SecureMyi.com Security and Systems Management Newsletter for the IBM i                 June 12, 2013 - Vol 3, Issue 30
Live Online Workshops - from The 400 School

Security Study

Security? See how SKYVIEW PARTNERS can help!

Feature Article

What is an Exit Point? And How do I Write Exit Programs?

By Dan Riehl

Is There a Security Problem with IBM i?

The IBM i security architecture is VERY robust when we take the time to properly configure our user applications and system settings.

However, security exposures can be introduced by network-data-access tools like FTP and ODBC, but these do not indicate a failing on the part of IBM i security. Rather, the object level authority(i.e. permission) you provide to a user for "green screen" access using menus and textual screens is usually not the same authority you want to allow using network tools like FTP and ODBC.

The same object-level authority that enables a user to view the contents of the Payroll file is the same authority needed to download the file to a PC and post the content on the Internet. IBM recognized the potential areas for abuse and has provided an "Exit Point" facility to let you audit and control these sensitive network access points.

One important point on the need for Exit Programs is that without an Exit Program in place, the IBM i operating system provides NO LOGGING of access when tools like FTP are used. There is no FTP Log. So, Who downloaded your most sensitive file today? There is no way to know. Given that fact, Exit Programs that can audit and control server activities are an essential requirement for security and compliance.

This article describes how you can audit and control access using Exit Programs. I'll specifically show you an Exit Program, written in Control Language, that you can use to audit and control the FTP server Logon process for the IBM i.

What exactly is an Exit Point?

An exit point is simply a point in an application at which the application can optionally call an external program to perform customized processing. The IBM i FTP logon server application includes an exit point where you can hook your own program into the FTP logon processing logic to control who can log on and what will occur when a logon attempt is made. To tell the FTP server that you have an exit program, you use the WRKREGINF (Work with Registration Information) or ADDEXITPGM (Add Exit Program) command. We'll see the actual ADDEXITPGM command shortly.

Once you have registered your exit program, whenever a user attempts to log on to the FTP server, the server finds your program that's registered for the exit point, then calls your exit program, passing as parameters information about the user who's logging on. Your exit program then processes that information and takes the appropriate action, according to the security rules you implement in the exit program. Upon return, your exit program passes back a flag to either ACCEPT or REJECT the logon attempt.

Let's look at an example to help clarify what a simple exit program can actually perform and how it interacts with an IBM supplied server process.

Read More

In This Issue


Featured Article - Using Exit Programs

Featured Video - Worms Virus & Malware

Security Shorts - Logon with No Password?

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i? Visit RZKH.de

Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    The PowerTech Group

    Skyview Partners, Inc

Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

John Earl Memorial Tribute - Jan 2013

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1


Open Security Foundation - DataLoss DB

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter




Follow SecureMyi on YouTube






Security software

IBM i Security Calendar of Events


Live Security Related Webcasts and Training for IBM i

Top 5 Single Sign-on Myth-Buster Myths
with Patrick Botz

Live Webcast - Presented by Skyview Partners
Wednesday, June 12 10:00am CDT
More Information and Register to Attend

Developing Secure Applications
Live Webcast - Presented by PowerTech
Wednesday, June 12 1:00pm CDT
More Information and Register to Attend

IBM i Encryption Simplified with DB2 Field Procedures
Live Webcast - Presented by Linoma Software
Thursday, June 13 Noon CDT
More Information and Register to Attend

Logging for Compliance & SIEM Integration for IBM i
Live Webcast - Presented by Townsend Security
Wednesday, June 19 Noon CDT
More Information and Register to Attend

5 Must-Control Access Points for Optimum IBM i Security and Compliance
with Guy Marmorat - President Cilasoft

Live Webcast - Presented by Cilasoft Security Solutions
Thursday, June 27 Noon CDT
More Information and Register to Attend

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Full Length Training Workshop - June 17-21
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 10-11
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On IBM i Security Assessment Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 15-18
Dan Riehl presents this 3.5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Get your FTP Server into Compliance
Live Webcast - Presented by Linoma Software
Thursday, July 18 Noon CDT
More Information and Register to Attend

Live Hands-On - Expanded Security Workshop for IBM i
with Dan Riehl

Full Length Training Workshop - July 23-26
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

COMMON 2013 Fall Conference and Expo
Three Day Conference and Expo - September 9-11
Renaissance Grand St. Louis St. Louis, Missouri
More Information and Register to Attend


Security? See how SKYVIEW PARTNERS can help!





