Security Patrol

IBM i (OS/400, i5/OS)
Tracking File Downloads

Question: We have users who regularly download files via the download function of Client Access (V3R2). I would like to know if there is an audit anywhere that captures what is being downloaded (i.e., the SELECT statements on the download request as well as which files) and by whom. If there is nothing in the operating system, what could I do (e.g., exit points, something attached to QUSER that services the requests) to capture this information to a file?

Answer: Exit points and exit programs can capture auditing information for you with an amazing level of detail. An exit program on the Client Access file transfer function can show you who downloaded the file, what file she downloaded, when exactly the download took place, and whether the request was successful. But you probably want to audit more than just the Client Access file transfer facility, as there are several other IBM services that allow one to transfer data to the desktop. Figure 1 has a list of exit points that enable bulk data transfer from the AS/400 to a remote client. You can write exit programs for these IBM servers and cause their results to be logged for auditing purposes. A simple exit program might record the date, time, user name, and file name of the transfer request. This information will give you the ability to see what data is being downloaded from your AS/400—an ability that you don’t have today. There are commercial exit point packages that you can buy, or you can write your own that will monitor these download servers. If you write your own, be sure that you handle all of the different download points, as you can never tell what service a client might choose to use.

Unfortunately, the specifications for writing exit programs are strewn across several IBM manuals: the OS/400 TCP/IP Configuration and Reference V4R4 manual (SC41-5420), the Distributed Data Management manual (SC41-5307), and the Client Access Express Host Servers V4R4M0 manual (SC41-5740). But with persistence, you can gather all of this information together and create exit programs that monitor these download servers.

Expiring Passwords

Question: I am struggling to explain OS/400 password expiration parameters to my internal auditors. I presented them with a report using PRTUSRPRF [Print User Profile] with *PWDINFO information. The QPWDEXPITV system value (Password Expiration Interval) is set to 30 days. There are a number of profiles listed on the report with *SYSVAL in the expiration interval who have not signed on in the past 31 (or more) days, yet the report says NO in the Password Expired field. I have scoured the report for clues but can find no pattern in the other parameters that may affect whether a password expires. Can you provide any further insight?

Answer: The Password Expired field in the PRTUSRPRF report simply indicates that the PWDEXP parameter in the user profile is set to *YES. Because it is possible for a security administrator to expire a user’s password manually prior to the password expiration interval (system value QPWDEXPITV, or user profile parameter PWDEXPITV), the report necessarily details which profiles have had their PWDEXP flag turned on. The report does not indicate a YES in the Password Expired column if the date of the last change for the password is older than the password expiration interval (though a reasonable person could argue that it should); the report assumes that you will do the math yourself. But rest assured that any profile that has exceeded the PWDEXPITV value has expired its password. Though the report does not directly state this, you can infer it by comparing PWDEXPITV with the date the password was changed and the current date.
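The "math yourself" step from the answer, as an added example that is not part of the original column: it reads a constructed, tab-separated extract of the PRTUSRPRF *PWDINFO fields the question mentions and flags every profile whose effective interval has elapsed, whatever the Password Expired column says. The column layout, the sample profiles and dates, and the exact boundary day are assumptions; QPWDEXPITV is 30 days as in the question.

```python
from datetime import date, timedelta
from typing import Optional

QPWDEXPITV = 30  # system value from the question: 30 days

# Constructed sample extract (assumed layout): USER, PWDEXPITV,
# date of last password change (YYYY-MM-DD), Password Expired column.
SAMPLE_REPORT = """\
ALICE\t*SYSVAL\t2023-08-01\tNO
BOB\t*SYSVAL\t2023-09-25\tNO
CAROL\t90\t2023-08-01\tNO
DAVE\t*NOMAX\t2022-01-01\tNO
ERIN\t*SYSVAL\t2023-09-29\tYES
"""


def effective_interval(pwdexpitv: str) -> Optional[int]:
    """Resolve the profile's PWDEXPITV to a number of days.

    *SYSVAL follows QPWDEXPITV; *NOMAX means the password never expires
    by age (returned as None); anything else is an explicit day count.
    """
    value = pwdexpitv.strip().upper()
    if value == "*SYSVAL":
        return QPWDEXPITV
    if value == "*NOMAX":
        return None
    return int(value)


def password_state(pwdexpitv: str, changed: date, today: date, pwdexp_flag: str) -> str:
    """Classify one profile.

    'PWDEXP(*YES)'      the administrator expired it manually (report says YES)
    'INTERVAL ELAPSED'  the report says NO, but the age exceeds the interval
    'CURRENT'           neither condition holds
    Boundary assumption: expired once at least `interval` days have passed.
    """
    if pwdexp_flag.strip().upper() == "YES":
        return "PWDEXP(*YES)"
    interval = effective_interval(pwdexpitv)
    if interval is not None and (today - changed) >= timedelta(days=interval):
        return "INTERVAL ELAPSED"
    return "CURRENT"


def audit(report_text: str, today: date) -> dict:
    """Return {user: state} for every row of the tab-separated extract."""
    result = {}
    for line in report_text.splitlines():
        if not line.strip():
            continue
        user, pwdexpitv, changed_s, flag = line.split("\t")
        changed = date.fromisoformat(changed_s)
        result[user] = password_state(pwdexpitv, changed, today, flag)
    return result


if __name__ == "__main__":
    for user, state in audit(SAMPLE_REPORT, date(2023, 10, 4)).items():
        print(f"{user:<10} {state}")
```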

Limiting *ALLOBJ Users

Question: Our system auditor wants me to set her up with *ALLOBJ special authority, but the director doesn’t want her to be able to look in certain libraries such as payroll. What is the best way to go about doing this?

Answer: It is impossible to keep an *ALLOBJ user out of any library. *ALLOBJ really means all objects: A user with *ALLOBJ special authority can read, change, and delete anything on the system. Even worse, an enterprising user with just *ALLOBJ can quickly gain any other special authority (*SECADM, *AUDIT, *IOSYSCFG, etc.) that he desires. It is simply not possible to secure a system from a user who has *ALLOBJ special authority.

Moving from QSECURITY Level 20

Question: On our last audit, one of the items we got dinged on was QSECURITY level 20. The auditor recommended going to at least level 30 so that object security is installed. After we changed to level 30 and IPLed, our software vendor had us run a program that caused all of the user profiles on our system to have the *ALLOBJ authority. They said that this was the only way their software will work at QSECURITY 30. Isn’t giving *ALLOBJ authority worse than being at QSECURITY level 20?

Answer: It’s not worse; it’s the same. The only difference between QSECURITY level 20 and level 30 is that at level 20 every user profile has *ALLOBJ special authority, while at level 30 only a very limited number of profiles have *ALLOBJ special authority (well, normally).

Effectively, what your software vendor has done for you (or should I say to you?) is cause your system security to run at level 20 even though the value in the QSECURITY system value is 30.

But don’t count on fooling your auditors with this cheap ruse. Another item that IS auditors love to write up is too many users with elevated authority. If your auditors are worth even half their cost, they’ll spot this major security hole and write it up in big bold letters. And they’ll have a point: A user with *ALLOBJ special authority has unfettered access to anything on your system. That means the user can read, change, or delete any object that he can see (and he can see *ALL objects). I recommend that you not fight the auditors on this point and seriously address their concern.


That means you’re going to have to call the software vendor’s bluff. AS/400 security is too good to require that every user of an application have security officer rights. The problem here is not with the software but with the vendor’s lack of understanding of its own software or AS/400 security, or both. Apply some pressure on the vendor to provide you with a security plan that will work for users who do not have *ALLOBJ special authority. Many times, the vendor already has this plan; it would just prefer not to disseminate that plan because it’s easier to troubleshoot problems if it can immediately dismiss the entire issue of inadequate authority. If the vendor doesn’t have a plan in place, then you can be the catalyst that pushes it into security compliance. I’ve gone this route with a number of AS/400 vendors, and, while they weren’t overjoyed at first, they found that the end result was worth sharing with their other customers. So press your vendor for a viable security plan and make sure it understands that its lack of a security model is causing you to fail audits.

I must state unequivocally that, regardless of vendor assertions to the contrary, I have never seen a package that could not run with a standard AS/400 security implementation. If the vendor still cannot or will not provide a security plan, you can build one for yourself by applying some basic security concepts. The first concept is that precious few users should have *ALLOBJ authority. The best way to eliminate *ALLOBJ authority is slowly. I usually start with a single user and experiment with the application. You can pick one test user profile and remove *ALLOBJ special authority from its profile, or you can create a new user profile that resembles existing profiles in every way except that it does not have *ALLOBJ special authority. Use that user profile over the course of a business cycle to determine if there are any security issues, and address those issues as they arise. This technique involves a bit more work (and a bit more pain) than a vendor-driven plan does, but it is a lot less painful than restoring deleted or corrupted files that a too-powerful user trashed.

John Earl is chief technology officer for the PowerTech Group in Tukwila, Washington, and a security editor for Midrange Computing.

Server      Exit Point / Server Format        Description
*SQL        QIBM_QZDA_INIT                    SQL Initialization
*SQLSRV     QIBM_QZDA_SQL1, QIBM_QZDA_SQL2    SQL Server 512 Bytes, 32 KB
*NDB        QIBM_QZDA_NDB1                    Native Database Server
*DDM        Network Attributes DDMACC         Distributed Data Management (DDM) Server
*DRDA       Network Attributes DDMACC         Distributed Relational Database Architecture (DRDA) Server
*RQSRV      QIBM_QRQ_SQL                      Original PC Support SQL Server
*TFRFCL     QIBM_QTF_TRANSFER                 Original PC Support File Transfer Server
*FILESRV    QIBM_QPWFS_FILE_SERV              File Server, NetServer
*FTPSERVER  QIBM_QTMF_SERVER_REQ              FTP Server
*TFTP       QIBM_QTOD_SERVER_REQ              Trivial FTP Server

Figure 1: Several exit points enable bulk data transfer from the AS/400 to a remote client.


John Earl

John Earl is the founder and Director of Technology and Security for The PowerTech Group, a Seattle-area software company that specializes in System i security. He has over 25 years of experience with IBM midrange systems and security, has published numerous articles and columns for industry magazines, and served as a Subject Matter Expert (SME) for Security for COMMON. A highly regarded speaker on OS/400 and i5/OS security, Mr. Earl has presented several hundred iSeries security sessions at industry conferences and user groups all over the world. He is a three-time winner of COMMON's Speaker Excellence award and has also served on the board of directors of COMMON U.S.
