The Display Password Limit command uses converted data from QHST and
displays or prints the devices and/or user profiles that have been
disabled because the QMAXSIGN system value limit has been reached.
This provides a good review of attempted break-ins or users who are
having trouble.
There are 2 choices for operating on QHST:

  ** If you are using the DSPQHST2 tool, the CVTQHST2 command is used
     to convert QHST. After CVTQHST2 is used, specify:

          DSPPWDLMT TYPE(*QHST2) LIB(xxx)

  ** If you are not using DSPQHST2, you must first use the CVTQHST
     command to convert the QHST log to the QHSTP file in a named
     library such as:

          CVTQHST QHSTFILE(*ALL) QHSTPLIB(xxx) FROMDATE(*TODAY)

     This converts all QHST messages for the current date.

     The DSPPWDLMT command may then be used:

          DSPPWDLMT TYPE(*QHST) LIB(xxx)

The processing varies somewhat depending on your setting of the
QMAXSGNACN system value. The system shipped default value is '3'
which will cause both the device to be disabled (varied off) and the
user profile to be disabled if the QMAXSIGN system value limit is
reached.
Both types of QHST processing produce similar output. The listing
provides one line for the device/user that was disabled. Additional
lines print with one line per user profile name and the number of
attempted signons.
System values
-------------
   QMAXSIGN      The number of signon attempts before the device
                 and/or user profile is disabled. The system shipped
                 default allows for 3 invalid attempts before taking
                 action. If the limit is reached, the QMAXSGNACN
                 system value determines the action to be performed.

   QMAXSGNACN    The action to be taken when the QMAXSIGN limit is
                 reached.

                   1 = Disable device
                   2 = Disable user profile
                   3 = Disable both the device and user profile

Note that the system does not provide a QHST message if the user
attempts to sign on to a user profile that does not have a password.
SECOFR2 Menu
------------
The TAA supplied SECOFR2 menu may be used to enable a user profile
and vary on a device if they were disabled. Each option on the menu
is controlled by an authorization list to allow authorized users to
perform the functions.
Differences with DSPPWDLMT2
---------------------------
DSPPWDLMT2 lists the users who have successfully signed on after one
or more invalid password attempts for a user profile that is
specified in the USRPRF list.
DSPPWDLMT lists the devices and/or users that have been disabled
because the QMAXSIGN value has been exceeded.
Processing considerations
-------------------------
The DSPPWDLMT function searches for the CPF2234 message ID, which
indicates that an invalid password has been entered. The information
about the device and user profile is stored in internal arrays.
If the CPF1397 message appears, the device has been disabled (varied
off).
If the CPF1393 message appears, the user profile has been disabled.
Both conditions are possible if the QMAXSGNACN value is '3'.
The internal entries are reset following printing or if the CPF1124
message (job start) is found, meaning a successful signon.
All array entries are reset if the CPF0993 message (start of
controlling subsystem) appears.
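
The correlation described above, sketched in Python as an added example; it is not the TAA tool's own CL/RPG code. The record layout (time, message ID, device, user profile) and the sample records are constructed assumptions, since the QHSTP and QHST2 field layouts are not shown here.

```python
INVALID_PWD = "CPF2234"  # invalid password entered
JOB_START = "CPF1124"    # job start, meaning a successful signon
SBS_START = "CPF0993"    # start of controlling subsystem
DISABLE = {"CPF1397": "device", "CPF1393": "user profile"}
MAX_USERS_PER_DEVICE = 50  # limit stated under Restrictions

# Constructed sample records: (time, message ID, device, user profile).
# This tuple layout is an assumption, not the real QHSTP/QHST2 format.
SAMPLE = [
    ("080101", "CPF2234", "DSP01", "JONES"),
    ("080105", "CPF2234", "DSP01", "JONES"),
    ("080110", "CPF1124", "DSP01", "JONES"),    # signed on: DSP01 reset
    ("091500", "CPF2234", "DSP02", "QSECOFR"),
    ("091503", "CPF2234", "DSP02", "QSECOFR"),
    ("091507", "CPF2234", "DSP02", "ADMIN"),
    ("091507", "CPF1397", "DSP02", "ADMIN"),    # device varied off
    ("091507", "CPF1393", "DSP02", "ADMIN"),    # profile disabled
    ("100000", "CPF2234", "DSP03", "SMITH"),
    ("100500", "CPF0993", "", ""),              # subsystem start: all reset
]

def disabled_report(records):
    """Return one entry per disable event, with attempts per user profile."""
    attempts = {}  # device -> {user profile: invalid password count}
    last = {}      # device -> latest report entry, so CPF1397/CPF1393 merge
    report = []
    for time, msgid, device, user in records:
        if msgid == INVALID_PWD:
            per_dev = attempts.setdefault(device, {})
            if user in per_dev or len(per_dev) < MAX_USERS_PER_DEVICE:
                per_dev[user] = per_dev.get(user, 0) + 1
        elif msgid in DISABLE:
            if attempts.get(device):  # "print" the entry, then reset it
                last[device] = {"time": time, "device": device, "user": user,
                                "actions": set(),
                                "attempts": attempts.pop(device)}
                report.append(last[device])
            if device in last:
                last[device]["actions"].add(DISABLE[msgid])
        elif msgid == JOB_START:
            attempts.pop(device, None)
            last.pop(device, None)
        elif msgid == SBS_START:
            attempts.clear()
            last.clear()
    return report

if __name__ == "__main__":
    for entry in disabled_report(SAMPLE):
        print(entry)
```

Only DSP02 is reported: the DSP01 attempts are cleared by the successful signon and the DSP03 attempt by the subsystem start, which is why failed attempts that never reach the QMAXSIGN limit do not appear in this listing.
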
DSPPWDLMT escape messages you can monitor for
---------------------------------------------
None. Escape messages from the functions this tool is based on will
be re-sent.
Command parameters *CMD
------------------
   TYPE          The type of converted QHST file you are using.

                 *QHST should be entered if you have used CVTQHST to
                 create a QHSTP file in a named library.

                 *QHST2 should be entered if you have used CVTQHST2
                 to create a QHST2 file in a named library.

   LIB           The library containing the QHSTP file that was
                 created by CVTQHST or the QHST2 file created by
                 CVTQHST2. The TYPE parameter determines which file
                 must exist.

   FROMDATE      The date and time of the first QHST message to be
                 considered. The default is *FIRST to use the first
                 QHST message.

                 The special value *CURRENT may be entered to mean
                 today's date.

                 A specific date may be entered in job format. If no
                 date is entered, a date of Jan 1, 1940 is used.

                 A specific time may be entered in HHMMSS format. If
                 no time is entered, a time of 000000 is used.

   TODATE        The date and time of the last message to be
                 considered. The default is *LAST to use the current
                 date and the last message in the file.

                 A specific date may be entered in job format. If no
                 date is entered, the current date is used.

                 A specific time may be entered in HHMMSS format. If
                 no time is entered, a time of 235959 is used.

   OUTPUT        How to output the results. * is the default to
                 display the spooled file if the command is entered
                 interactively. The spooled file is deleted after it
                 is displayed.

                 If the command is entered in batch or *PRINT is
                 specified, the spooled file is output and retained.
Restrictions
------------
There is a limit of 50 user profile names that may be stored per
device until reset by printing or a successful signon.
There is a limit of 9999 devices that may be stored until reset by
printing or a successful signon.
Because the processing varies somewhat based on the setting of
QMAXSGNACN, the code assumes that all messages being processed
occurred during the current setting of QMAXSGNACN.
Prerequisites
-------------
The following TAA Tools must be on your system:
   CHKOBJ3       Check object 3
   CVTTIM        Convert time
   EDTVAR        Edit variable
   RSNLSTMSG     Resend last message
   RTVDAT        Retrieve date
   RTVSYSVAL3    Retrieve system value 3
   SNDCOMPMSG    Send completion message
   SNDESCINF     Send escape information
   SNDESCMSG     Send escape message
   SNDSTSMSG     Send status message
Implementation
--------------
None, the tool is ready to use.
Objects used by the tool
------------------------
   Object        Type    Attribute    Src member    Src file
   ------        ----    ---------    ----------    ----------
   DSPPWDLMT     *CMD                 TAASEGS       QATTCMD
   TAASEGSC      *PGM    CLP          TAASEGSC      QATTCL
   TAASEGSR      *PGM    RPG          TAASEGSR      QATTRPG