SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - July 10, 2013 - Smart Security for Sensitive IBM i CL Commands

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i July 10, 2013 - Vol 3, Issue 32

	Feature Article Smart Security for Sensitive IBM i CL Commands By Dan Riehl - SecureMyi.com Several IBM supplied Control Language commands have restrictions on their use. Commands like CRTUSRPRF(Create User Profile) and CHGUSRPRF(Change User Profile) require that the user have, at the minimum, SECADM special authority. Other commands like PWRDWNSYS(Power Down System) and ENDSBS(End Subsystem) can only be used by users with JOBCTL special authority. Most commands, however, are available for use by any user on the system. Commands can be run directly from the command line, executed from within a program or batch job stream, or can be run through network interfaces like RMTCMD(Remote Command), FTP and ODBC/JDBC(using the QCMDEXC program). Each command has an attribute that specifies whether limited capabilities users can enter the command at the command line. A user is identified as 'limited' if their user profile specifies *LMTCPB(YES). There are only a handful of commands that allow 'limited' users to run the command at a command line. These are commands like DSPJOB(Display Job) and DSPMSG(Display Messages). We consider 'limited capability' users as being restricted from using the command line. In reality, they CAN enter commands at a command line, as long as the particular command allows for it. For more information, see our Youtube Video on Misconceptions about the Limited Capabilities attribute on a User Profile*. Since there are so many different methods to run commands, and so many different types of user capabilities and special authorities, it is important to tightly control some of the more powerful and sensitive commands. On most systems, a majority of the users have JOBCTL special authority. I have heard countless reasons for this configuration debacle, which I will not rehash here. The point here is that the powerful commands available to these users must be controlled. The ability to use commands like PWRDWNSYS, ENDSBS and ENDSYS should not be available to every user with JOBCTL, but should be restricted to a very small group of users. Read More*
In This Issue Featured Article - Securing CL Commands Security Shorts - Changing Journal Options Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources John Earl Memorial Tribute IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 Open Security Foundation - DataLoss DB PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i July Events Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i with Dan Riehl Full Length Training Workshop - July 10-11 Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i Security and Vulnerability Assessment Workshop for IBM i with Dan Riehl Full Length Training Workshop - July 15-18 Dan Riehl presents this 3.5-Day Live Online Hands-on Workshop. More Information and Register to Attend Get your FTP Server into Compliance Live Webcast - Presented by Linoma Software Thursday, July 18 Noon CDT More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Full Length Training Workshop - July 23-26 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend An Introduction to PCI Compliance on IBM Power Systems Live Webcast - Presented by PowerTech Thursday, July 24 1:00pm CDT More Information and Register to Attend August Events Live Hands-On - Expanded Control Language Programming Workshop with Dan Riehl Full Length Training Workshop - August 19-23 Dan Riehl, Co-Author of the textbook Control Language Programming for the IBM i presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend September Events Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Full Length Training Workshop - September 9-13 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend COMMON 2013 Fall Conference and Expo Three Day Conference and Expo - September 9-11 Renaissance Grand St. Louis � St. Louis, Missouri More Information and Register to Attend

Security Shorts Changing Journaling Options on the Fly By Dan Riehl - SecureMyi.com A while back, I was confronted with a task in which I needed to change the journaling characteristics of a physical file. The file was being journaled with AFTER images only, and I needed to change the journaling option to capture BOTH the before and after images of database record changes. I suspected I would need to end journaling of the file and then start journaling (STRJRNPF) with the BOTH (before and after images) option. I didn't know all the ramifications that the stop and start would have, but I knew that I wanted to avoid it if possible. I was unaware of any way to do this. So I needed to check whether there was a way to change the journaling characteristics without ending the journaling of the file on a live system. I used the CL command GO CMDJRN to review commands that relate to journaling, and I found the Change Journaled Object (CHGJRNOBJ) command. I prompted the command (F4) and pressed F1 to review the command help text. It turns out that the command was exactly what I was looking for. The CHGJRNOBJ command was introduced by IBM back in OS/400 V5R3. Here's a snippet from the command online help text from IBM. The Change Journaled Object (CHGJRNOBJ) command changes the journaling attributes of a journaled object without the need to end and restart journaling for the object.* *The command can be used to change the Images (IMAGES) value for a database file (FILE) or a data area (DTAARA) object without the need to end and restart journaling for the object.* The command can be used to change the Omit journal entry (OMTJRNE) value for a database file (FILE), an integrated file system stream file (STMF) or directory (DIR) object without the need to end and restart journaling for the object. Only one journaling attribute can be changed at a time.* Because I needed to change the IMAGES attribute from AFTER to BOTH, I used the command: *CHGJRNOBJ OBJ((MYLIB/MYFILE FILE)) ATR(IMAGES) IMAGES(BOTH) Then, in order to omit the Open and Close journal entries I used the command: CHGJRNOBJ OBJ((MYLIB/MYFILE FILE)) ATR(OMTJRNE) OMTJRNE(OPNCLOSYN)* As the help text says, you can change only one attribute per execution of the command--thus the need to run the command twice, once for each attribute to be changed.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops ILE RPG IV Programming ILE COBOL Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Auditing Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017