26
Thu, Dec
0 New Articles

Security Patrol: What I Hope You've Learned

IBM i (OS/400, i5/OS)
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Editor's Note: Carol is leaving her role of security officer, and this is the last "Security Patrol" column she'll be writing for MC Mag Online. This article summarizes her wishes for how you'll address your company's security.

Stop Procrastinating

The security configuration of your iSeries system must be addressed. I can't state it in stronger terms. Contrary to what some people believe, OS/400 and i5/OS do not ship in a secure state. You must take action to ensure that the system and its data are secure. The good news is that OS/400 and i5/OS are among the most "secure-able"--if not the most secure-able--systems available.

But some of you continue to ignore the issue. I think I've heard all the excuses. Here are a couple of my favorites:


  • "Nothing has happened to my system yet." My answer to that is, "How do you know?" These are always shops that haven't turned on auditing and haven't created regular reports to monitor the user accounts on their system. Nor do they monitor access to critical files. They may think nothing has happened to their system or their data, but they have no way to prove it!
  • "We can't afford the performance overhead." My answer to that excuse is this: An easy-to-understand and easy-to-maintain security scheme will not cause performance overhead. Throughout the releases of OS/400 and i5/OS, IBM has made many performance enhancements that have eliminated the performance overhead associated with private authorities and authorization lists that plagued the early releases of OS/400. Simply put, you have to try really hard to make a security scheme be the cause of a performance issue.

Given the regulatory issues facing most companies today, you really don't have a choice but to start down that "dreaded" security road.

Don't Get Overwhelmed

I understand that the task of securing your enterprise can be overwhelming, especially when you face the list of tasks you feel need to be accomplished. But you don't have to fix everything at once. I recommend that you determine what all of your issues are, understand the risk associated with each issue, rank the issues in priority order according to risk, and lay out a plan to fix them. Start with the "low-hanging fruit"--the issues that are easy to remediate but, when fixed, significantly reduce your risk (e.g., default passwords and user accounts that are inactive). For the issues you cannot get to right away, develop project plans and prioritize them with the rest of your tasks. For the issues that you determine will never be remediated, write up a business risk acceptance statement. Written risk acceptance statements are important, especially when you're being audited. Before you can write this statement, you have to have examined the risk associated with the issue, compared it to your business requirements, and made a conscious choice to leave the issue alone. This shows the auditor that you understand your business and made conscious choices regarding your business needs.

Stop Propagating the Problem

Sometimes, the thought of fixing an issue can be so daunting that you just don't know where to start. In this case, I recommend that, for the time being, you stop focusing on the issue as it exists on the system and make a conscious choice to stop propagating the problem or making the problem any worse than it is.

For example, you may have many users on the system who have been placed in group profiles even though they don't need the access provided to the group or did at one time and no longer need the access. This is often the case when a user changes departments or job function.

I've found that most iSeries administrators copy an existing profile when creating a new profile. My suggestion is to stop copying an existing profile without first examining the group or groups into which the user is to be placed. Look at the access the group has by running the Display User Profile (DSPUSRPRF) command, naming the group profile, and specifying to see the objects the group owns (*OBJOWN). Then, run the command again, specifying to see the objects to which the group has been given a private authority (*OBJAUT). Assign users to a group only if they need the same access to the same objects that the group provides. As some point, a review all of the members of each group profile should be conducted and a determination made as to whether they should still be a member of the group. But in the meantime, you can take steps to not make the problem of unnecessarily assigning users to groups any worse than it already is.

Object Authority Has the Final Say

By now, I hope you all understand that relying on menu "security" is the equivalent of locking the front door of your house with the best lock available but leaving your back door wide open. Objects (programs, data areas, commands and, most important, database files) can be accessed via DDM, FTP, command lines, sockets applications, Web applications, remote procedure calls, and so forth. If users have sufficient authority to access files through one of these interfaces, OS/400 will let them. However, if a user who has only *USE authority to the file tries to update the file using ODBC, OS/400 prevents the action. Other techniques are advertised, but the only sure way to ensure that a file is not accessed outside of an application is to use object-level security. Object authority is always in effect, and OS/400 cannot bypass an object authority check.

Some of you get overwhelmed by the concept of object authority because you think you have to literally secure every object on the system. That's simply not the case. Here's why: Before you can access an object, you have to have authority to its library or directory. When you secure the library or directory, the objects in it are also inherently secured. For example, typically only the HR department needs access to HR applications. Give the HR_GROUP profile *USE authority to the application libraries and set *PUBLIC authority to *EXCLUDE. Now, you've significantly reduced the chance that the HR database is going to be exploited because only the users assigned to the HR_GROUP can access objects in the HR libraries. Other users will be prevented from accessing the HR database because *PUBLIC authority has been set to *EXCLUDE.

