<< 1 >>
Rating: 
Summary: Not a good source for recent AS/400 info
Review: Because the book was published in 2001, and it used the AS/400 name in it's title, I expected it to be a good source on recent developments in security on the AS/400 (AKA the IBM iSeries). I am dissapointed. While the information that is included in the book seems generally accurate (I have a few quibbles in areas like QSECURITY, Adopted Authority, CHGSYSLIBL, and CRTAUT to name a few), the big problem is that there are huge chunks of current technologies that are not even addressed in this audit standard. Some examples include, the entire IFS (Integrated File System), Operations Navigator, NetServer and other network servers like SMTP, HTTP, FTP, etc. No reference to exit programs beyond the ancient PCSACC and DDMACC network attirbutes, spotty acknowledgement of System Values added after V3R1 (1995?) and a general lack of understanding of what the potential security exposures might be in areas that were audited. It's one thing to say that you should "discuss with management" the existance on a workstation entry in subsystem QDSNX, but what is an auditor to discuss if the author hasn't explained the potential security exposure? It may be a rally good book with respect ot the other OS's that it purports to cover, but from an OS/400 perspective it is not current enough to be very effective on modern versions.
Rating:
Summary: Not a good source for recent AS/400 info
Review: Because the book was published in 2001, and it used the AS/400 name in it's title, I expected it to be a good source on recent developments in security on the AS/400 (AKA the IBM iSeries). I am dissapointed. While the information that is included in the book seems generally accurate (I have a few quibbles in areas like QSECURITY, Adopted Authority, CHGSYSLIBL, and CRTAUT to name a few), the big problem is that there are huge chunks of current technologies that are not even addressed in this audit standard. Some examples include, the entire IFS (Integrated File System), Operations Navigator, NetServer and other network servers like SMTP, HTTP, FTP, etc. No reference to exit programs beyond the ancient PCSACC and DDMACC network attirbutes, spotty acknowledgement of System Values added after V3R1 (1995?) and a general lack of understanding of what the potential security exposures might be in areas that were audited. It's one thing to say that you should "discuss with management" the existance on a workstation entry in subsystem QDSNX, but what is an auditor to discuss if the author hasn't explained the potential security exposure? It may be a rally good book with respect ot the other OS's that it purports to cover, but from an OS/400 perspective it is not current enough to be very effective on modern versions.
<< 1 >>
| 
