SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - December 5, 2012 - The "Hidden" Security Configuration Options

Tweet
December 5, 2012 - Vol 2, Issue 20

	Feature Article The "Hidden" Security Configuration Options of IBM i By Dan Riehl Dan is the Editor of the SecureMyi Security Newsletter and an IBM i Security Specialist for the IT Security and Compliance Group, LLC. Dan also teaches numerous IBM i technical classes, including Security classes, through The 400 School, Inc. Editors Note: The Featured Video in this issue contains additional information on the topic of the "Hidden" Security Configuration Options of the IBM i. There are vast concealed treasures in some of the deep, dark recesses of our wonderful IBM i - hidden configuration options that give you tighter, more customized control. For many of us, these treasures have been elusive, yet they've been so close at hand. Just a click away, a CL command away. IBM hasn't tried to keep these treasures hidden, but, as far as I know, IBM hasn't gone out of its way to educate us about them either. These "hidden" configuration options let you customize access to several security-, system-, and network-related functions through a simple CL command interface or through Navigator for i (Navigator, for short). The CL commands Work with Function Usage (WRKFCNUSG), Change Function Usage (CHGFCNUSG), and Display Function Usage (DSPFCNUSG), are the command interfaces to these "hidden" configuration options. Navigator provides access to these configuration options through a little-known application I discuss shortly. What Is "Function Usage"? Sensitive Control Language commands and system operations are typically restricted to a select group of users through a combination of object authorities (i.e., are you authorized to use the command?) and special authorities (i.e., do you have the special authorities (e.g., SECADM, JOBCTL) required to run this command or function?). Function Usage is an additional hidden layer placed on certain sensitive operations. For example, to create a user profile, a user needs to be authorized to use the command Create User Profile (CRTUSRPRF), and then the CRTUSRPRF command checks whether the user running the command has Security Administrator (SECADM) special authority. If so, the profile can be created. In this case, no additional hidden Function Usage configuration options are involved. When a user wants to examine the active joblog of an ALLOBJ user (e.g., QSECOFR), however, the user must be authorized to the DSPJOBLOG command, must have Job Control (JOBCTL) special authority, and must have ALLOBJ authority. Those are the system's default rules. But by changing the hidden configuration options of Function Usage, you can override the rules to let anyone with JOBCTL special authority view the active joblog of the ALLOBJ user. Because these configuration options are hidden in Function Usage, most of us concede to giving the operations staff ALLOBJ authority. There seems to be no other way of allowing them to view the active joblog of an ALLOBJ user when the job has failed. They must be able to troubleshoot the problem by viewing the active joblog. But we can change the rules by changing the Function Usage. Viewing the JOBLOG of an ALLOBJ User Job IBM maintains a registry of functions that provide "hidden" configuration options via Function Usage. One of the functions, as we've discussed, is the configuration of which users can view the active joblog of an ALLOBJ user job. The registered name of that function is QIBM_ACCESS_ALLOBJ_JOBLOG. Read More.
In This Issue Featured Article - "Hidden" Security Options Security Shorts - Numeric UserID/Password Featured Video - "Hidden" Security Options Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Our Newsletter Sponsors Platinum Sponsor Cilasoft Security Solutions Gold Sponsor The PowerTech Group Skyview Partners, Inc Sponsor The 400 School, Inc	IBM i Security Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i Configuring and Consolidating Real-Time Security Alerts Live Webcast - Sponsored by Powertech Tuesday, December 11 1:00 PM CST More Information and Register to Attend IFS Security: Don't Leave Your Server Vulnerable Live Webcast - Sponsored by Powertech Wednesday, December 19 1:00 PM CST More Information and Register to Attend IBM i Encryption Made Easy with DB2 Field Procedures Live Webcast - Sponsored by Linoma Software Thursday, January 24 12:00 PM CST More Information and Register to Attend SkyView Security Deep Dive Training for IBM i - With Carol Woodbury Live Classroom Training - Presented by Skyview Partners Instructor - Security Expert Carol Woodbury Four Full Days - January 28-31 Location - Seattle, WA - Pan Pacific Hotel More Information and Register to Attend Live 4-Day Hands-On Expanded Security Workshop for IBM i Full Length Training Workshop - February 5-8 9:00am - 4:00pm CST Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i. More Information and Register to Attend April 7-10 - COMMON - User Group 2013 Annual Conference and Exposition - Austin, TX
Featured YouTube Video Discover and Control The "Hidden" Security Options for IBM i Cannot Access Youtube from your office? Here is the presentation in wmv format.
Security Shorts - All Numeric Passwords and User IDs By Dan Riehl My UserID is 77 and My Password is 123456 Naming rules for the IBM i state that an object name must begin with an alphabetic character including A-Z, #, $, @, and that the remaining characters (up to 10 in total) can contain A-Z, 0-9, #, $, @, _ ,and a .(period). The object names are not case sensitive. However, when it comes to user profile names and passwords, an interesting phenomenon occurs. When we create a user profile, we specify a user profile name and, optionally, we specify a password, as in the following example. (For these examples, we assume a Password Level (QPWDLVL) of 0 or 1, limiting a password to a maximum length of 10 characters.) CRTUSRPRF USRPRF(BOBSMITH) PASSWORD(PASS1WORD5) Now, when the user needs to log on, his user ID is BOBSMITH, and his password is PASS1WORD5. Simple and straightforward. But consider this next example: CRTUSRPRF USRPRF(Q12345) PASSWORD(Q11111) When a user profile is created using this command, the user can actually log on using two different user IDs and two different passwords. It's a bit weird, but let me explain. The user can log on with user Q12345 with a password or Q11111. The user can log on with user Q12345 with an all-numeric password of 11111. The user can log on with an all-numeric user 12345 with a password of Q11111. The user can log-on with an all-numeric user 12345 with an all-numeric password 11111. The secret to this weird support lies in the first character of the user or password being the specific letter Q, followed only by digits. When this is the case, the letter Q becomes an optional part of the user or password during the system logon process. You can view more about this Q digit support by reviewing the F1=Help text of the CRTUSRPRF(Create User Profile) command. As the system administrator, you can enforce policy to disallow the creation of a Q digits user profile, but a user can change his or her password to a Q digits password using the Change Password (CHGPWD) command and/or Change Password API. In order to restrict users from setting their passwords to Q digits (e.g., Q11111), you can either set the system value QPWDLMTAJC to the value 1 or include the value DGTLMTAJC in the system value QPWDRULES*. Either of these settings prohibit the use of adjacent digits in a password when changed by the user.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Special Winter Class Discounts Intro RPG IV Programming - Jan 7-11 Intro System Operations - Jan 14-16 Expanded Operations - Jan 14-18 System Admin & Control - Jan 28-Feb 1 Expanded Security Workshop - Feb 5-8 Concepts & Control Language - Mar 4-8 www.400School.com

Send your IBM i Security Related News and Events! Send your Questions, Comments, Tips and Stories Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017