SecureMyi.com Security and Systems Management Newsletter for the IBM i             April 22, 2015 - Vol 5, Issue 5

Feature Article

Real-Time Alerts for CL Command Execution

By Dan Riehl - SecureMyi.com

Do you want to be alerted when someone tries to restore objects onto your system? Or maybe you want to know when someone starts up a TCP/IP server, or changes a System Value. You can do this using Control Language Command Exit Programs.

In part one of this series on CL Command Exit Programs, the focus was the exit points available for CL commands, and specifically the Command Analyzer Change Command exit point. As noted there, a second command exit point can be used to monitor and audit commands as they execute: the Command Analyzer Retrieve Command exit point.

This capability lets you capture commands as they execute and do something with the information collected. Unlike the Command Analyzer Change Command exit point discussed earlier, the Retrieve Command exit point does not allow you to send information back to the command analyzer, which seemingly limits it to a logging and auditing role. We'll see additional undocumented capabilities in Part 3 of this series on the CL Command Exit Points.

The example program supplied in this article is called whenever someone executes the Restore Object (RSTOBJ) command. It retrieves the command information, records the entire RSTOBJ command string and other useful information in the system's QHST history log, and also sends an alert message to a message queue named RESTORE. You could certainly do other things with the command string data, but the purpose of this simple example is to illustrate how to create real-time alerts by creating and registering a CL Command Exit Program.


The Command Analyzer Retrieve Exit Point

Each IBM-supplied exit point has an assigned name and an exit point interface. The exit point interface is the list of parameters the command analyzer exchanges with your exit program. The name of the Command Analyzer Retrieve Command exit point is QIBM_QCA_RTV_COMMAND. This exit point occurs after the command analyzer has done much of its work, but before control is passed to the Command Processing Program (CPP).

Since the exit program is called before the CPP, it cannot predict whether the command will complete normally or abnormally. It knows only that the command is being attempted; it has no knowledge of, and no influence on, the outcome of the command processing program (i.e., whether the operation will fail or succeed). An alert raised here therefore means that a restore was attempted, not that it succeeded.

The exit point interface (format) for this exit point is named RTVC0100, and it is similar to the CHGC0100 interface discussed in the previous article. The exit program is not passed the RTVC0100 interface as separate parameters, but as one large block of data. Your program needs to parse the individual data elements out of the RTVC0100 parameter, whose layout is illustrated in Figure 1.
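Here is an added example of such an exit program in CL, written for this page rather than taken from the article's own (linked) program. It assumes the exit program receives the RTVC0100 structure as its single parameter and that the structure begins with a BINARY(4) offset to the command string followed by a BINARY(4) length of that string (the full layout is in Figure 1, which is not reproduced here, so treat those positions as an assumption to verify against the format documentation). The program library MYLIB and the message queue QGPL/RESTORE are names chosen for the example; the ADDEXITPGM command in the header comment uses the documented program-data convention for the command analyzer exit points, a 10-character command name followed by a 10-character library name.

```cl
/* RSTOBJEXIT - Added example of a QIBM_QCA_RTV_COMMAND exit program;  */
/* not the article's program. Assumptions: the single parameter is the */
/* RTVC0100 structure, whose first two fields are a BINARY(4) offset   */
/* to the command string and a BINARY(4) length of that string, and    */
/* message queue QGPL/RESTORE exists (CRTMSGQ MSGQ(QGPL/RESTORE)).     */
/*                                                                     */
/* Compile and register for RSTOBJ only (program data = command name   */
/* padded to 10, then library name padded to 10):                      */
/*   CRTCLPGM PGM(MYLIB/RSTOBJEXIT) SRCFILE(MYLIB/QCLSRC)              */
/*   ADDEXITPGM EXITPNT(QIBM_QCA_RTV_COMMAND) FORMAT(RTVC0100)         */
/*              PGMNBR(*LOW) PGM(MYLIB/RSTOBJEXIT)                     */
/*              PGMDTA(*JOB 20 'RSTOBJ    QSYS      ')                 */
PGM PARM(&RTVC0100)
  DCL VAR(&RTVC0100) TYPE(*CHAR) LEN(32767) /* whole structure, one lump */
  DCL VAR(&OFFSET)   TYPE(*DEC)  LEN(10 0)  /* offset to command string */
  DCL VAR(&START)    TYPE(*DEC)  LEN(10 0)  /* 1-based start position   */
  DCL VAR(&CMDLEN)   TYPE(*DEC)  LEN(10 0)  /* length of command string */
  DCL VAR(&CMDSTR)   TYPE(*CHAR) LEN(2000)  /* copy of the command text */
  DCL VAR(&JOB)      TYPE(*CHAR) LEN(10)
  DCL VAR(&USER)     TYPE(*CHAR) LEN(10)
  DCL VAR(&JOBNBR)   TYPE(*CHAR) LEN(6)
  DCL VAR(&MSGTXT)   TYPE(*CHAR) LEN(2100)

  /* A failure inside the exit program must not disturb the RSTOBJ     */
  /* itself: fall through to END and let the command analyzer continue */
  MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(END))

  /* Unpack offset and length, then substring the command text out of  */
  /* the structure. Long commands are truncated to the buffer length.  */
  CHGVAR VAR(&OFFSET) VALUE(%BIN(&RTVC0100 1 4))
  CHGVAR VAR(&CMDLEN) VALUE(%BIN(&RTVC0100 5 4))
  IF COND(&CMDLEN *GT 2000) THEN(CHGVAR VAR(&CMDLEN) VALUE(2000))
  CHGVAR VAR(&START)  VALUE(&OFFSET + 1)
  CHGVAR VAR(&CMDSTR) VALUE(%SST(&RTVC0100 &START &CMDLEN))

  /* The exit program runs in the job that issued RSTOBJ, so the job   */
  /* attributes identify who is attempting the restore                 */
  RTVJOBA JOB(&JOB) USER(&USER) NBR(&JOBNBR)
  CHGVAR VAR(&MSGTXT) VALUE('RSTOBJ attempted by ' *CAT &USER *TCAT +
         ' in job ' *CAT &JOBNBR *CAT '/' *CAT &USER *TCAT '/' *CAT +
         &JOB *TCAT ': ' *CAT &CMDSTR)

  /* Permanent record in the history log, plus the real-time alert     */
  SNDPGMMSG MSG(&MSGTXT) TOMSGQ(QHST)
  SNDPGMMSG MSG(&MSGTXT) TOMSGQ(QGPL/RESTORE)

END: RETURN
ENDPGM
```

Two practical points. First, each ADDEXITPGM entry covers one command, so RSTOBJ alone does not cover every restore path; register the same program again for QSYS/RSTLIB and QSYS/RST if those matter to you. Second, the exit program runs in the job of whoever issued the command, so that user needs authority to run it, and the program and its library should be somewhere the user cannot alter or replace it. To test, issue an RSTOBJ you expect to fail (for example, naming a save file that does not exist) and confirm the entry appears in DSPLOG and on DSPMSG MSGQ(QGPL/RESTORE) even though the restore did nothing.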

Read More and get the working example Exit Program

In This Issue


Featured Article - Command Exit Programs

Security Shorts - Authority for New Objects

Industry News and Calendar

Security Resources


Security Related News for IBM i

Cilasoft Announces New Functionality in CENTRAL
Cilasoft has introduced CENTRAL, a software solution that gives IT managers a unified view of security related information across multiple systems/partitions, while also providing functionality for data-set distribution and command execution across multiple IBM i environments from a central system.
See More Info in the Press Release

Kisco Releases SafeNet/i V10.25
Kisco Information Systems has introduced a new version of its popular SafeNet/i Network Exit Point Software. The new release features context-sensitive source IP address controls, enforcement for Telnet SSL connections and a new auditor read-only access feature.
See More Info in the Press Release


Live Security Related Webcasts and Training for IBM i

April Events

2015 COMMON Conference and Expo - Anaheim, CA
Conference and Expo - April 26-29
More Information and Register to Attend

Live Hands-On - Expanded System Operations Workshop for IBM i, iSeries, AS/400
with Dan Riehl

Training Workshop - April 27- May 1 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

May Events

Coffee with Carol: When Management Turns its Back on Security
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Thursday, May 7 - 10:00am CDT
More Information and Register to Attend

Live Hands-On - Introduction to RPG IV Programming Workshop
with Dan Riehl

Training Workshop - May 11-15 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - May 18-22 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

June Events

Live Hands-On - Security and Vulnerability Assessment Workshop for IBM i
with Dan Riehl

Training Workshop - June 2-5 - Presented by SecureMyi and The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries, AS/400 Expanded Security Workshop
with Dan Riehl

Training Workshop - June - TBD - Presented by SecureMyi and The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend




Security Shorts

Assigning Object Authority to Newly Created Objects

By Dan Riehl - SecureMyi.com

When you create a new file or program, you have the option of specifying the authority for the new object, but we typically do not. Each CL command used to create objects has an Authority (AUT) parameter, which specifies the *PUBLIC authority for the new object. Most of us never see the AUT parameter because we seldom prompt the CRTxxx commands, and even when we do, AUT is usually the very last parameter in a long list. We seldom get that far in the prompt.

Understanding CRTAUT and *LIBCRTAUT

For almost all object types, the CRTxxx command uses the default value AUT(*LIBCRTAUT). *LIBCRTAUT assigns the new object's authority based on the library in which it is created: for one library, *LIBCRTAUT may mean AUT(*CHANGE); for another, AUT(*EXCLUDE), depending entirely on the library's CRTAUT value.

The CRTAUT setting for a library can be set explicitly, or can be derived from the System Value QCRTAUT, which ships from IBM with a value of *CHANGE. Allowing the QCRTAUT System Value to determine the CRTAUT value for your sensitive program and data libraries is usually not what you want.

When you create or change a library (CRTLIB, CHGLIB), one of the parameters is Create Authority (CRTAUT), as shown in this command to create a library:

CRTLIB LIB(MYLIBRARY) CRTAUT(*EXCLUDE)

When the library's CRTAUT value is *EXCLUDE, new objects created within the library will be set to *PUBLIC AUT(*EXCLUDE), based upon the CRTAUT of the library. Note: Be careful to specify the correct CRTAUT for your libraries, since CRTAUT(*SYSVAL) is the default value when initially creating a Library.

Overriding the Library's CRTAUT Value

You do not need to accept the CRTxxx command default of AUT(*LIBCRTAUT). You can specify the authority for the object as needed, as in the following command to Create a Data Area:

CRTDTAARA DTAARA(MYLIBRARY/MYDATA) TYPE(*CHAR) LEN(100) AUT(*USE)

Here, the CRTAUT value of MYLIBRARY is not considered, and the data area is assigned *PUBLIC AUT(*USE) authority.

Using an Authorization List

When setting the value for a library's CRTAUT parameter, the name of an authorization list can be assigned, as shown here on the Change Library (CHGLIB) command:

CHGLIB LIB(MYLIBRARY) CRTAUT(MYAUTL)

Then, when a new object is created in the library, the new object will be secured by the MYAUTL authorization list. This assumes that we accepted the default value on the CRTxxx command of AUT(*LIBCRTAUT) or that we specified AUT(MYAUTL).

Using an authorization list to assign the authority for a newly created object gives you some nice flexibility. You are not limited to only assigning *PUBLIC authority, but when using an authorization list, you can assign all private authorities to the object at the time the object is created.

Object Ownership: The Gotcha

The one gotcha when assigning authority to a new object is that the object will be owned by the creator, or by the creator's group profile if the creator's user profile specifies OWNER(*GRPPRF). The owner has *ALL authority to the new object, which might not be what you want, especially when you are securing the object with an authorization list. In these cases you need a method to reassign ownership of the new object.

I'd be anxious to hear your ideas on the best way to set the exact authority that you want on a newly created object when the creator/owner should not have a distinct authority to the object.

I am one who believes that most object types should be owned by an "owning" profile, whose sole purpose for existence is to own objects. For example, create the user profile PRODOWNER. Assign PRODOWNER as the owner of your production objects. This owning profile PRODOWNER is not a group profile. It is simply a profile to own objects.

This works great until someone creates a new object, which makes them (or their primary group) the owner of the new object, and not PRODOWNER.
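One way to close that gap, as an added example that is not the article's own code: a small CL program that is run right after an object is created in a library whose CRTAUT names an authorization list. It checks who ended up owning the object and, if it is not the owning profile, moves it to PRODOWNER while revoking the creator's leftover authority, so the authorization list is the only source of authority. PRODOWNER, MYLIB, MYLIBRARY, MYAUTL and MYDATA are assumed names.

```cl
/* SETPRDOWN - Added example, not the article's code. Reassigns a newly */
/* created object to the owning profile PRODOWNER and revokes the       */
/* creator's *ALL authority, leaving the library's CRTAUT authorization */
/* list as the only source of authority to the object.                  */
/* Assumed names: PRODOWNER, MYLIB, MYLIBRARY, MYAUTL, MYDATA.          */
/*                                                                      */
/* Usage:                                                               */
/*   CRTAUTL AUTL(MYAUTL) AUT(*EXCLUDE)                                 */
/*   CHGLIB LIB(MYLIBRARY) CRTAUT(MYAUTL)                               */
/*   CRTDTAARA DTAARA(MYLIBRARY/MYDATA) TYPE(*CHAR) LEN(100)            */
/*   CALL PGM(MYLIB/SETPRDOWN) PARM('MYDATA' 'MYLIBRARY' '*DTAARA')     */
/*   DSPOBJAUT OBJ(MYLIBRARY/MYDATA) OBJTYPE(*DTAARA)                   */
PGM PARM(&OBJNAM &LIB &OBJTYPE)
  DCL VAR(&OBJNAM)  TYPE(*CHAR) LEN(10)
  DCL VAR(&LIB)     TYPE(*CHAR) LEN(10)
  DCL VAR(&OBJTYPE) TYPE(*CHAR) LEN(10)
  DCL VAR(&OWNER)   TYPE(*CHAR) LEN(10)
  DCL VAR(&MSG)     TYPE(*CHAR) LEN(132)

  /* Who owns the new object: the creator, or the creator's group when  */
  /* the creating user profile specifies OWNER(*GRPPRF)                  */
  RTVOBJD OBJ(&LIB/&OBJNAM) OBJTYPE(&OBJTYPE) OWNER(&OWNER)

  IF COND(&OWNER *EQ 'PRODOWNER') THEN(DO)
     SNDPGMMSG MSG('Object is already owned by PRODOWNER') MSGTYPE(*COMP)
     RETURN
  ENDDO

  /* Move ownership and drop the previous owner's private authority.    */
  /* The caller needs *OBJEXIST to the object and *ADD to PRODOWNER.    */
  CHGOBJOWN OBJ(&LIB/&OBJNAM) OBJTYPE(&OBJTYPE) NEWOWN(PRODOWNER) +
            CUROWNAUT(*REVOKE)

  CHGVAR VAR(&MSG) VALUE('Owner of ' *CAT &LIB *TCAT '/' *CAT +
         &OBJNAM *TCAT ' changed from ' *CAT &OWNER *TCAT ' to PRODOWNER')
  SNDPGMMSG MSG(&MSG) MSGTYPE(*COMP)
ENDPGM
```

CUROWNAUT(*REVOKE) is what actually closes the gotcha: without it, CHGOBJOWN leaves the creator with a private *ALL authority that the authorization list cannot override. Because changing an owner requires *OBJEXIST to the object and *ADD to the new owner's profile, this is normally run by an administrator or from a program that adopts that authority. The owning profile itself should be created with PASSWORD(*NONE) and no special authorities, so that a profile which owns everything in production is never something a person can sign on as.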

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2015 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017