Libraries and database files do not come secure by default. You must consciously determine which libraries to restrict and which ones to allow open access to.

Don't Ignore the Integrated File System (IFS)

Most companies today are ignoring IFS security. The root ('/'') directory ships with *PUBLIC authority set to the equivalent of *ALL--that is, DTAAUT(*RWX) and OBJAUT(*ALL). Given that most directories inherit the *PUBLIC authority of their parent directory, the directories that have been created on your system are also the equivalent of *PUBLIC *ALL unless you have set them otherwise. A wide-open IFS in an invitation to store all sorts of inappropriate items in this directory structure. Imagine it, and it's probably been stored there--PC backups, pornography, music, and movies. Yes, the IFS is a wonderful storage area if not locked down. I strongly encourage you to set the root directory to DTAAUT(*RX) and OBJAUT(*NONE) and limit the use of file shares that make the directory available throughout your internal network.

Viruses are another issue associated with the IFS. Just as I've mentioned locking down the IFS, I've also mentioned the need to virus scan the IFS. Don't forget this important step!

By the way, did you know that you can and should virus scan OS/400? The little-known Check Object Integrity (CHKOBJITG) command is essentially a virus scanner for OS/400. It checks the digital signatures of objects and looks for signs that OS/400 has been tampered with since being shipped from IBM.

A Wealth of Information

Knowledge is power, as the saying goes, but, in my opinion, you don't have to know everything; you just need to know where to obtain the knowledge. You can find most of the answers to your security questions at the IBM Information Center in the iSeries Security Reference manual. (To find the Security Reference manual on the Information Center site, expand the "Security" topic in the left nav pane. The manual is available there via a downloadable PDF.)

  • Chapter 2 describes moving to higher security levels from levels 20 or 30.
  • Chapter 6 describes how to secure spooled files.
  • Chapter 9 describes auditing functions.
  • Appendix B describes the IBM-supplied profiles and their shipped settings.
  • Appendix D (my favorite section of this manual!) describes the authorities required to run a particular CL command. For example, to run the Submit Job (SBMJOB) command, the table shows all of the objects (job description, user profile, etc.) that can be specified and the authority the user needs to each object for the command to run successfully.
  • Appendix F provides the layout of each of the audit journal model outfiles that are shipped in QSYS.

If you're looking for practical applications of OS/400 functionality rather than "just the facts" as offered in most IBM publications, see my latest book, Experts' Guide to OS/400 and i5/OS Security, co-authored with Patrick Botz from IBM. (Pat will be taking over this column, so look for him in this space next month!) If you have specific questions for which you cannot find the answer, you can submit your security questions for possible answer by me at Search400.com.

It's Never Over

Now for the really bad news: Security is not a one-time event. You can't remediate all of the issues on your system and be done. No, unfortunately, you need to periodically, if not continually, re-evaluate your security configuration settings. Why? Because things change. A new release of OS/400 may provide new tools that help make security configuration easier, or new functionality may be added that will make you re-think your security configuration choices. Or you may install a new third-party application and need to make sure it didn't open up an area of the system you had locked down. Or your company may decide to use your iSeries as a Web server. Or you may open an e-commerce site that accepts credit cards. The list goes on.

My Hopes

My hope is that you understand the need for a strong and robust security implementation. My hope is that I've described things in understandable terms so that you can now easily apply them to your situation and your system. My hope is that you will make intelligent business choices as to what needs to be remediated and what risks your business can afford to take. My hope is that these "Security Patrol" articles have made the task of securing OS/400 a little easier.

Finally, my hope is that, on occasion, I've helped you remember what's really important in life. To quote from the opening line of Rick Warren's best-selling book, The Purpose-Driven Life, "It's not about you." Nor is it about making sure the upgrade to i5/OS goes smoothly, nor is it about making sure your new application gets into production on time, nor is it about getting promoted. Each year, I am reminded that things other than my work should be taking priority in my life--family, friends, and my faith in Jesus Christ. This Christmas, I encourage you to take time to carefully examine your priority list, checking it twice to make sure that it's truly in the right order.

Carol Woodbury is co-founder of SkyView Partners, a firm specializing in security consulting, remediation services and security assessments, including the product, SkyView Risk Assessor for OS/400 and i5/OS. Carol has over 14 years in the security industry, 10 of those working for IBM's Enterprise Server Group as the AS/400 Security Architect and Chief Engineering Manager of Security Technology. Look for Carol's second book, Experts' Guide to OS/400 and i5/OS Security.

Carol can be reached at This email address is being protected from spambots. You need JavaScript enabled to view it..

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: