SecureMyi.com Security and Systems Management Newsletter for the IBM i             February 12, 2014 - Vol 4, Issue 2
Security Training from SecureMyi.com

Security software from Powertech


Skyview Partners


Security Training from The 400 School

Feature Article

Checkup - CL Command Security Vulnerabilities

By Carsten Flensburg

Editors Note: This is an encore presentation of this great security utility(source code provided). The utility, written by Carsten Flensburg, is a "must have" for anyone serious about security assessment for IBM i. Oh--And as you'll see, Carsten's code is GREAT!

The IBM i Operating System includes several hundred Control Language(CL) commands, many of which provide access to critical and sensitive system and security functions. IBM puts a lot of effort into restricting access to these commands by setting public authority adequately and, if necessary, requires additional user profile special authority in order to successfully execute sensitive commands.

The commandís public or private authority could however for some reason be changed at a later point and so could the commandís Allow limited user attribute, which normally excludes end-users from running most CL commands. Add to this the number of user created commands and 3rd party vendor supplied commands that exist on most systems and youíre looking at quite a challenge in order to manage, monitor and audit access to the CL commands.

Are the CL Commands Created by IBM?

We often assume that all commands in the main operating system library QSYS were supplied to us by IBM. But, how can you be sure? User created commands possibly masquerading as legitimate IBM supplied commands may be implementing malware on your system. WRKCMDSEC can help you detect commands that were not created by IBM.

And the Validity Checking Program(VCP)?

Another area of Security/Audit concern is that a Validity Checking Program(VCP) may have been added to an IBM or Vendor supplied command. This method is used by some to enforce additional command rules or to add some additional logic to a CL command when it is used. A Validity Checking Program may also be used as an insertion point for potential malware.

The WRKCMDSEC command can help you determine if a command has a Validity Checking Program.

Commands for Limited Users

Each CL command(*CMD) definition contains an attribute named ALWLMTUSR(Allow Limited User) that determines if the command can be run at a command line by users that have been created as Limited Capabilities Users (i.e. LMTCPB(*YES)).

IBM ships certain non-intrusive commands like DSPMSG(Display Message) and DSPJOBLOG(Display Job log) as ALWLMTUSR(*YES), thereby allowing Limited Capabilities users to run these commands at a command line. But, for protection, IBM ships almost all CL commands with the setting ALWLMTUSR(*NO), in which Limited Capabilities Users cannot run the commands at a command line.

CL Commands like DLTLIB(Delete Library) and DLTF(Delete File) would be very dangerous in the hands of an end-user, but thankfully these are two of the commands that are shipped from IBM with the attribute ALWLMTUSR(*NO). For more information on the Misconceptions on User Limited Capabilities and Command Line access, see Dan Riehl's article in the July 10, 2012 issue of the SecureMyi Newsletter.

When it comes to a command's Allow Limited User attribute, there are occasions when a software vendor will ship you commands that allow limited users to use those commands. I have also seen occasions when a system administrator has changed the attribute on certain IBM and other vendor supplied commands to enable otherwise restricted users to run these commands at a command line. These commands may cause vulnerabilities when you rely upon a user's command line restriction to prevent them from running CL commands at a command line. Commands that are specified as ALWLMTUSR(*YES) CAN be run by a user that is command line restricted.

Read More and Download the Code

In This Issue


Featured Article - Command Vulnerabilities

Security Shorts - Control Adopted Authority

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives


Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


OSF - DataLoss DB

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter

Follow SecureMyi on YouTube


Software from Cilasoft


Security Training from The 400 School
Security Training from SecureMyi.com
Security news and Events


Live Security Related Webcasts and Training for IBM i

February Events

Coffee with Carol: PCI Update
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, February 12 10:00am CDT
More Information and Register to Attend

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - February 24-28
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Reduce the Cost and Effort of IBM i Auditing
Live Webcast - Presented by Powertech - For UK Audience
Thursday, February 27 1400 UK London
More Information and Register to Attend

March Events

Coffee with Carol: I want my Privacy!
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, March 5 10:00am CDT
More Information and Register to Attend

Live Hands-On - IBM i Concepts and Control Language Programming
with Dan Riehl

Training Workshop - March 3-7
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

April Events

Coffee with Carol: Cloud Security Review
with Carol Woodbury

Live Webcast - Presented by Skyview Partners
Wednesday, April 2 10:00am CDT
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Training Workshop - April 8-11
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

May Events

May 4-7 - COMMON - A User Group
2014 Annual Conference and Exposition - Orlando, FL
More Information and Register to Attend


Security software from Powertech

Skyview Partners

Security Training from The 400 School
Security Training from SecureMyi.com

Security Shorts -

Controlling Adopted Authority

By Dan Riehl

IBM has provided the MI built-in function MODINVAU to modify the Adopted Authority attributes of a program's invocation level. In effect, it allows you to control the propagation of Adopted Authority from within a program.

The MODINVAU function has one argument that can contain one of two values:

  • Hex 00 = Don't suppress adopted authority
  • Hex 01 = Suppress adopted authority

If '00' is specified, normal propagation of adopted authority to called programs and subprograms occurs. If '01' is specified, adopted authority is not propagated to called programs and subprograms. Here's an example of using the function in a Control Language program.


 Pgm
    CallPrc    Prc( '_MODINVAU' )   Parm(x'01')
    /* Suppress Adopted Authority */
    Go Main
 EndPgm

This simple program uses the MODINVAU function to flip the invocation authority switch so that any adopted authority is not propagated to subsequent programs. In this case, the program takes us to the menu name MAIN, and adopted authority is not in effect at the MAIN menu. When we exit from the MAIN menu by using F3, we return to the calling program, where any adopted authority is still in effect.

I suggest using this MI function in your application development to achieve more granular control over adopted authority. If a program needs adopted authority, create the program to adopt. But then also use the MODINVAU function to block the adopted authority from traveling down the stack to other programs. It's a much more elegant design than trying to take control of all your programs by using the USEADPAUT(Use Adopted Authority) program attribute.

If your adopting programs don't pass on their adopted authority, many security issues can be alleviated.

You can read more about MODINVAU in the IBM Information Center article on MODINVAU.

For additional information about Controlling Adopted Authority Check out this detailed IBM article.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming








Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

Intro RPG IV Programming
Intro RPG/400 Programming
IBM i COBOL Programming
Interactive Programming Workshops
Introduction to System Operations
Expanded System Operations Workshop
System Administration and Control
Expanded Security Workshop
Control Language Programming
IBM i Concepts and Facilities
Concepts & Control Language
Query Workshop

Security Training from SecureMyi.com

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017