE, *ASSIST or QEZMAIN QSYS.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.5.3 Default Message Templates

The Attention Program monitor includes the following default message information:

Critical / Warning / Minor:

The attention program is not set to an adequate value.

The attention program is shown when the user presses the attention key. Setting this value to other than *NONE or *ASSIST (QSYS/QEZMAIN) implies a security hazard because external applications could allow authority escalation to unauthorized users.

Current value: QATNPGM = &QATNPGM

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QATNPGM to the recommended value (*NONE or *ASSIST) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The attention program is set to an adequate value.

The attention program is shown when the user presses the attention key.

Current value: QATNPGM = &QATNPGM

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

The system value QATNPGM is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

Note: Some system values and network attributes that return numbers are actually treated as strings; for example, the Days Password Valid monitor is configured to produce a warning if the QPWDEXPITV value is greater than 000090.

Note: All System Values and Network Attributes ThinAgents intrinsically recover the system hostname (SYSNAME network attribute).

7.6 Auditing Control Monitor

The Auditing Control monitor checks that the auditing control defined by the QAUDCTL (auditing control) system value is set to audit critical parts of the system.

7.6.1 System Values and Network Attributes

Configuration Variables & Default Values Description

System Value 1: QAUDCTL Auditing control

System Value 2: QAUDLVL Auditing level

System Value 3: QAUDLVL2 Auditing level 2

The QAUDCTL system value is the on/off switch for object- and user-level auditing. The values allowed are:

• *NONE: No auditing of objects and no auditing of user actions will be done on the system. In addition, no auditing that is controlled by the QAUDLVL system value will be done.

• *OBJAUD: Objects that have been selected by the Change Object Auditing (CHGOBJAUD) command will be audited.

• *AUDLVL: Changes controlled by the QAUDLVL system value and the AUDLVL parameter on the Change User Auditing (CHGUSRAUD) command will be audited.

QAUDLVL is the security auditing level. This system value specifies the level of security auditing that should occur on the system.


The values allowed are:

• *AUTFAIL: Authorization failures are audited.

• *CREATE: The creation of objects is audited.

• *DELETE: All object deletions are audited.

• *JOBDTA: Actions by an audited user that affect a job will be audited.

• *NONE: No auditing occurs on the system.

• *OBJMGT: Function of generic objects is audited.

• *OFCSRV: Auditing of OfficeVision licensed program.

• *PGMADP: Program adoption.

• *PGMFAIL: Integrity violations (for example, blocked instruction, validation value failure, and domain violation) are audited.

• *PRTDTA: Printing of spool files or direct printing.

• *SAVRST: Save and restore information is audited.

• *SECURITY: All security-related functions are audited.

• *SERVICE: Use of the system service tools by a user will be audited.

• *SPLFDTA: Spool file auditing.

• *SYSMGT: Use of system management functions by an audited user will be audited.

7.6.2 Default Health Configuration

The Auditing Control monitor comes preconfigured to set object health to:

• Warning: if the QAUDCTL value is equal to “*NONE”.

• Minor: if the QAUDCTL.find('*OBJAUD') value is equal to -1 or the QAUDCTL.find('*AUDLVL') value is equal to -1.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.6.3 Default Message TemplatesThe Auditing Control monitor includes the following default message information:

The system values QAUDCTL and QAUDLVL are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

© 2013 Tango/04 Computing Group Page 31

Page 39: iSeries Agentless Security User Guide - HelpSystems

iSeries System Values & Network Attributes ThinAgent

7.7 Days Password Valid MonitorThe Days Password Valid monitor checks that the days a password, defined by the QPWDEXPITV (days password valid) system value, is valid and is low enough to warrant proper password changing, that prevents the use of the same password indefinitely.

7.7.1 System Values and Network Attributes

QPWDEXPITV is the system value for the password expiration interval. It controls the number of days that passwords are valid by keeping track of the number of days since you changed your password or created a user profile. The possible values are:

• *NOMAX: A password can be used an unlimited number of days.

• 1-366: The number of days before the password cannot be used.

7.7.2 Default Health Configuration

The Days Password Valid monitor comes preconfigured to set object health to:

• Warning: if the QPWDEXPITV value is equal to "*NOMAX" or the QPWDEXPITV value is greater than 000090.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

Critical / Warning / Minor:

The auditing control is not configured properly.

This system value is the on/off switch for object-level and user-level auditing. Neither *OBJAUD nor *AUDLVL are set. Not auditing the system will prevent tracking dangerous changes made by users.

Current value: QAUDCTL = &QAUDCTL

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QAUDCTL to the recommended value (*OBJAUD and *AUDLVL) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The auditing control is configured properly.

This system value is the on/off switch for object-level and user-level auditing.

Current value: QAUDCTL = &QAUDCTL

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

Configuration Variables & Default Values Description

System Value 1: QPWDEXPITV Days password valid


7.7.3 Default Message Templates

The Job Duration Monitor includes the following default message information:

The system value QPWDEXPITV is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.8 Duplicate Password Monitor

The Duplicate Password monitor checks that passwords, as controlled by the QPWDRQDDIF (duplicate password) system value, are not reused when being changed, in order to prevent the same set of passwords from being used indefinitely.

7.8.1 System Values and Network Attributes

QPWDRQDDIF controls duplicate passwords. The possible values are:

• 0: A password can be the same as any previously used password (except the immediately preceding password).

Critical / Warning / Minor:

The days password valid system value is not set to an adequate value.

The days password valid system value controls the number of days that passwords are valid. Setting this value to *NOMAX or too many days implies a security hazard because a brute force attack could be performed during this time and allow password disclosure. Notice that this system value might not be applied to all user profiles because it can be specified for each user profile independently.

Current value: QPWDEXPITV = &QPWDEXPITV

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QPWDEXPITV to the recommended value (90 or less) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The days password valid system value is set to an adequate value.

The days password valid system value controls the number of days that passwords are valid. Setting this value to *NOMAX or too many days implies a security hazard because a brute force attack could be performed during this time and allow password disclosure. Notice that this system value might not be applied to all user profiles because it can be specified for each user profile independently.

Current value: QPWDEXPITV = &QPWDEXPITV

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

Configuration Variables & Default Values Description

System Value 1: QPWDRQDDIF Duplicate password


• 1: A password must be different from the previous 32 passwords.

• 2: A password must be different from the previous 24 passwords.

• 3: A password must be different from the previous 18 passwords.

• 4: A password must be different from the previous 12 passwords.

• 5: A password must be different from the previous 10 passwords.

• 6: A password must be different from the previous 8 passwords.

• 7: A password must be different from the previous 6 passwords.

• 8: A password must be different from the previous 4 passwords.

7.8.2 Default Health Configuration

The Duplicate Password monitor comes preconfigured to set object health to:

• Warning: if the QPWDRQDDIF value is equal to "0" or greater than "5".

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.8.3 Default Message Templates

The Duplicate Password monitor includes the following default message information:

Critical:

The duplicate password system value is not correct.

This system value controls how many different passwords have to be used before being able to re-use an older one. Using always the same set of passwords is a security hazard which could allow password disclosure through a brute force attack.

Current value: QPWDRQDDIF = &QPWDRQDDIF

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QPWDRQDDIF to the recommended value (1, 2, 3, 4 or 5) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)


The system value QPWDRQDDIF is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.9 Generic System Values and Network Attributes Monitor

The Generic iSeries System Values and Network Attributes monitor does not come preconfigured with any system values or network attributes and is simply ready for you to add your own configuration.

No system values or network attributes were configured. Please, configure at least one variable.

7.9.1 Default Health Configuration

The Generic iSeries System Values and Network Attributes monitor comes preconfigured to set object health to:

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.9.2 Default Message Templates

The Generic iSeries System Values and Network Attributes monitor includes the following default message information:

Warning / Minor:

The duplicate password system value is not correct.

This system value controls how many different passwords have to be used before being able to re-use an older one. Using always the same set of passwords is a security hazard which could allow password disclosure through a brute force attack.

Current value: QPWDRQDDIF = &QPWDRQDDIF

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QINACTITV to the recommended value (1, 2, 3, 4 or 5) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The duplicate password system value is correct.

This system value controls how many different passwords have to be used before being able to re-use an older one. Using always the same set of passwords is a security hazard which could allow password disclosure through a brute force attack.

Current value: QPWDRQDDIF = &QPWDRQDDIF

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

Note: This monitor will return an error message in VISUAL Message Center Configurator while it runs without any values configured to monitor:


There are no system values included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.10 Inactive Interactive Job Monitor

The Inactive Interactive Job monitor checks that the inactive interactive job time-out defined by the QINACTITV (inactive job time-out) system value is low enough to prevent on-site user session stealing.

7.10.1 System Values and Network Attributes

QINACTITV specifies the inactive job time-out interval in minutes. It specifies when the system takes action on inactive interactive jobs. QINACTITV must be one of the following values:

• *NONE: The system does not check for inactive interactive jobs.

• 5-300: The number of minutes a job can be inactive before action is taken.

QDSCJOBITV indicates the length of time, in minutes, that an interactive job can be disconnected before it is ended. The values for QDSCJOBITV are:

• 5-1440: The range of the disconnect interval.

• *NONE: There is no disconnect interval.

7.10.2 Default Health Configuration

The Inactive Interactive Job Monitor comes preconfigured to set object health to:

• Warning: if the QINACTITV value is greater than 0000000015 or is equal to "*NONE" or the QDSCJOBITV value is greater than 0000000060 or is equal to "*NONE".

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

Critical / Warning / Minor:

Some retrieved system values or network attributes do not have proper values.

Current value: NONE

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Success:

All retrieved system values and network attributes have proper values.

Current value: NONE

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Configuration Variables & Default Values Description

System Value 1: QINACTITV Inactive job time-out

System Value 2: QDSCJOBITV Disconnect job interval


7.10.3 Default Message Templates

The Inactive Interactive Job Monitor includes the following default message information:

The system values QINACTITV and QDSCJOBITV are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.11 Maximum Not Valid Sign-On Monitor

The Maximum Not Valid Sign-On monitor checks that the maximum number of not valid sign-on attempts, defined by the QMAXSIGN (maximum not valid sign-on) system value, is low enough to prevent brute force attacks, which could lead to password disclosure.

7.11.1 System Values and Network Attributes

QMAXSIGN specifies the maximum number of incorrect sign-on attempts allowed. The possible values are:

• 1-25: The maximum number of sign-on attempts allowed.

• *NOMAX: There is no maximum number of sign-on attempts.

Critical / Warning / Minor:

The inactive job configuration is not correct.

This system value specifies the inactive job time-out interval in minutes. After the time-out interval the system takes action on inactive interactive jobs. A high time-out interval means that the interactive session will remain open for a long time. If the user that opened the session is missing, another user could take over the session and use it illicitly.

Current value: QINACTITV = &QINACTITV QDSCJOBITV = &QDSCJOBITV

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QINACTITV to the recommended value (60 or below) using the CHGSYSVAL command. Set QDSCJOBITV to the recommended value (60 or below) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The inactive job configuration is correct.

This system value specifies the inactive job time-out interval in minutes. After the time-out interval the system takes action on inactive interactive jobs.

Current value: QINACTITV = &QINACTITV QDSCJOBITV = &QDSCJOBITV

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

Configuration Variables & Default Values Description

System Value 1: QMAXSIGN Maximum not valid sign-on


7.11.2 Default Health Configuration

The Maximum Not Valid Sign-On comes preconfigured to set object health to:

• Warning: if the QMAXSIGN value is equal to '*NOMAX' or is more than 000003.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.11.3 Default Message Templates

The Maximum Not Valid Sign-On includes the following default message information:

The system value QMAXSIGN is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.12 Maximum Not Valid Sign-On Action Monitor

The Maximum Not Valid Sign-On Action monitor checks that the maximum not valid sign-on action, defined by the QMAXSGNACN (maximum sign-on action) system value, is set to at least disable the user account in order to prevent forcible attacks, which could lead to password disclosure.

7.12.1 System Values and Network Attributes

Critical / Warning / Minor:

The maximum not valid sign-on system value is not configured properly.

The maximum not valid sign-on system value specified the maximum number of incorrect sign-on attempts allowed before the system takes action. Allowing an infinite number of sign-on attempts allows brute force attacks which could lead to password disclosure.

Current value: QMAXSIGN = &QMAXSIGN

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QMAXSIGN to the recommended value (1-25) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The maximum not valid sign-on system value is configured properly.

The maximum not valid sign-on system value specified the maximum number of incorrect sign-on attempts allowed before the system takes action.

Current value: QMAXSIGN = &QMAXSIGN

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

Configuration Variables & Default Values Description

System Value 1: QMAXSGNACN Maximum sign-on action


QMAXSGNACN specifies the maximum sign-on attempts action or how the system reacts when the maximum number of consecutive incorrect sign-on attempts (the system value QMAXSIGN) is reached. The possible values are:

• 1: Varies off the device if limit is reached.

• 2: Disables the user profile if limit is reached.

• 3: Varies off the device and disables the user profile if the limit is reached.

7.12.2 Default Health Configuration

The Maximum Not Valid Sign-On Action comes preconfigured to set object health to:

• Warning: if the QMAXSGNACN value is less than 2.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.12.3 Default Message Templates

The Maximum Not Valid Sign-On Action includes the following default message information:

Critical / Warning / Minor:

The maximum not valid sign-on action system value is not configured properly.

The maximum not valid sign-on action system value specifies the action to take when maximum number of incorrect sign-on attempts is reached. Disabling the device when remote connections are allowed does not improve the security of the system because devices are assigned every time a connection is created. Disabling only the device allows brute force attacks which could lead to password disclosure.

Current value: QMAXSGNACN = &QMAXSGNACN

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QMAXSGNACN to the recommended value (2-3) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The maximum not valid sign-on action system value is configured properly.

The maximum not valid sign-on action system value specifies the action to take when maximum number of incorrect sign-on attempts is reached. Disabling the device when remote connections are allowed does not improve the security of the system because devices are assigned every time a connection is created. Disabling only the device allows brute force attacks which could lead to password disclosure.

Current value: QMAXSGNACN = &QMAXSGNACN

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)


The system value QMAXSGNACN is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.13 Object Restore Security Monitor

The Object Restore Security monitor checks that the object restore security, defined by the QVFYOBJRST (verify object on restore) system value, is high enough to protect the system from undesired object restorations.

7.13.1 System Values and Network Attributes

QVFYOBJRST is the system value for verify object on restore. This value is used to specify the policy to be used for object signature verification during a restore operation. The possible values are:

• 1: Do not verify signatures on restore. Restore all objects regardless of their signature.

• 2: Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects, even if the signatures are not valid. Restore inherit-state and system-state objects only if they have valid signatures.

• 3: Verify signatures on restore. Restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid. Restore inherit-state and system-state objects only if they have valid signatures.

• 4: Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects, even if the signatures are not valid. Restore inherit-state and system-state objects only if they have valid signatures.

• 5: Verify signatures on restore. Do not restore unsigned user-state objects. Restore signed user-state objects only if the signatures are valid. Restore inherit-state and system-state objects only if they have valid signatures.

QALWOBJRST specifies a list of security options that are used when restoring objects to the system:

• *ALL: All objects regardless of any security sensitive attributes or validation errors will be restored.

• *NONE: No objects with security sensitive attributes will be restored.

• *ALWSYSSTT: Allow restore of system state objects.

• *ALWPGMADP: Allow restore of objects that adopt authority.

• *ALWPTF: Allow system state objects, objects that adopt authority, objects that have the S_ISUID (set-user-ID) attribute enabled, and objects that have the S_ISGID (set-group-ID) attribute enabled to be restored to the system during PTF install.

• *ALWSETUID: Allows files that have the S_ISUID (set-user-ID) attribute enabled to be restored.

Configuration Variables & Default Values Description

System Value 1: QVFYOBJRST Verify object on restore

System Value 2: QALWOBJRST Allow object restore options


• *ALWSETGID: Allows files that have the S_ISGID (set-group-ID) attribute enabled to be restored.

• *ALWVLDERR: Allow objects with validation errors to be restored.

7.13.2 Default Health Configuration

The Object Restore Security comes preconfigured to set object health to:

• Warning: if the QVFYOBJRST value is less than 2.

• Minor: if the QVFYOBJRST value is less than 5 or is not '*NONE'.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.13.3 Default Message Templates

The Object Restore Security includes the following default message information:

The system values QVFYOBJRST and QALWOBJRST are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

Critical / Warning / Minor:

The object restore security does not have proper values.

These system values are used to specify the policy to be used for object signature verification during a restore operation and a list of security options that are used when restoring objects to the system. The current values either do not check for security sensitive attributes and validation errors or do not verify signatures on restore properly.

Current value: QVFYOBJRST = &QVFYOBJRST QALWOBJRST = &QALWOBJRST

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QVFYOBJRST to the recommended value (5) using the CHGSYSVAL command. Set QALWOBJRST to the recommended value (*NONE) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The object restore security has proper values.

These system values are used to specify the policy to be used for object signature verification during a restore operation and a list of security options that are used when restoring objects to the system.

Current value: QVFYOBJRST = &QVFYOBJRST QALWOBJRST = &QALWOBJRST

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

7.14 Password Level Monitor

The Password Level monitor checks that the password level, defined by the QPWDLVL (password level) system value, is high enough to warrant good passwords, and also that the minimum password length, defined by the QPWDMINLEN (minimum password length) system value, is high enough to warrant long passwords for increased security.

7.14.1 System Values and Network Attributes

QPWDLVL specifies the level of password support on the system. The possible values are:

• 0: User profile passwords with a length of 1-10 characters are supported.

• 1: User profile passwords with a length of 1-10 characters are supported. AS/400 NetServer passwords for Windows 95/98/ME clients will be removed from the system.

• 2: User profile passwords with a length of 1-128 characters are supported.

• 3: User profile passwords with a length of 1-128 characters are supported. AS/400 NetServer passwords for Windows 95/98/ME clients will be removed from the system.

QPWDMINLEN specifies the minimum length of a password. It controls the minimum number of characters in a password. The possible values are:

• 1-128: The minimum number of characters that can be specified for a password.

If the system is operating at QPWDLVL (password level) 0 or 1, the valid range is 1-10. If the system is operating at QPWDLVL 2 or 3, the valid range is 1-128.

QPWDMAXLEN specifies the maximum length of a password. It controls the maximum number of characters in a password. The possible values are:

• 1-128: The maximum number of characters that can be specified for a password.

If the system is operating at QPWDLVL (password level) 0 or 1, the valid range is 1-10. If the system is operating at QPWDLVL 2 or 3, the valid range is 1-128.

7.14.2 Default Health Configuration

The Password Level Monitor comes preconfigured to set object health to:

• Warning: if the QPWDLVL value is less than 2.

• Minor: if the QPWDMINLEN value is less than 6.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

Configuration Variables & Default Values Description

System Value 1: QPWDLVL Password level

System Value 2: QPWDMINLEN Minimum password length

System Value 3: QPWDMAXLEN Maximum password length

Note: If this system value has been changed since the last IPL, this value is not the password level the system is currently using. This value will be in effect after the next IPL.


7.14.3 Default Message Templates

The Password Level Monitor includes the following default message information:

The system values QPWDLVL and QPWDMINLEN are included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.

7.15 Security Level Monitor

The Security Level monitor checks that the security level, defined by the QSECURITY system value, is high enough to warrant appropriate system security.

7.15.1 System Values and Network Attributes

QSECURITY is the system security level indicator. The possible values are:

• 10: The system does not require a password to sign-on. The user has access to all system resources.

• 20: The system requires a password to sign-on. The user has access to all system resources.

• 30: The system requires a password to sign-on, and users must have authority to access objects and system resources.

Critical / Warning / Minor:

The password level does not have proper values.

These system values specify the length of password supported and the minimum password length. A low length of password or minimum password length will prevent enforcing users to use large passwords. Short passwords are a security hazard because they are vulnerable to brute force attacks which could lead to password disclosure.

Current value: QPWDLVL = &QPWDLVL QPWDMINLEN = &QPWDMINLEN

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QPWDLVL to the recommended value (2 or above) using the CHGSYSVAL command. Set QPWDMINLEN to the recommended value (6 or above) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The password level has proper values.

These system values specify the length of password supported and the minimum password length.

Current value: QPWDLVL = &QPWDLVL QPWDMINLEN = &QPWDMINLEN

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host (&HOSTNAME)

Configuration Variables & Default Values Description

System Value 1: QSECURITY Security level


• 40: The system requires a password to sign-on, and users must have authority to access objects and system resources. Programs that try to access objects through interfaces that are not supported will fail.

• 50: The system requires a password to sign-on, and users must have authority to access objects and system resources. Security and integrity of the QTEMP library and user domain (*USRxxx) objects are enforced. (Use system value QALWUSRDMN to change which libraries allow *USRxxx objects.) Programs fail if they try to pass unsupported parameter values to supported interfaces or if they try to access objects through interfaces that are not supported.

7.15.2 Default Health Configuration

The Security Level monitor comes preconfigured to set object health to:

• Warning: if the QSECURITY value is less than 40.

• Success: if the monitor is able to retrieve data from the iSeries.

We recommend you configure the monitor health to suit your specific requirements.

7.15.3 Default Message Templates

The Security Level monitor includes the following message information:

Note: If this system value has been changed since the last IPL, this value is not the security level the system is currently using. This value will be in effect after the next IPL.

Critical / Warning / Minor:

The security level does not have proper values.

This system value is the system security indicator. From level 40 the system requires a password to sign-on, and users must have authority to access objects and system resources. Programs that try to access objects through interfaces that are not supported will fail. The current security level is below 40 which means a security risk to the system because there could be no required password to sign-on, the users could have access to all system resources or programs that use unsupported interfaces would not fail.

Current value: QSECURITY = &QSECURITY

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: Set QSECURITY to the recommended value (40 or above) using the CHGSYSVAL command.

Host: &Host (&HOSTNAME)

Success:

The security level has proper values.

This system value is the system security indicator. From level 40 the system requires a password to sign-on, and users must have authority to access objects and system resources. Programs that try to access objects through interfaces that are not supported will fail.

Current value: QSECURITY = &QSECURITY

Cause: a check has been executed to see if the value of this system value or network attribute is within range.

Recovery: No action required.

Host: &Host


The system value QSECURITY is included in the template. You must adjust the default templates to include other system values to suit your monitoring needs.
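The default health rules listed in sections 7.6.2 through 7.15.2, collected into one evaluator as an added example (this is not Tango/04 code). The function names, the `NoData` result, testing Warning before Minor, and reading the 7.13.2 Minor rule as applying to QALWOBJRST are assumptions; the sample values are constructed.

```python
# Added example (not Tango/04 code): the default health rules from sections
# 7.6.2-7.15.2 applied to a dict of retrieved system values.
# Assumptions: values arrive as strings (numbers may be zero-padded, such as
# "000090"); Warning is tested before Minor; a missing value yields "NoData".


def num(value):
    """Return an int for numeric strings such as '000090', else None."""
    text = value.strip()
    return int(text) if text.isdigit() else None


def over(value, limit):
    n = num(value)
    return n is not None and n > limit


def under(value, limit):
    n = num(value)
    return n is not None and n < limit


def is_special(value, name):
    return value.strip() == name


# (monitor, required system values, [(severity, predicate), ...])
RULES = [
    ("Auditing Control", ("QAUDCTL",), [
        ("Warning", lambda v: is_special(v["QAUDCTL"], "*NONE")),
        ("Minor", lambda v: v["QAUDCTL"].find("*OBJAUD") == -1
         or v["QAUDCTL"].find("*AUDLVL") == -1),
    ]),
    ("Days Password Valid", ("QPWDEXPITV",), [
        ("Warning", lambda v: is_special(v["QPWDEXPITV"], "*NOMAX")
         or over(v["QPWDEXPITV"], 90)),
    ]),
    ("Duplicate Password", ("QPWDRQDDIF",), [
        ("Warning", lambda v: num(v["QPWDRQDDIF"]) == 0
         or over(v["QPWDRQDDIF"], 5)),
    ]),
    ("Inactive Interactive Job", ("QINACTITV", "QDSCJOBITV"), [
        ("Warning", lambda v: over(v["QINACTITV"], 15)
         or is_special(v["QINACTITV"], "*NONE")
         or over(v["QDSCJOBITV"], 60)
         or is_special(v["QDSCJOBITV"], "*NONE")),
    ]),
    ("Maximum Not Valid Sign-On", ("QMAXSIGN",), [
        ("Warning", lambda v: is_special(v["QMAXSIGN"], "*NOMAX")
         or over(v["QMAXSIGN"], 3)),
    ]),
    ("Maximum Not Valid Sign-On Action", ("QMAXSGNACN",), [
        ("Warning", lambda v: under(v["QMAXSGNACN"], 2)),
    ]),
    ("Object Restore Security", ("QVFYOBJRST", "QALWOBJRST"), [
        ("Warning", lambda v: under(v["QVFYOBJRST"], 2)),
        # Assumption: "is not '*NONE'" in 7.13.2 refers to QALWOBJRST.
        ("Minor", lambda v: under(v["QVFYOBJRST"], 5)
         or not is_special(v["QALWOBJRST"], "*NONE")),
    ]),
    ("Password Level", ("QPWDLVL", "QPWDMINLEN"), [
        ("Warning", lambda v: under(v["QPWDLVL"], 2)),
        ("Minor", lambda v: under(v["QPWDMINLEN"], 6)),
    ]),
    ("Security Level", ("QSECURITY",), [
        ("Warning", lambda v: under(v["QSECURITY"], 40)),
    ]),
]


def evaluate(values):
    """Map each monitor name to Warning, Minor, Success or NoData."""
    results = {}
    for monitor, needed, checks in RULES:
        if any(name not in values for name in needed):
            results[monitor] = "NoData"
            continue
        results[monitor] = next(
            (sev for sev, pred in checks if pred(values)), "Success")
    return results


# Constructed sample values for a loosely configured system.
SAMPLE = {
    "QAUDCTL": "*AUDLVL", "QPWDEXPITV": "*NOMAX",
    "QPWDRQDDIF": "1", "QINACTITV": "0000000010",
    "QDSCJOBITV": "*NONE", "QMAXSIGN": "000003",
    "QMAXSGNACN": "1", "QVFYOBJRST": "3",
    "QALWOBJRST": "*ALL", "QPWDLVL": "2",
    "QPWDMINLEN": "5", "QSECURITY": "30",
}

if __name__ == "__main__":
    for monitor, health in evaluate(SAMPLE).items():
        print(f"{health:8} {monitor}")
```

Boundary values pass the default rules: QMAXSIGN of 3, QPWDEXPITV of 90 and QINACTITV of 15 all evaluate to Success because the rules test "greater than".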


Appendix A: Valid System Values

The following iSeries system values are available since OS version V5R4 and can be used in the data source and monitor configuration to create custom monitors.

For an updated list of system values for future OS versions and detailed descriptions of each field, visit the IBM iSeries Information Center Web site:

http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/apis/qwcrsval.htm

System value Type Description

QABNORMSW CHAR(1) Previous end of system indicator

QACGLVL ARRAY(8) of CHAR(10) Accounting level

QACTJOB BINARY(4) Active jobs

QADLACTJ BINARY(4) Additional active jobs

QADLSPLA BINARY(4) Additional storage

QADLTOTJ BINARY(4) Additional total jobs

QALWJOBITP CHAR(1) Allow jobs to be interrupted

QALWOBJRST ARRAY(15) of CHAR(10) Allow object restore options

QALWUSRDMN ARRAY(50) of CHAR(10) Allow user domain

QASTLVL CHAR(10) Assistance level

QATNPGM CHAR(20) Attention program

QAUDCTL ARRAY(5) of CHAR(10) Auditing control

QAUDENDACN CHAR(10) Auditing end action

QAUDFRCLVL BINARY(4) Auditing force level

QAUDLVL ARRAY(16) of CHAR(10) Auditing level


QAUTOCFG CHAR(1) Automatic configuration indicator

QAUTORMT CHAR(1) Automatic configuration for remote controllers

QAUTOSPRPT CHAR(1) Automatic system disabled reporting

QAUTOVRT BINARY(4) Automatic configuration for virtual devices

QBASACTLVL BINARY(4) Base activity level

QBASPOOL BINARY(4) Base pool minimum size

QBOOKPATH ARRAY(5) of CHAR(63) Book and bookshelf search path

QCCSID BINARY(4) Coded character set identifier

QCENTURY CHAR(1) Century indicator

QCFGMSGQ CHAR(20) Configuration message queue

QCHRID CHAR(20) Character set and code page

QCHRIDCTL CHAR(10) Character identifier control

QCMNARB CHAR(10) Communication arbiters

QCMNRCYLMT CHAR(20) Communications recovery limit

QCNTRYID CHAR(2) Country identifier

QCONSOLE CHAR(10) Console name

QCRTAUT CHAR(10) Create authority

QCRTOBJAUD CHAR(10) Create object auditing

QCTLSBSD CHAR(20) Controlling subsystem

QCURSYM CHAR(1) Currency symbol

QDATE CHAR(7) System date

QDATFMT CHAR(3) Date format

QDATSEP CHAR(1) Date separator

QDAY CHAR(3) Day

QDAYOFWEEK CHAR(4) Day of the week

QDBRCVYWT CHAR(1) Database recovery wait

QDECFMT CHAR(1) Decimal format

QDEVNAMING CHAR(10) Device naming convention

QDEVRCYACN CHAR(20) Device recovery action


QDSCJOBITV CHAR(10) Disconnect job interval

QDSPSGNINF CHAR(1) Sign-on information

QDYNPTYADJ CHAR(1) Dynamic priority adjustment

QDYNPTYSCD CHAR(1) Dynamic priority scheduler

QFRCCVNRST CHAR(1) Force conversion on restore

QHOUR CHAR(2) Hour

QHSTLOGSIZ BINARY(4) History log size

QIGC CHAR(1) DBCS installed

QIGCCDEFNT CHAR(20) Double-byte coded font name

QIGCFNTSIZ BINARY(4) Double-byte coded font point size

QINACTITV CHAR(10) Inactive job time-out

QINACTMSGQ CHAR(20) Inactive message queue

QIPLDATTIM CHAR(13) Automatic IPL date and time

QIPLSTS CHAR(1) IPL status

QIPLTYPE CHAR(1) IPL type

QJOBMSGQFL CHAR(10) Job message queue full

QJOBMSGQMX BINARY(4) Job message queue maximum size

QJOBMSGQSZ BINARY(4) Job message queue initial size

QJOBMSGQTL BINARY(4) Maximum job message queue initial size

QJOBSPLA BINARY(4) Initial spooling size

QKBDBUF CHAR(10) Keyboard buffer

QKBDTYPE CHAR(3) Keyboard type

QLANGID CHAR(3) Language identifier

QLEAPADJ BINARY(4) Leap year adjustment

QLIBLCKLVL CHAR(1) Library locking level

QLMTDEVSSN CHAR(1) Limit device session

QLMTSECOFR CHAR(1) Limit security officer

QLOCALE CHAR(2080) Locale path name

QLOGOUTPUT CHAR(10) Job log output


QMAXACTLVL BINARY(4) Maximum activity level

QMAXJOB BINARY(4) Maximum number of jobs

QMAXSGNACN CHAR(1) Maximum sign-on action

QMAXSIGN CHAR(6) Maximum not valid sign-on

QMAXSPLF BINARY(4) Maximum spooled files per job

QMCHPOOL BINARY(4) Machine pool size

QMINUTE CHAR(2) Minute

QMLTTHDACN CHAR(1) Multithreaded job action

QMODEL CHAR(4) System model

QMONTH CHAR(2) Month

QPASTHRSVR CHAR(10) Pass-through servers

QPFRADJ CHAR(1) Performance adjustment

QPRBFTR CHAR(20) Problem filter

QPRBHLDITV BINARY(4) Problem hold interval

QPRCMLTTSK CHAR(1) Processor multitasking

QPRCFEAT CHAR(4) Processor feature code

QPRTDEV CHAR(10) Printer device

QPRTKEYFMT CHAR(10) Print key format

QPRTTXT CHAR(30) Print text

QPWDEXPITV CHAR(6) Days password valid

QPWDLMTAJC CHAR(1) Limit adjacent digits

QPWDLMTCHR CHAR(10) Limit characters

QPWDLMTREP CHAR(1) Limit repeat characters

QPWDLVL BINARY(4) Password level

QPWDMAXLEN BINARY(4) Maximum password length

QPWDMINLEN BINARY(4) Minimum password length

QPWDPOSDIF CHAR(1) Limit character positions

QPWDRQDDGT CHAR(1) Required password digits

QPWDRQDDIF CHAR(1) Duplicate password

QPWDVLDPGM CHAR(20) Password validation program


QPWRDWNLMT BINARY(4) Power down limit

QPWRRSTIPL CHAR(1) Power restore IPL

QQRYDEGREE CHAR(10) Parallel processing degree

QQRYTIMLMT CHAR(10) Query processing time limit

QRCLSPLSTG CHAR(10) Reclaim spool storage

QRETSVRSEC CHAR(1) Retain server security data

QRMTIPL CHAR(1) Remote IPL

QRMTSRVATR CHAR(1) Remote service attribute

QRMTSIGN CHAR(20) Remote sign-on

QSCPFCONS CHAR(1) IPL action with console problem

QSECOND CHAR(2) Second

QSECURITY CHAR(2) Security level

QSETJOBATR ARRAY(16) of CHAR(10) Set job attributes from locale

QSFWERRLOG CHAR(10) Software error log

QSHRMEMCTL CHAR(1) Shared memory control

QSPCENV CHAR(10) Special environment

QSRLNBR CHAR(8) Serial number

QSRTSEQ CHAR(20) Sort sequence table

QSRVDMP CHAR(10) Service dump

QSTGLOWACN CHAR(10) Auxiliary storage lower limit action

QSTGLOWLMT BINARY(4) Auxiliary storage lower limit

QSTRPRTWTR CHAR(1) Start printer writer

QSTRUPPGM CHAR(20) Startup program name

QSTSMSG CHAR(10) Status messages

QSVRAUTITV BINARY(4) Server authentication interval

QSYSLIBL ARRAY(15) of CHAR(10) System library list

QTIME CHAR(9) System time

QTIMSEP CHAR(1) Time separator

QTOTJOB BINARY(4) Total jobs


QTSEPOOL CHAR(10) Time-slice end pool

QUPSDLYTIM CHAR(20) UPS delay time

QUPSMSGQ CHAR(20) UPS message queue

QUSEADPAUT CHAR(10) Use adopted authority

QUSRLIBL ARRAY(25) of CHAR(10) User library list

QUTCOFFSET CHAR(5) Coordinated universal time offset

QVFYOBJRST CHAR(1) Verify object on restore

QYEAR CHAR(2) Year


Appendix B: Valid Network Attributes

The following iSeries network attributes are available since OS version V5R4 and can be used in the data source and monitor configuration to create custom monitors.

For an updated list of system values for future OS versions and detailed descriptions of each field, visit the IBM iSeries Information Center Web site:

http://publib.boulder.ibm.com/infocenter/systems/scope/i5os/topic/apis/qwcrneta.htm

Network attribute Type Description

ALRBCKFP CHAR(16) Alert backup focal point

ALRCTLD CHAR(10) Alert controller

ALRDFTFP CHAR(10) Alert focal point

ALRFTR CHAR(20) Alert filter

ALRHLDCNT BINARY(4) Alert hold count

ALRLOGSTS CHAR(7) Alert logging status

ALRPRIFP CHAR(10) Alert primary focal point

ALRRQSFP CHAR(16) Alert focal point to request

ALRSTS CHAR(10) Alert status

ALWADDCLU CHAR(10) Allow add to cluster

ALWANYNET CHAR(10) Allow AnyNet support

ALWHPRTWR CHAR(10) Allow HPR tower support

ALWVRTAPPN CHAR(10) Allow virtual APPN support

VRTAUTODEV BINARY(4) Autocreate APPC device limit

DDMACC CHAR(20) DDM request access

DFTCNNLST CHAR(10) Default ISDN connection list


DFTMODE CHAR(8) Default mode

DFTNETTYPE CHAR(10) ISDN network type

DTACPR BINARY(4) Data compression

DTACPRINM BINARY(4) Intermediate data compression

HPRPTHTMR CHAR(40) HPR path switch timers

JOBACN CHAR(10) Job action

LCLCPNAME CHAR(8) Local control point

LCLLOCNAME CHAR(8) Local location

LCLNETID CHAR(8) Local network ID

MAXINTSSN BINARY(4) Maximum sessions

MAXHOP BINARY(4) Maximum hop count

MDMCNTRYID CHAR(2) Modem country ID

MSGQ CHAR(20) Message queue

NETSERVER CHAR(85) Server network ID

NODETYPE CHAR(8) APPN node type

NWSDOMAIN CHAR(8) Network server domain

OUTQ CHAR(20) Output queue

PNDSYSNAME CHAR(8) Pending system name

PCSACC CHAR(20) Client Access

RAR BINARY(4) Addition resistance

SYSNAME CHAR(8) Current system name


Appendix C: Python Functions

Among the functions that Python provides, the following are particularly useful for manipulating variables that return a list of values inside a single string, that is, variables that contain multiple values:

Python Function

s.find(sub[,start[,end]]) -> int/-1: offset of sub within start-end

s.rsplit([sep[,maxsplit]]) -> [string]: rightmost words delimited by sep (a)

s.split([sep[,maxsplit]]) -> [string]: words delimited by sep (a)

s.splitlines([keepends]) -> [string]: lines

(a) Default chars/separator/fillchar is space
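An added example (not from the guide) applying these functions to a multi-valued system value such as QSYSLIBL or QAUDLVL from Appendix A, and showing why find() alone is unreliable for membership checks: QSYS matches inside QSYS2. It assumes the value arrives as one string with entries separated by spaces or line breaks; the function names, baselines and sample strings are constructed for illustration.

```python
# Added example, not code from the guide. Assumption: an ARRAY-type system
# value reaches the script as ONE string whose entries are separated by
# spaces and/or line breaks; adapt tokens() if your data uses another separator.

def tokens(raw):
    """Split a multi-valued string into its individual entries."""
    entries = []
    for line in raw.splitlines():      # tolerate one entry group per line
        entries.extend(line.split())   # default separator: runs of whitespace
    return entries

def naive_contains(raw, value):
    """Substring test with find(); also matches inside longer entries."""
    return raw.find(value) != -1

def compare_to_baseline(raw, baseline):
    """Return (missing, unexpected) relative to an approved baseline list."""
    present = tokens(raw)
    missing = [v for v in baseline if v not in present]
    unexpected = [v for v in present if v not in baseline]
    return missing, unexpected

def last_entry(raw):
    """Last entry in the list, taken with rsplit and maxsplit=1."""
    parts = raw.rsplit(None, 1)
    return parts[-1] if parts else ""

# Constructed sample data, not captured from a real system.
SAMPLE_QSYSLIBL = "QSYS2     QHLPSYS   QUSRSYS   TOOLLIB   "
BASELINE_QSYSLIBL = ["QSYS", "QSYS2", "QHLPSYS", "QUSRSYS"]
SAMPLE_QAUDLVL = "*AUTFAIL  *SAVRST\n*SECCFG   *SERVICE"
BASELINE_QAUDLVL = ["*AUTFAIL", "*SAVRST", "*SECURITY", "*SERVICE"]

if __name__ == "__main__":
    # find() reports QSYS as present because it matches inside QSYS2.
    print(naive_contains(SAMPLE_QSYSLIBL, "QSYS"))
    # Exact-entry comparison reports QSYS missing and TOOLLIB unexpected.
    print(compare_to_baseline(SAMPLE_QSYSLIBL, BASELINE_QSYSLIBL))
    print(compare_to_baseline(SAMPLE_QAUDLVL, BASELINE_QAUDLVL))
    print(last_entry(SAMPLE_QSYSLIBL))
```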


Appendix D: Contacting Tango/04

North America

Tango/04 North America
PO BOX 3301
NH 03458 Peterborough
USA
Phone: 1-800-304-6872 / 603-924-7391
Fax: [email protected]

EMEA

Tango/04 Computing Group S.L.
Avda. Meridiana 358, 5 A-B
08027 Barcelona
Spain
Phone: +34 93 274 0051
Fax: +34 93 345 [email protected]

Italy

Tango/04 Italy
Viale Garibaldi 51/53
13100 Vercelli
Italy
Phone: +39 0161 56922
Fax: +39 0161 [email protected]

Sales Office in France

Tango/04 France
La Grande Arche
Paroi Nord 15ème étage
92044 Paris La Défense
France
Phone: +33 01 40 90 34 49
Fax: +33 01 40 90 31 [email protected]

Sales Office in Switzerland

Tango/04 Switzerland
18, Avenue Louis Casaï
CH-1209 Genève
Switzerland
Phone: +41 (0)22 747 7866
Fax: +41 (0)22 747 [email protected]

Latin American Headquarters

Barcelona/04 Computing Group SRL (Argentina)
Avda. Federico Lacroze 2252, Piso 6
1426 Buenos Aires Capital Federal
Argentina
Phone: +54 11 4774-0112
Fax: +54 11 [email protected]


Sales Office in Peru

Barcelona/04 PERÚ
Centro Empresarial Real
Av. Víctor A. Belaúnde 147, Vía Principal 140
Edificio Real Seis, Piso 6
L 27 Lima
Perú
Phone: +51 1 211-2690
Fax: +51 1 [email protected]

Sales Office in Chile

Barcelona/04 Chile
Nueva de Lyon 096 Oficina 702,
Providencia
Santiago
Chile
Phone: +56 2 234-0898
Fax: +56 2 [email protected]


About Tango/04 Computing Group

Tango/04 Computing Group is one of the leading developers of systems management and automation software. Tango/04 software helps companies maintain the operating health of all their business processes, improve service levels, increase productivity, and reduce costs through intelligent management of their IT infrastructure.

Founded in 1991 in Barcelona, Spain, Tango/04 is an IBM Business Partner and a key member of IBM's Autonomic Computing initiative. Tango/04 has more than a thousand customers who are served by over 35 authorized Business Partners around the world.


Partnerships

IBM Business Partner

IBM Autonomic Computing Business Partner

IBM PartnerWorld for Developers Advanced Membership

IBM ISV Advantage Agreement

IBM Early code release

IBM Direct Technical Liaison

Microsoft Developer Network

Microsoft Early Code Release


Legal Notice

The information in this document was created using certain specific equipment and environments, and it is limited in application to those specific hardware and software products and version and release levels.

Any references in this document regarding Tango/04 Computing Group products, software or services do not mean that Tango/04 Computing Group intends to make these available in all countries in which Tango/04 Computing Group operates. Any reference to a Tango/04 Computing Group product, software, or service may be used. Any functionally equivalent product that does not infringe any of Tango/04 Computing Group's intellectual property rights may be used instead of the Tango/04 Computing Group product, software or service.

Tango/04 Computing Group may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents.

The information contained in this document has not been submitted to any formal Tango/04 Computing Group test and is distributed AS IS. The use of this information or the implementation of any of these techniques is a customer responsibility, and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. Despite the fact that Tango/04 Computing Group could have reviewed each item for accurateness in a specific situation, there is no guarantee that the same or similar results will be obtained somewhere else. Customers attempting to adapt these techniques to their own environments do so at their own risk. Tango/04 Computing Group shall not be liable for any damages arising out of your use of the techniques depicted in this document, even if they have been advised of the possibility of such damages. This document could contain technical inaccuracies or typographical errors.

Any pointers in this publication to external web sites are provided for your convenience only and do not, in any manner, serve as an endorsement of these web sites.

The following terms are trademarks of the International Business Machines Corporation in the United States and/or other countries: iSeries, iSeriese, iSeries, i5, DB2, e (logo)®Server IBM ®, Operating System/400, OS/400, i5/OS. Microsoft, SQL Server, Windows, Windows NT, Windows XP and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. UNIX is a registered trademark in the United States and other countries licensed exclusively through The Open Group. Oracle is a registered trademark of Oracle Corporation.

Other company, product, and service names may be trademarks or service marks of other companies.
