What Is a File Share? A file share allows the directory it's associated with to be available from network interfaces. Think of your network as a long hallway. As you cruise down the hallway, most doors are closed, but a few doors are open (these are the file shares). If you show the guard your pass and it's valid (this is your i5/OS user profile and password), you're allowed to enter a closed door off the hallway. Sometimes, only you can open a certain door, and once it's opened, there's very little to see. (This is an example of a file share for a directory that has no subdirectories and contains only objects you or your group are allowed to work with.) However, on occasion, you may enter a door that takes you through a vast labyrinth of rooms and other hallways with wide-open doors for all to walk through. You may be amazed at the wealth contained in each of the rooms. (This is an example of a file share that's been assigned to the root ('/') directory. Once the root directory is shared, the QSYS.LIB file system is shared. What does that mean? That means that, assuming you have sufficient i5/OS authority, all libraries are available through your network, including the database files in those libraries. Imagine the "wealth" of information stored in those files!
File shares are often used to enable drive mapping. In the Windows world, shares are often defined to enable drive mapping for file and document sharing. The same can be implemented in the IFS. Imagine what is available to you—and every other user on the system—if you map a drive to root and the object authority of all libraries and files is at least *USE. All database files are now available through a Windows Explorer session. Using Risk Assessor to Examine File Shares With the SkyView Risk Assessor product, the SKYSHARES report lists all of the file shares, the directory they're assigned to, and whether they've been defined as read-only or read/write. The QPSECPVT report lists the public authority of root ('/') as well as the root's subdirectories so that you can determine the level of risk the file shares pose to your system. Risk Assessor also provides advice for controlling who can create and modify file shares. Finally, Risk Assessor lists whether a guest profile has been defined, which allows access to the system without an i5/OS profile and password. Using Policy Minder to Manage File Shares Policy Minder allows you to define which file shares your policy allows on each system. Initializing the File Share category will gather the shares currently on the system and define those as your initial policy. You can analyze that list and determine whether any shares need to be removed from the system. Then, when you run a compliance check on the File Share category, the category will be out of compliance if new file shares have been created or an existing file share removed from the system. This compliance check automates the process of managing file shares on your system.
In addition, you can use the Directory Authority category to automate the process of checking the authorities and ownership of IFS directories and files, ensuring those settings remain in compliance with your organization's policies.
File shares are not inherently a security risk, but they can be if they are assigned to the wrong directory or if the object-level security for the directory or library is not appropriate for its contents. Make sure you are using the features of the SkyView products to automate the checking of file shares and other policy settings. |
You must be logged in to view or make comments on this article