SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - August 13, 2014 - Restricting Access to the System Request Function - Why?

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i August 13, 2014 - Vol 4, Issue 13

	Feature Article Restricting Access to the System Request Function - Why? By Dan Riehl - SecureMyi.com The IBM 5250 keyboard layout used by IBM i defines a special keyboard key as the System Request (SYSREQ) key. Technicians use this key to perform various tasks including canceling a previous request, displaying information about the current job, sending messages, displaying the QSYSOPR message queue, etc. While the SYSRQS key does provide some great capabilities for programmers and operations technicians, in the hands of a dishonest or unwitting user, the use of the key can be the cause of some real problems. In this article I'll first discuss the vulnerabilities and problems inherent in the SYSRQS key, followed by instructions on how to restrict access to the key to prevent its use. I highly encourage you to consider locking down the SYSRQS function to only those users who have a demonstrated need to use the function. Here is a snapshot of the System Request menu. System Request System: MYSYSTEM Select one of the following: 1. Display sign on for secondary job 2. End previous request 3. Display current job 4. Display messages 5. Send a message 6. Display system operator messages 7. Display work station user 80. Disconnect job 90. Sign off Selection __ F3=Exit F12=Cancel What are Some of the Main Exposures? The SYSRQS key can be used to acquire a full list of your application libraries and database files, along with the description of each database file, e.g. PAY001P - Payroll Master File. And, in a little known hacking exploit, the SYSRQS key can be easily be used to enumerate all of the users enrolled on the system. *Read More . .*
In This Issue Featured Article - Restrict SYSRQS Key Security Shorts - Your last SAVSYS? Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i Open Security Foundation - DataLoss DB National Vulnerability Database - NIST PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Industry News for IBM i Security Kisco Announces New Release of Password Reset for IBM i Kisco Information Systems has announced Release 2 of iResetMe which is an end-user password reset utility that addresses the issue of re-activating disabled and expired profiles. See the Press Release Live Security Related Webcasts and Training for IBM i August Events Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Training Workshop - Aug 18-22 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend IBM i Encryption in a Snap! Live Webcast - By IBM Systems Magazine - Sponsored by Enforcive Thursday, August 21 1:00 pm CDT More Information and Register to Attend September Events Live Hands-On - Expanded Security Workshop for IBM i, iSeries AS/400 with Dan Riehl Training Workshop - Sep 8-11 - Presented by The 400 School, Inc. Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop with Dan Riehl Training Workshop - Sep 25-26 - Presented by The 400 School, Inc. Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend
Security Shorts When was your last SAVSYS, SAVCFG, SAVSECDTA ? By Dan Riehl - SecureMyi.com Backup and Recovery is an area that is critical to the security and integrity of our systems. If someone accidentally wipes out a file, or in the event of a large scale disaster, it's critical we have all of the pieces needed to recover the file, or the entire system. We typically have a pretty good handle on when we last backed up our User Libraries, our Document Library objects, and the root '/' file system. But what about the last save of the operating system? And what about our user profiles and security data and our system configuration objects? When was that data last backed up? And what tape or other media contains the last backup? When we save a library using the SAVLIB command, objects are marked with the save date and save device information, as long as we specify UPDHST(YES). But when we save the operating system, the objects that are saved are not marked with the save information. The same is true when we save user profiles and configuration data. The saved objects are not updated with the last save date. IBM has supplied some special purpose data areas in the QSYS library that are updated with the save date and save device information when we perform certain save operations. When we save our security data (including user profiles) using the command Save Security Data (SAVSECDTA), the special data area QSAVUSRPRF in QSYS is updated to reflect the save date and time and save device information. Below is a list of various SAVE commands and the associated QSYS data area. Upon execution of the command, the data area is updated. Save Command Data Area Updated* SAVCFG QSAVCFG SAVLIB ALLUSR QSAVALLUSR SAVLIB IBM QSAVIBM SAVLIB NONSYS QSAVLIBALL SAVSECDTA QSAVUSRPRF SAVSTG QSAVSTG SAVSYS QSAVSYS, QSAVUSRPRF, QSAVCFG SAVSYSINF QSYSINF Viewing the Last Save Date and Device To view the last save information, you display the object description (DSPOBJD), you don't display the content of the data area. You can start with the command Work with Objects (WRKOBJ), as shown here: WRKOBJ OBJ(QSYS/QSAV) OBJTYPE(DTAARA)* This command allows you to work with all the data areas in the QSYS library that start with the characters QSAV. This results in the following display: Work with Objects Type options, press Enter. 2=Edit authority 3=Copy 4=Delete 5=Display authority 7=Rename 8=Display description 13=Change description Opt Object Type Library Attribute Text _ QSAVALLUSR DTAARA QSYS S/R DIRECTORY INFO FOR SAVE _ QSAVCFG DTAARA QSYS S/R DIRECTORY INFO FOR SAVE _ QSAVIBM DTAARA QSYS S/R DIRECTORY INFO FOR SAVE _ QSAVLIBALL DTAARA QSYS S/R DIRECTORY INFO FOR SAVE _ QSAVSTG DTAARA QSYS S/R DIRECTORY INFO FOR SAVE _ QSAVSYS DTAARA QSYS S/R DIRECTORY INFO FOR SAVE 8 QSAVUSRPRF DTAARA QSYS S/R DIRECTORY INFO FOR REST Place option 8(DSPOBJD) next to one of the data areas. In the example, we chose QSAVUSRPRF to see when we last saved our security data (including user profiles). Scroll through the resulting list to see the last Save Date, and Save Volume. If you simply want to examine one of the special SAVE data areas, you can use the command DSPOBJD. Here's an example that can be used to display the information on the last time we did a SAVSECDTA. DSPOBJD OBJ(QSAVUSRPRF) OBJTYPE(DTAARA)** While We're Here: Where IS Your SAVSYS? While we're here discussing saving the system and its different pieces, check to make sure you're routinely saving your user profiles and system configuration data. Also check to make sure you have a good SAVSYS backup media handy. You probably did a SAVSYS operation the last time you made a major change to the operating system, like an OS upgrade, or after applying a cumulative PTF package. If you don't have these backups available (SAVSYS, SAVSECDTA, SAVCFG), plan to do a the needed backups as soon as you can. You don't want to be stuck in a recovery scenario needing to go back to the original IBM distribution media. That would be a disaster on top of a disaster.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi IT Security and Compliance Group In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Software Selection & Configuration Security and Systems Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops ILE RPG IV Programming Workshop RPG/400 Programming Workshop IBM i COBOL Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Audit Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017