The Security Patrol discusses security topics and implementation tips, and answers your security questions. I welcome questions, security recommendations and suggestions for security topics you would like discussed in detail. Submit your questions to the MC-BBS or fax them directly to me at (507) 252-9615. I cannot answer every question, but I'll try to answer those questions of a general nature.
Please include your phone number and indicate if your name can be published with the questions. -Wayne O. Evans, Chief of Security
Q:In the September issue of MC, you recommended the use of a program that adopts access to browse the contents of the user profile (*USRPRF) rather than *PUBLIC access of *USE. If user profiles have *PUBLIC authority of read only they can be displayed but the user does not have enough authority (*USE) to submit a job as another user.
A: The solution suggested by Peter works. If a user profile has read authority, it can be displayed, but cannot be used to submit jobs as the user-so there is no security risk with this alternative. However, this alternative has its limitations. New user profiles will be created with *EXCLUDE access, making a change in authority necessary if these new user profiles are to be displayed. The use of a program that adopts is more flexible and eliminates the need to change the *PUBLIC access on new profiles.
Q:I wanted to limit access to data, so I decided to change the system value QCRTAUT from *CHANGE to *USE. When I made the change, users could not sign on from system-created device and controller descriptions. I had to change the system value back to *CHANGE so that users can sign on at the automatically created device and controller descriptions. Why is *CHANGE access required to sign on?
A: *CHANGE authority is required for the device description because each device has an associated message queue. The users must have enough authority to read and remove messages from the device message queue. Because of the message queue, the system requires *CHANGE authority to the device description for users to sign on.
If you would like to set the system value QCRTAUT to *USE, set the CRTAUT attribute of the QSYS library to *CHANGE. When you set the library CRTAUT attribute, the system value is not used for that library. Objects, including the automatically configured devices and their associated message queue, stored in library QSYS will have *CHANGE authority, but the *PUBLIC authority for objects created into other libraries will be *USE.
Q:Operators with *JOBCTL special authority can use the Display Job Log (DSPJOBLOG) or the Work with Active Jobs (WRKACTJOB) command to display the job log of active users. However, these commands cannot display the job log of a subsystem. How can I display the job log of an active subsystem?
A:Subsystems run under the IBM user profile QSYS which has security officer access. The system prevents users who are not security officers from viewing the job log of a job run by a security officer. This limitation, carried over from the S/38 when job logs contained user passwords, still applies on the AS/400.
Only a security officer can view the job log of a job initiated by a security officer. I assume that you do not want to give security officer status to system operators to allow them to view the job log of subsystems. Instead, why don't you create a CL program that adopts security officer authority and prompts the DSPJOBLOG command? You can do this by creating the program signed on as a user with user class of *SECOFR or special authority of *SECADM.
1 shows a program that adopts the security officer's authority. Any user of this program is granted access to display the job log for any active job. The question mark activates prompting when the user calls the program so the job log of any job can be displayed. I have given the program itself *USE public authority. This results in a slight security exposure since this program allows users that do not have *JOBCTL authority to view the job log of any user if he knows the name of the job. If you are concerned about this exposure, then AS/400 security can restrict the user profiles that can call the program.
Figure 1 shows a program that adopts the security officer's authority. Any user of this program is granted access to display the job log for any active job. The question mark activates prompting when the user calls the program so the job log of any job can be displayed. I have given the program itself *USE public authority. This results in a slight security exposure since this program allows users that do not have *JOBCTL authority to view the job log of any user if he knows the name of the job. If you are concerned about this exposure, then AS/400 security can restrict the user profiles that can call the program.
The program is inconvenient because the user must enter the complete job name, which means he must first use WRKACTJOB to find the job number for the active subsystem. Do not write a program which adopts the security officer's authority to the WRKACTJOB command since WRKACTJOB has a command line. One of the fundamental design rules for programs that adopt is never allow the user access to the command line. Adopting authority in a program which runs this command would give the operators command line access as the security officer.