Created November 16, 2019 17:08
Security implementations can and should be monitored closely and on a regular cadence. This is one example where SQL can be used instead of the Analyze Default Passwords (ANZDFTPWD) command.
--
-- Note, this example might take a while to run because it's doing an exhaustive evaluation of which
-- users have *ALLOBJ special authority, either directly in their profile or indirectly via
-- group profile membership.
--
-- Next, those "super" users are evaluated to determine which (if any) of them have their password
-- set to match their user profile. (aka using a default password)
--
-- If this returns zero rows... good!
--
--
-- *ALLOBJ users that have a default password (yikes!)
--
select authorization_name, status
  from qsys2.user_info u
  where user_default_password = 'YES' and
        (special_authorities like '%*ALLOBJ%'
         or authorization_name in (select user_profile_name
               from qsys2.group_profile_entries
               where group_profile_name in (select authorization_name
                     from qsys2.user_info
                     where special_authorities like '%*ALLOBJ%')))
  order by authorization_name;
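
A variant of the query above that also reports where each flagged user's *ALLOBJ comes from (the profile itself, or a named group profile), so the follow-up can target the password, the group membership, or both. This is an added example, not part of the original gist; the `*DIRECT` label and the `allobj_granted_via` column name are made up for illustration, and it assumes LISTAGG is available on your IBM i release.

```sql
-- Added example, not from the original gist.
-- Same check as above, plus the source of the *ALLOBJ authority per user.
with allobj_source (authorization_name, granted_via) as (
    -- *ALLOBJ held directly in the user profile
    -- ('*DIRECT' is an illustrative label; profile names cannot start with '*')
    select authorization_name, cast('*DIRECT' as varchar(10))
      from qsys2.user_info
     where special_authorities like '%*ALLOBJ%'
    union all
    -- *ALLOBJ inherited from a group profile that holds it
    select g.user_profile_name, cast(g.group_profile_name as varchar(10))
      from qsys2.group_profile_entries g
      join qsys2.user_info gp
        on gp.authorization_name = g.group_profile_name
     where gp.special_authorities like '%*ALLOBJ%'
)
select u.authorization_name,
       u.status,
       -- one row per user; every source of *ALLOBJ listed together
       listagg(s.granted_via, ', ')
           within group (order by s.granted_via) as allobj_granted_via
  from qsys2.user_info u
  join allobj_source s
    on s.authorization_name = u.authorization_name
 where u.user_default_password = 'YES'
 group by u.authorization_name, u.status
 order by u.authorization_name;
```

As with the original query, zero rows is the desired result.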