Security Patrol: The Hidden Jewels of OS/400 Security

Rather than talk about the obvious, this article talks about the not-so-obvious or the forgotten: the "hidden jewels" of OS/400 security that will help make your life easier and your system more secure.

Check Object Integrity (CHKOBJITG)

Did you know that, in V5R1, OS/400 is digitally signed? And to that I hear you say, "So what?" Well, OS/400 is the only operating system in the midrange market today that ensures its own integrity. Because OS/400 has been digitally signed before leaving IBM, you can use the CHKOBJITG command to ensure that OS/400 has not been tampered with since being installed on your system. It will also check certain attributes of user programs, commands, and other objects to ensure they have not been tampered with either. CHKOBJITG is, in essence, a virus scanner for OS/400.

You should run this command on a regular basis but, because it can be quite long-running, run it only when your system is the least busy (if such a time exists on your system!) or run it as a background job that uses the spare cycles of your CPU. The output is a file that contains a list of any objects that have been tampered with.
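
A batch wrapper for the routine described above, added here as an example and not code from the article: it checks every object in QSYS, writes the outfile, and sends QSYSOPR a message only when something was flagged. The program name CHKITGBAT, the library CJW and the outfile CHKITG are assumed names.

```cl
/* CHKITGBAT: added example, not code from the article. Run CHKOBJITG    */
/* against every object in QSYS (OS/400 itself) and alert QSYSOPR if the  */
/* outfile comes back with any flagged objects. Submit it off-hours:      */
/*   SBMJOB CMD(CALL PGM(CJW/CHKITGBAT) PARM('CJW')) JOB(CHKOBJITG) +     */
/*          JOBQ(QBATCH)                                                   */
PGM PARM(&LIB)
  DCL VAR(&LIB)  TYPE(*CHAR) LEN(10)      /* library for the outfile      */
  DCL VAR(&NBR)  TYPE(*DEC)  LEN(10 0)    /* flagged-object record count  */
  DCL VAR(&NBRC) TYPE(*CHAR) LEN(10)
  DCL VAR(&MSG)  TYPE(*CHAR) LEN(80)

  /* Verify signatures and object attributes of everything in QSYS. The  */
  /* outfile gets one record per object that fails a check; OUTMBR       */
  /* *REPLACE keeps only the latest run.                                  */
  CHKOBJITG OBJ('/QSYS.LIB/QSYS.LIB/*.*') +
            OUTFILE(&LIB/CHKITG) OUTMBR(*FIRST *REPLACE)

  /* Count the records written; an empty outfile is a clean run.         */
  RTVMBRD FILE(&LIB/CHKITG) NBRCURRCD(&NBR)
  IF COND(&NBR *GT 0) THEN(DO)
    /* *DEC to *CHAR assignment yields the count with leading zeros       */
    CHGVAR VAR(&NBRC) VALUE(&NBR)
    CHGVAR VAR(&MSG) VALUE('CHKOBJITG flagged' *BCAT &NBRC *BCAT +
                           'object(s); review file' *BCAT &LIB *TCAT '/CHKITG')
    SNDMSG MSG(&MSG) TOUSR(QSYSOPR)
  ENDDO
ENDPGM
```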

Display User Profile (DSPUSRPRF)

I can hear it now: What's not obvious about the DSPUSRPRF command? If you simply run the command to display the attributes of a specified user, it is obvious. But less obvious are all of the options you have for displaying specific information about a specific user. You can display the objects owned, objects authorized, commands authorized, and, my favorite, the members of a group profile. For example, running the following command will list all of the members of the Accounting Group (GRP_ACCTG):

DSPUSRPRF GRP_ACCTG *GRPMBR

Another aspect of DSPUSRPRF is the ability to send the requested information to an outfile. Run the following command to get all of the information about all users on the system:

DSPUSRPRF *ALL OUTPUT(*OUTFILE) OUTFILE(CJW/ALL_USERS)

With all of this in an outfile, you can slice and dice the information any way you want to discover many interesting things about the users on your system.
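
One way to slice that outfile, added as an example rather than the author's code: select the profiles that hold *ALLOBJ or *SECADM special authority into their own file for review. The field names UPUPRF and UPSPAU are my recollection of the DSPUSRPRF *BASIC outfile format, so confirm them with DSPFFD before relying on the query; PWRUSERS is an assumed file name.

```cl
/* PWRUSERS: added example, not code from the article. Dump every profile */
/* to an outfile, then select the ones holding *ALLOBJ or *SECADM so the  */
/* list can be reviewed (or fed to Query/400 or SQL) on its own.           */
/* Assumption: UPUPRF (profile name) and UPSPAU (special authorities) are  */
/* field names in the DSPUSRPRF *BASIC outfile format; confirm on your     */
/* release with DSPFFD FILE(CJW/ALL_USERS).                                */
PGM
  DSPUSRPRF USRPRF(*ALL) OUTPUT(*OUTFILE) OUTFILE(CJW/ALL_USERS)

  /* OPNQRYF needs a shared open so CPYFRMQRYF sees the selected records */
  OVRDBF FILE(ALL_USERS) TOFILE(CJW/ALL_USERS) SHARE(*YES)
  OPNQRYF FILE((CJW/ALL_USERS)) +
          QRYSLT('UPSPAU *CT "*ALLOBJ" *OR UPSPAU *CT "*SECADM"') +
          KEYFLD((UPUPRF))

  /* Write just the selected profiles to their own file for review       */
  CPYFRMQRYF FROMOPNID(ALL_USERS) TOFILE(CJW/PWRUSERS) +
             MBROPT(*REPLACE) CRTFILE(*YES)

  CLOF OPNID(ALL_USERS)
  DLTOVR FILE(ALL_USERS)
ENDPGM
```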

Print User Profile (PRTUSRPRF)

PRTUSRPRF is a variant of DSPUSRPRF except that it goes to a spooled file with no other output option. Also, it only shows information about all users on the system (unlike DSPUSRPRF, which allows you to specify *ALL, one, or a generic name range). With few exceptions, this report shows all of the security attributes of every user on the system in one report. The only attributes it does not show are the profiles with default passwords and the auditing attributes.

Outfiles Produced by the Security Tools

Although most people know about OS/400's security tools (reached by typing GO SECTOOLS on an OS/400 command line), many people don't know about the outfiles that many of the tools produce. These outfiles provide a wealth of information to query to produce your own reports or the exact combination of information that you find meaningful. Most, but not all, of the tools produce an outfile before the report associated with the tool is printed. To determine if a tool does create an outfile, type in the command name or take a menu option off the SECTOOLS menu. Put your cursor on the title line of the command and hit Help (F1). The text describes any outfiles that are created, along with the format used to produce the file.

Change Ownership (CHGOWN) and Change Authority (CHGAUT)

I am often asked, "How do I change the ownership of all of the objects in a library?" While it may not be obvious, the commands that help you manage authorities in the Integrated File System (IFS) can also help you manage OS/400 authorities. The CHGOWN command allows you to change the ownership of all of the objects in a library in one fell swoop. Note that a library is addressed as CJW_LIB.LIB in the QSYS.LIB file system and that the required NEWOWN parameter names the profile that will own the objects (NEWOWNER here stands for whatever profile you choose). The following command changes the ownership of all of the objects in the CJW_LIB library:

CHGOWN OBJ('/QSYS.LIB/CJW_LIB.LIB/*.*') NEWOWN(NEWOWNER)

In the same way, the CHGAUT command allows you to change the authority of all the objects in a library. Running the following command changes the *PUBLIC authority of all of the files in the CJW_LIB library to the equivalent of *USE:

CHGAUT OBJ('/QSYS.LIB/CJW_LIB.LIB/*.FILE') USER(*PUBLIC) OBJAUT(*NONE) DTAAUT(*RX)

*PGMADP Auditing Value

OS/400 auditing is very powerful. One of my favorite auditing values is *PGMADP, which causes OS/400 to generate an audit journal entry when adopted authority is used to gain access to a resource (a file, library, or directory, for example). When trying to track down how a certain "incident" occurred (for example, a very powerful user profile gets created, or a program is put into production without going through change control), it is often useful to add this value to the QAUDLVL system value. These incidents often occur because users exploit adopted authority. If you suspect you know who performed the incident, you can use the Change User Auditing (CHGUSRAUD) command and turn on *PGMADP for this user or a set of users. I recommend turning this on at the user level if at all possible, since many applications use adopted authority for their security scheme. If you turn it on at the system level, you tend to get many entries besides the ones you are really looking for. Once you've turned on this level of auditing, you will want to regularly check the audit journal for AP entries. These audit journal entries give you the name of the program that adopts the authority and the profile whose authority was adopted and used to perform the task the user would not normally be authorized to perform. I have seen this feature used to catch programmers who were exploiting adopted authority to create powerful profiles that they could then use to perform other "interesting" tasks.
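
A small CL program for the procedure above, added as an example and not the author's code: the one-time CHGUSRAUD goes in at the user level, and the program then pulls that user's AP entries out of QAUDJRN into a queryable outfile built from IBM's QASYAPJ4 model file. AUDPGMADP, APENTRIES and the library CJW are assumed names, and QAUDJRN must already be active.

```cl
/* AUDPGMADP: added example, not code from the article. One-time step,   */
/* done at the user level rather than in QAUDLVL so the journal is not    */
/* flooded by every application that adopts authority legitimately:       */
/*   CHGUSRAUD USRPRF(SUSPECT) AUDLVL(*PGMADP)                            */
/* CHGUSRAUD replaces the user's whole AUDLVL list, so include any values  */
/* the profile already audits. Then run this program on whatever schedule */
/* you review the journal:                                                 */
/*   CALL PGM(CJW/AUDPGMADP) PARM('SUSPECT' 'CJW')                        */
PGM PARM(&USER &LIB)
  DCL VAR(&USER) TYPE(*CHAR) LEN(10)   /* audited profile               */
  DCL VAR(&LIB)  TYPE(*CHAR) LEN(10)   /* library for the AP outfile    */

  /* Build the outfile from IBM's model for AP entries (QASYAPJ4) so the  */
  /* adopting program and the owner whose authority was adopted land in   */
  /* named fields instead of the raw JOESD string. Reuse it if it exists. */
  CHKOBJ OBJ(&LIB/APENTRIES) OBJTYPE(*FILE)
  MONMSG MSGID(CPF9801) EXEC(CRTDUPOBJ OBJ(QASYAPJ4) FROMLIB(QSYS) +
                              OBJTYPE(*FILE) TOLIB(&LIB) NEWOBJ(APENTRIES))

  /* Audit entries carry journal code T; keep only type AP for this user, */
  /* scanning the whole receiver chain, not just the current receiver.    */
  DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) JRNCDE((T)) ENTTYP(AP) +
         USRPRF(&USER) OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
         OUTFILE(&LIB/APENTRIES) OUTMBR(*FIRST *REPLACE) ENTDTALEN(*CALC)
ENDPGM
```

Each record in APENTRIES is one use of adopted authority by that profile; a non-empty file after a quiet period is the signal to look at which program did the adopting.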

Web Site to Check CERT Advisories

We hear of security advisories coming out of CERT, and most of them have no effect on OS/400, but how can you be sure? Check out IBM's Resource Link Web site. You do have to register to get information from this site. And even after signing in, you still have to hunt a bit (this is truly a hidden jewel). The key is to click on "Problem solving" in the left nav bar. Then, under the Hardware heading, go to the subheading of Alerts and click on the link for Security alerts. One of the confusing parts of this Web site is that it appears to be a zSeries Web site. And it is. But IBM expanded the information available to include AIX, OS/400, and xSeries. The OS/400 information is provided by IBM Rochester personnel who have the knowledge and resources available to do the research and make an accurate determination as to whether OS/400 is affected by specific vulnerabilities. It's pretty cool. I recommend that you check it out.

Enterprise Identity Mapping

EIM is hidden, and that's really the way it's supposed to be. This "jewel" is a technology that is not a solution unto itself but a technology that enables really cool stuff, including single sign-on and user management tools. Another cool feature is that this technology is not limited to the iSeries. It has been integrated into the pSeries and zSeries as well. Combined with Kerberos, EIM provides the capability to have an enterprise-wide single sign-on implementation. Is that cool or what? A couple of vendors have already taken advantage of this technology and are providing products to aid you in managing the single sign-on environment. You can be certain that more vendors will be integrating this technology into their solutions in the future. In other words, watch this space!

Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting and services and offering the recently released software, SkyView Risk Assessor for OS/400. Carol has over 13 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol's second book, Experts' Guide to OS/400 Security, to be released in May.
