Partner TechTip: What's the Big Deal About File Shares?
Written by Carol Woodbury
Thursday, 27 September 2007 18:00
What Is a File Share?
A file share makes the directory it's associated with available from network interfaces. Think of your network as a long hallway. As you cruise down the hallway, most doors are closed, but a few doors are open (these are the file shares). If you show the guard your pass and it's valid (this is your i5/OS user profile and password), you're allowed to enter a closed door off the hallway. Sometimes, only you can open a certain door, and once it's opened, there's very little to see. (This is an example of a file share for a directory that has no subdirectories and contains only objects you or your group are allowed to work with.)

However, on occasion, you may enter a door that takes you through a vast labyrinth of rooms and other hallways with wide-open doors for all to walk through. You may be amazed at the wealth contained in each of the rooms. (This is an example of a file share that's been assigned to the root ('/') directory.) Once the root directory is shared, the QSYS.LIB file system is shared. What does that mean? Assuming you have sufficient i5/OS authority, all libraries are available through your network, including the database files in those libraries. Imagine the "wealth" of information stored in those files!
Using Risk Assessor to Examine File Shares
With the SkyView Risk Assessor product, the SKYSHARES report lists all of the file shares, the directory they're assigned to, and whether they've been defined as read-only or read/write. The QPSECPVT report lists the public authority of root ('/') as well as the root's subdirectories so that you can determine the level of risk the file shares pose to your system. Risk Assessor also provides advice for controlling who can create and modify file shares. Finally, Risk Assessor lists whether a guest profile has been defined, which allows access to the system without an i5/OS profile and password.
Using Policy Minder to Manage File Shares
Policy Minder allows you to define which file shares your policy allows on each system. Initializing the File Share category gathers the shares currently on the system and defines those as your initial policy. You can analyze that list and determine whether any shares need to be removed from the system. Then, when you run a compliance check on the File Share category, the category will be out of compliance if new file shares have been created or an existing file share has been removed from the system. This compliance check automates the process of managing file shares on your system.
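The baseline-and-compare check described above, combined with the root and QSYS.LIB exposure concern from the first section, sketched as an added example. It is not SkyView's code or output format: the `Share` record, the finding labels, the CHANGED check, and all share names and paths are assumptions constructed for illustration.

```python
# Added example: constructed data, not SkyView product code.
from typing import NamedTuple

class Share(NamedTuple):
    name: str
    path: str       # directory the share is assigned to
    writable: bool  # True = read/write, False = read-only

def exposes_libraries(path: str) -> bool:
    """True when the share sits on root ('/') or inside /QSYS.LIB."""
    p = path.rstrip("/").upper()
    return p in ("", "/QSYS.LIB") or p.startswith("/QSYS.LIB/")

def check_shares(baseline, current):
    """Return (kind, share name) findings for drift and exposure."""
    base = {s.name: s for s in baseline}
    cur = {s.name: s for s in current}
    findings = [("ADDED", n) for n in sorted(cur.keys() - base.keys())]
    findings += [("REMOVED", n) for n in sorted(base.keys() - cur.keys())]
    # Assumption beyond the article: a share whose directory or access
    # mode differs from the baseline is reported as CHANGED.
    findings += [("CHANGED", n) for n in sorted(cur.keys() & base.keys())
                 if cur[n] != base[n]]
    # Libraries reachable from the network, limited only by object authority.
    for n in sorted(cur):
        if exposes_libraries(cur[n].path):
            mode = "RW" if cur[n].writable else "RO"
            findings.append(("EXPOSES_LIBRARIES_" + mode, n))
    return findings

def in_compliance(findings) -> bool:
    """Out of compliance when a share was added or removed (per the article)."""
    return not any(kind in ("ADDED", "REMOVED") for kind, _ in findings)

# Constructed sample inventories.
BASELINE = [Share("REPORTS", "/home/reports", False),
            Share("INSTALL", "/install", False)]
CURRENT = [Share("REPORTS", "/home/reports", True),
           Share("ROOT", "/", True),
           Share("LIBS", "/QSYS.LIB/PAYROLL.LIB", False)]

if __name__ == "__main__":
    results = check_shares(BASELINE, CURRENT)
    for kind, name in results:
        print(kind, name)
    print("in compliance:", in_compliance(results))
```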