SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - July 18, 2012 - Top 5 Security Questions by Carol Woodbury

Tweet
July 18, 2012 - Vol 2, Issue 13

	Feature Article The Top 5 Security Questions for IBM i By Carol Woodbury Skyview Partners, Inc. It seems as though wherever I go, some common questions are asked. So I thought I’d take a few moments and answer them for everyone. Here we go (in reverse order.) Question #5: What is primary group authority? Primary group authority was created to accommodate the concept of group authority in UNIX. It was added to OS/400 when IBM added support for the Integrated File System (IFS). All of these functions were added to facilitate porting UNIX applications to run on OS/400. Primary group authority can only be given to a group profile. In addition, only one group profile can be the “primary group” of an object. Primary group authority is very similar to a private authority granted to a group profile. The biggest difference is that the primary group and its authority are stored in the header of the object (vs with the user profile as private authorities are). And primary group authority is checked before any private authorities the group may have; therefore, there is a slight (and I do mean slight) performance gain when using primary group authority. The gain is so small it’s not worth the time it would take to change your security configuration. Question #4: What authority is required to run (name your favorite command)? Appendix D in the IBM i Security Reference lists all of the Control Language commands, along with the authority needed to run each command. The commands are listed by the type of object they act on, for example, user profiles, jobs and so forth. At the end of each command group are notes listing additional requirements, for example, the fact that users running the user profile commands must have SECADM special authority. Question #3: Isn’t adopted authority dangerous and shouldn’t it be avoided? Adopted authority allows you to temporarily grant users the ability to perform a task without having to assign them the authority permanently. Read More...*
In This Issue Featured Article - Top 5 Questions Security Shorts - Restricting System Request Featured Video - Hidden Security Configuration Options Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Thank You To Our Sponsors: Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Skyview Partners, Inc Sponsor Cilasoft Security Solutions	IBM i Security and Audit Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes Raz-Lee Security introduces latest security product for IBM i - iSecurity Command iSecurity Command provides the ability to control CL commands, their parameters, origin, context (i.e. the program which initiated the CL command), the user issuing the CL command, etc., and provides easy-to-define ways to react to these situations. According to Raz-Lee Vice President Eli Spitz , "iSecurity Command is the only product that has the ability to refer, for analysis or change, to each part of a complex parameter separately, as well as to the parameter as a whole." More Information and Request a Demo Linoma Software Adds Japanese Firm to Team of Global Partners As Linoma Software continues to expand its global sales initiatives, it has added yet another sales partner to its team. Linoma president Bob Luebbe announced the new partnership with SOLPAC, a leading software and consulting firm based in Tokyo, Japan. SOLPAC will be marketing Linoma Software’s managed file transfer solution, GoAnywhere, to Japan, Thailand, and Vietnam. More Information on the Partnership IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i How to Track Sensitive Database Changes at the Field Level Webcast - Sponsored by Cilasoft Security Solutions and Read Technologies Wednesday July 18 10:00 AM CDT More Information and Register to Attend Configuring and Using IBM i Auditing Functions Webcast - Sponsored by Powertech Thursday July 19 1:00 PM CDT More Information and Register to Attend IBM i: Achieving PCI 2.0 Compliance with Virtual and Cloud Computing iProDeveloper Webcast - Featuring Mel Beckman - Sponsored by Enforcive Thursday July 26 11:00 AM CDT More Information and Register to Attend Live 4-Day Hands-On Expanded Security Workshop for IBM i Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i. More Information and Register to Attend

Featured YouTube Video IBM i Security - The Hidden Security Configuration Options Cannot Access Youtube from your office? Here is the presentation in wmv format.

Security Shorts - Restricting Access to System Request - SYSRQS By Dan Riehl The IBM 5250 keyboard layout used by the IBM i defines a special key as the System Request (SYSREQ) key. Technicians use this key to perform various tasks including canceling a previous request, displaying information about the current job, sending messages, displaying the QSYSOPR message queue, etc. Here is a snapshot of the System Request menu. System Request System: SECUREMYI Select one of the following: 1. Display sign on for secondary job 2. End previous request 3. Display current job 4. Display messages 5. Send a message 6. Display system operator messages 7. Display work station user 80. Disconnect job 90. Sign off Selection __ F3=Exit F12=Cancel What is the Exposure? While the SYSRQS key does provide some nice capabilities for technicians, in the hands of an end user, or unwitting power user, it can cause some real problems. For example, a user just pressed ENTER to initiate a large series of production database updates, but, then immediately presses SYSRQS, and selects option 2 - to "Cancel the Previous Request". In the middle of this long series of database updates, the request is canceled, causing some of the updates to be applied, but not all. Now, we have a production database that is out of synch. So, the SYSRQS function, especially Option 2(Cancel Request) can cause major damage when used improperly. Restricting Access to SYSRQS I would expect that restricting access to the System Request menu would be a simple matter of restricting access to some IBM program that ran the SYSRQS menu. But, in searching for the answer, I was surprised to learn that IBM's preferred method of restricting access is to restrict access to the Panel Group(Screen Definition) of the menu. See IBM's discussion of this topic in the InfoCenter. See the IBM Software Support Technical Document addressing this topic. The IBM supplied panel group object QGMNSYSR in the QSYS library is the key to restricting access to the System Request function. To prohibit all users on the system from using the System Request function, assign EXCLUDE authority to PUBLIC. *GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(PNLGRP) USER(PUBLIC) AUT(EXCLUDE)** Now when a user that does not have ALLOBJ authority tries to use the SYSRQS function, an authority failure will occur, which will prohibit the use of the function. The error message generated is: CPD2317 - No authority to use system request functions. Cause . . . . . : You tried to use the system request functions but you do not have the authority to do so. To use system request functions, you must have authority to use the panel group QGMNSYSR. Allowing for Exceptions Even if you restrict the SYSRQS function for PUBLIC, you will want to allow technical staff to continue to use SYSRQS. You can assign those users, but preferably group profiles, USE rights to the panel group, as in: GRTOBJAUT OBJ(QSYS/QGMNSYSR) OBJTYPE(PNLGRP) USER(IT_GROUP) AUT(USE)* *Important Note:* Remember to apply the change again each time you upgrade the operating system, since the panel group will be replaced by the upgrade, and your changes will be lost.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards IBM i System Administration Jul 16-20 IBM i Security Workshop Aug 21-24 Concepts & Control Language Sep 17-21 Fall Schedule Coming in Early August

Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017