July 10, 2012 - Vol 2, Issue 12
Due to the Independence Day holiday in the U.S. last week, the newsletter is being published on July 10 instead of the originally scheduled date of July 4, 2012.
Feature Article
By Dan Riehl

System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities. Allowing users full command-line access is dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your production customer file. A user who has command-line access can run any CL command that he or she is authorized to run.

IBM allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB (Limit Capabilities) attribute of the user profile. To create a user that has limited command-line capabilities, you use the CRTUSRPRF (Create User Profile) command as shown here:

    CRTUSRPRF... LMTCPB(*YES)

The common misconception regarding users with limited capabilities (i.e., LMTCPB(*YES)) is that these users cannot run any ad hoc CL command, such as WRKSPLF or DLTF CUSTOMER. In reality, a user with limited capabilities CAN run selected CL commands when provided with a command line. IBM ships certain CL commands with a special command attribute that specifies that limited capability users are allowed to run the command at a command line. These commands include:

See the Featured Video in this issue - Misconceptions on User Limited Capabilities
IBM i Security - Top Industry News

Help/Systems Acquires Safestone Technologies Ltd.

Help/Systems has completed another major acquisition in the IBM i Security/Compliance space with the addition of Safestone. Only a few years ago, Help/Systems acquired both Powertech and Bytware, two of the top players in the IBM i security/compliance space.

Help/Systems has long been a premier software provider for IBM i Operations Automation software with their Robot line of products, including the popular Robot SAVE and Robot SCHEDULE. They launched into the IBM i security space in 2007 with the introduction of Robot SECURITY. The later acquisitions of Powertech and Bytware provided the boost to be a top player in the IBM i security/compliance space. With the addition of Safestone, it is clear that Help/Systems now holds the majority market share of IBM i Security and Compliance software installations around the globe.

The UK-based Safestone has best been known for their DetectIT brand of security and compliance software for the IBM i. In recent years Safestone has broadened their reach past the IBM i space with "Compliance Center for IBM Power Systems", providing support for IBM i, AIX and Linux. In addition to providing AIX technical expertise and mature software products, Safestone brings a large international customer base to the table.

"Safestone’s large customer base and years of experience in security are a great fit for PowerTech and Help/Systems," explains Robin Tatam, Director of Security Technologies for The PowerTech Group. "The acquisition of Safestone allows us to retain a leading-edge technology and deliver the most innovative and comprehensive solutions for our customers’ security needs."

It is evident that Help/Systems, like other IBM i vendors, is looking to AIX to provide important steps for growth.
Security Shorts -
By Dan Riehl

Did you know that your end users and IT staff members may be able to change their own user profile? Almost all user profile attributes can be changed using the CHGPRF (Change Profile) command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc.

The CHGPRF command ships from IBM as *PUBLIC use, so it is available for general use. As you might suspect, the user must have at least *USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kinds of changes.

Certain parameters of the CHGPRF command are sensitive to the LMTCPB (Limit Capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can, however, change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes, like job description, user options, output queue, printer and even the textual description of their user profile.

You may be thinking that this is not really such a big deal, since the only people on your system that can run this command are IT folks and a limited number of users that have access to the command line. Users that are defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But any user that has IBM i Access (Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command.

It's as simple as going to a DOS prompt and running the command:

    RMTCMD CHGPRF INLMNU(MAIN) JOBD(QGPL/HIGHPRI) TEXT('I am so cool')

The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity.

My recommendation to you is to change the object authority of the CHGPRF command to make it *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT (Edit Object Authority) command or the GRTOBJAUT (Grant Object Authority) command.
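The recommended authority change, written out as a short CL program using GRTOBJAUT. This is an added example, not code from the newsletter; the group profile ITSECADM is a hypothetical name for the administrators who should keep access to the command.

```cl
/* Added example: restrict CHGPRF to a named administrators group.  */
/* ITSECADM is a hypothetical group profile; substitute your own.   */
PGM

  /* Replace the shipped *PUBLIC use authority with *EXCLUDE.       */
  GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) +
             USER(*PUBLIC) AUT(*EXCLUDE)

  /* Give the administrators group explicit *USE so its members     */
  /* can still run the command.                                     */
  GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) +
             USER(ITSECADM) AUT(*USE)

  /* Print the resulting authorities to confirm the change and      */
  /* keep a record of it.                                           */
  DSPOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) OUTPUT(*PRINT)

ENDPGM
```

Because the authority is checked on the command object itself, it applies whether CHGPRF arrives from a command line or through RMTCMD. Profiles with *ALLOBJ special authority are not restricted by the *EXCLUDE setting.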
Copyright 2012 - SecureMyi.com, all rights reserved. SecureMyi.com, St Louis MO 63017