Featured YouTube Educational Video

IBM i Security

Is IBM i Vulnerable to Virus, Worms and other Malware?

Featured Video - IBM i Security - Is the IBM i Vulnerable to Virus, Worms and other Malware?

Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file
Live Online Workshops - from The 400 School

Security Shorts -

Logon to the IBM i   -   No UserID or Password Required

By Dan Riehl

Did you know that it may be possible to logon to your IBM i using a non-existent UserID and no password?

One such method is by using a variant of "Anonymous FTP". Anonymous FTP is typically implemented in such a way that the FTP user logon prompt is answered with a userID of ANONYMOUS, and the password prompt is replied with an email address like user@mydomain.com. The user is then logged-on and is typically restricted to sending or receiving files from a PUBLIC directory. Some companies use this ANONYMOUS FTP technique to allow public downloads of product manuals, software fixes, public documents, etc.

You can implement ANONYMOUS FTP on the IBM i by writing or buying specialized FTP server exit point programs that interface with the IBM i FTP server.

In order to implement this ANONYMOUS FTP logon, the exit program attached to the FTP logon process must instruct the FTP server to bypass UserID and Password checking. ANONYMOUS and user@mydomain.com are typically not a valid IBM i UserID and Password combination.

With this in mind, it is possible for an FTP LOGON exit program to completely circumvent the security of your system. If a nefarious technician can add an exit program to your FTP server Logon process, that program could potentially allow a non-existent UserID to logon through FTP as a system administrator with *ALLOBJ authority without providing a valid UserID or Password.

In the above Feature Article "What is an Exit Point?", I discussed the FTP server Logon exit point program. In that article you can glean the information needed to allow a user to bypass user and password checking, and to redirect the server to logon a user as any valid user profile including powerful *ALLOBJ system administrator users.

This information is also available in any article or document that discusses the implementation of ANONYMOUS FTP on the IBM i. The purpose of the Feature Article was to show how to audit all FTP logon attempts and to sound the alarms when a suspicious Logon attempt occurred.

Protect your System!

Since the FTP logon exit program can bypass user and password checking, you must be vigilant in protecting the exit point as well as the other network logon exit points from rogue programs.

To check to see if there may be an FTP Logon exit program in place on your system, use the command WRKREGINF(Work with Registration Information) and find the entry for the Exit Point named QIBM_QTMF_SVR_LOGON. This is the exit point for the FTP server Logon process. Select option 8 to see if a program is registered for this point. If a program is listed, you need to make sure you know exactly what the program is doing. If you do not know what the program is, or what it is doing, you really need to find out, or remove it until you can verify what it is.

Note: If you are running a commercial network exit point product, there will be a program listed here. If you remove the program from the exit point, you may be removing some protections and auditing capabilities that are provided by the security software vendor's exit program.

If you want to monitor your system for any changes to the system exit point program registry, you can turn on auditing for any changes to the exit points. This will allow you to monitor for the addition or change of any exit point programs.

For information on how to audit the exit point program registry see my article 'Who Removed My Registered Exit Program' in the Security Shorts section of the January 4, 2012 issue of the SecureMyi Security Newsletter.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert IBM i Security Consulting
IT Security and Compliance Group. LLC


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc


Customized IBM i (AS/400) Training -
    Presented Live at your offices


Live Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop





Security? See how SKYVIEW PARTNERS can help!
Live Online Workshops - from The 400 School


Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2013 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017