Security Patrol: Security Questions & Answers

Security is an important consideration regardless of the size of your installation. Each month, this column addresses your questions and concerns. To submit an inquiry, use the MC-BBS at (619) 931-9909 or fax me directly at (507) 252-9615. Then, look for your answer in future columns.

The questions and answers in this month's column all deal with spooled files. It is important that you observe the following caveat. Warning: A user with Spool Control (*SPLCTL) special authority is not limited by any restrictions associated with output queues. *SPLCTL special authority allows the user to perform all operations on all output queues. Limit the number of users that have *SPLCTL special authority if you want to secure output queues.

Wayne O. Evans, Chief of Security

Q: My system supports three types of printed output.

o General Output. No restrictions on who can view the printout.
o Limited Viewing. Data that can be viewed by a group of users in the sales analysis area but should not be generally available.
o Sensitive Output. Payroll information that can be accessed by only the individual responsible for printing payroll.

How can I allow access to some output while limiting the users from gaining access to sensitive output which is waiting to print?

A: You cannot directly grant and revoke authority to view and manipulate a spooled file. The authority to a spooled file is controlled by the parameters on the output queue that holds the spooled file. Unless you control the security of output queues on your system, unauthorized users can display, print, and even copy sensitive information that is waiting to print.

However, there is a method for protecting confidential output: create a special output queue. You can then send confidential output to that queue and control who can view and manipulate the spooled files on it through the authority to the output queue.

The security parameters for an output queue are specified using the Create Output Queue (CRTOUTQ) command or the Change Output Queue (CHGOUTQ) command. The three parameters on the output queue that control security are Display Data (DSPDTA), Authority to Check (AUTCHK) and Operator-controlled (OPRCTL). Figures 1, 2 and 3 list the possible values (with defaults indicated) for the DSPDTA, AUTCHK and OPRCTL parameters, respectively. The IBM reference manual explains these parameters in detail, but since they are somewhat complex, it is best to look at an example.

Let's examine three output queues with different attributes. These examples can be used as a model for your own output queues.

1. General-purpose output queue. All users are allowed to display all spooled files. The system operators are allowed to manage the queue and change spooled files.

     CRTOUTQ OUTQ(QGPL/SHARED) +
             DSPDTA(*YES) +
             AUTCHK(*DTAAUT) +
             OPRCTL(*YES) +
             AUT(*USE)

2. Access limited to application area. Only members of the sales analysis area that have a group profile of GRPSALES are allowed to use the output queue. Only sales analysis users of the output queue are allowed to display all spooled files. System operators are not allowed to work with the output queue.

     CRTOUTQ OUTQ(SALESLIB/SALESOUTQ) +
             DSPDTA(*YES) +
             AUTCHK(*DTAAUT) +
             OPRCTL(*NO) +
             AUT(*EXCLUDE)

     GRTOBJAUT OBJ(SALESLIB/SALESOUTQ) +
             OBJTYP(*OUTQ) +
             USER(GRPSALES) +
             AUT(*CHANGE)

Note: If the SALESOUTQ were owned by the group profile GRPSALES, then this Grant Object Authority (GRTOBJAUT) command would not be required.

3. Confidential output queue. This output queue is shared by users printing confidential files and documents. Users can work with their own spooled files only. System operators can work with the spooled files, but they cannot display the contents of the files.

     CRTOUTQ OUTQ(PAYROLL/PAYOUTQ) +
             DSPDTA(*OWNER) +
             AUTCHK(*OWNER) +
             OPRCTL(*YES) +
             AUT(*USE)

Q: Does this mean that if I put data on a sensitive output queue I cannot access the data?

A: When you create a spooled file, you are the owner of that file. You can always view and manipulate any spooled files you own, regardless of how the authority for the output queue is defined. You must have *READ authority to add new entries to an output queue. If your authority to an output queue is removed, you can still access any entries you own on that queue using the Work with Spooled Files (WRKSPLF) command.

For audit purposes, some installations attempt to store the job log in a restricted output queue. This is not effective because the user can still use WRKSPLF to delete the job log from a previous session.

Q: I want to give menu-mandatory users a menu option that allows them to view only the spooled files they have created. I do not want users to access the spooled files of other users. I have created a menu option that runs WRKSPLF, limiting output to the current user.

     WRKSPLF USER(*CURRENT)

This provides users with a list of their spooled files as I intended. Some users have discovered that function key F22 allows them the capability to access the spooled files of other users.

Is there a way to restrict the use of function key F22 from the WRKSPLF screen? I would rather not write a complex program to replace the function of the IBM panel just to prevent a misuse of function key F22.

A: Good news! You are almost there, and no programming changes are required. You have a good start.

o The menu-mandatory users have a user profile attribute, LMTCPB(*YES), that prevents the users from entering commands on the command line displayed on most IBM panels. This limits the user to selecting menu options and not entering commands directly.

o You have created a menu option for users that allows them to view their spooled files.

The problem is that the IBM WRKSPLF panel (Figure 4) supports function key F22, which allows access to the output of other users.

You can restrict function key F22 if you understand how IBM implemented the WRKSPLF panel. Function key F22 uses the Work with Writers (WRKWTR) command to display the output queue for all printers. If you restrict the user's access to the WRKWTR command, the function key cannot be used and the option does not appear on the user's menu.

The command to restrict access to the WRKWTR command is:

     GRTOBJAUT OBJ(QSYS/WRKWTR) +
             OBJTYP(*CMD) +
             USER(*PUBLIC) +
             AUT(*EXCLUDE)

You will need to grant access to the users who are allowed the function, using this command:

     GRTOBJAUT OBJ(QSYS/WRKWTR) +
             OBJTYP(*CMD) +
             USER(user_profile) +
             AUT(*USE)

The restriction of authority is only effective if you are running with object-level security (QSECURITY must be 30 or 40).


Figure 1 Options on the DSPDTA Parameter

 *NO (default)  A user cannot display, send or copy spooled files owned by other users, unless the user has one of the following:
                o *JOBCTL special authority, if the OPRCTL parameter is *YES.
                o *CHANGE authority to the output queue, if the AUTCHK parameter is *DTAAUT.
                o *ALL authority to the output queue.

 *YES           Any user with *READ authority to the output queue can display, copy or send the data of any spooled file on the queue.

 *OWNER         Only the owner of a spooled file can display, copy, send or move the file. If the OPRCTL value is *YES, users with *JOBCTL special authority can hold, change, delete and release spooled files on the output queue, but they cannot display, copy, send or move the spooled files. This allows operators to manage entries on an output queue without being able to view the contents.
Figure 2 Options on the AUTCHK Parameter

 *OWNER (default)  Only a user with *ALL authority to the output queue can change or delete any spooled file.

 *DTAAUT           Specifies that any user with *READ, *ADD and *DLT authority to the output queue can change or delete any spooled file on the queue.
Figure 3 Options on the OPRCTL Parameter

 The OPRCTL parameter determines the access of users with *JOBCTL special authority.

 *YES (default)  A user with *JOBCTL special authority can perform all functions on the spooled files, unless the DSPDTA value is *OWNER. If the DSPDTA value is *OWNER, *JOBCTL special authority does not allow the user to display, copy, send or move spooled files.

 *NO             *JOBCTL special authority does not give the user any authority to perform operations on the output queue. Normal authority rules apply to the user.
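To make the interaction of DSPDTA, AUTCHK and OPRCTL concrete, here is an added example (not from the column) that models the rules of Figures 1 through 3, plus the owner and *SPLCTL rules stated earlier, as a small Python decision function and encodes the three queues from the first answer. The class names, the authority levels and the simplification that *ALL carries the same data authorities as *CHANGE are assumptions of this model, not IBM's implementation.

```python
from dataclasses import dataclass
# Data authorities implied by each object authority level (simplified model).
LEVELS = {
    "*EXCLUDE": frozenset(),
    "*USE": frozenset({"*READ"}),
    "*CHANGE": frozenset({"*READ", "*ADD", "*UPD", "*DLT"}),
    "*ALL": frozenset({"*READ", "*ADD", "*UPD", "*DLT"}),
}

@dataclass(frozen=True)
class OutQ:
    dspdta: str  # *NO, *YES or *OWNER
    autchk: str  # *OWNER or *DTAAUT
    oprctl: str  # *YES or *NO

@dataclass(frozen=True)
class User:
    name: str
    outq_aut: str  # authority level to the output queue (from AUT or GRTOBJAUT)
    special: frozenset = frozenset()  # special authorities, e.g. {"*JOBCTL"}

def _bypass(user, file_owner):  # owner always; *SPLCTL ignores queue limits
    return user.name == file_owner or "*SPLCTL" in user.special
def _operator(user, q):  # *JOBCTL counts only when the queue has OPRCTL(*YES)
    return "*JOBCTL" in user.special and q.oprctl == "*YES"

def can_display(user, q, file_owner):
    """Display, copy or send a file owned by file_owner (Figure 1 rules)."""
    if _bypass(user, file_owner):
        return True
    if q.dspdta == "*OWNER":
        return False  # operators may manage the file but never view it
    if q.dspdta == "*YES":
        return "*READ" in LEVELS[user.outq_aut]
    return (_operator(user, q) or user.outq_aut == "*ALL"
            or (q.autchk == "*DTAAUT" and user.outq_aut == "*CHANGE"))

def can_change(user, q, file_owner):
    """Hold, change, delete or release a file (Figure 2 and 3 rules)."""
    if _bypass(user, file_owner) or _operator(user, q) or user.outq_aut == "*ALL":
        return True
    if q.autchk == "*DTAAUT":
        return {"*READ", "*ADD", "*DLT"} <= LEVELS[user.outq_aut]
    return False

# The column's three queues; AUT()/GRTOBJAUT is modelled as each user's outq_aut.
SHARED = OutQ("*YES", "*DTAAUT", "*YES")
SALESOUTQ = OutQ("*YES", "*DTAAUT", "*NO")
PAYOUTQ = OutQ("*OWNER", "*OWNER", "*YES")
```

Running can_display and can_change for an ordinary user, an operator with *JOBCTL and the file's owner against each queue reproduces the behaviour the answer describes for SHARED, SALESOUTQ and PAYOUTQ.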
Figure 4 WRKSPLF Screen

                         Work with All Spooled Files

 Type options, press Enter.
   1=Send   2=Change   3=Hold   4=Delete   5=Display   6=Release   7=Messages
   8=Attributes   9=Work with printing status

                          Device or                     Total   Cur
 Opt  File      User      Queue     User Data   Sts     Pages   Page  Copy
      XXXXXXXX  XXXXXXXX  XXXXXXXX  XXXXXXXXX   XXX     X       X     X
      XXXXXXXX  XXXXXXXX  XXXXXXXX  XXXXXXXXX   XXX     X       X     X
      XXXXXXXX  XXXXXXXX  XXXXXXXX  XXXXXXXXX   XXX     X       X     X

 Parameters for options 1, 2, 3 or command
 ===>
 F3=Exit   F10=View 3   F11=View 2   F12=Cancel   F22=Printers   F24=More keys

 (Callout on the figure: F22 can show files of other users.)