SecureMyi.com Security Newsletter for the IBM i iSeries and AS/400 - June 20, 2012 - Mysteries of the QUSEADPAUT System Value - IBM i 6.1 Password Difference

Tweet
June 20, 2012 - Vol 2, Issue 11

	Feature Article Mysteries of the QUSEADPAUT System Value By Dan Riehl The QUSEADPAUT system value was introduced several years ago to address the concern that there was no way to keep adopted authority from flowing down the call stack to all subprograms. Whenever a program adopted authority, downstream programs had no way to turn off that adopted authority. A short History of QUSEADPAUT I recall when we, the AS/400 user community, back then, asked IBM for a way to create an adopting program that didn't propagate the adopted authority down the stack. We wanted an attribute we could set in the adopting program that said, "This program will adopt but will not pass the adopted authority to any other program." We wanted to contain the adoption within the adopting program itself and not pass it on. With that functionality, we could control the use of adopted authority very granularly. We could adopt authority in a program that needed additional authority and specify that the program not pass that adopted authority to any called programs. That way we could easily control which programs adopted authority and never worry about the adopted authority being propagated outside of the program. That's what we asked for. When IBM announced its version of the solution as a PTF to version 3.1 of the OS, we were all a bit dismayed. IBM didn't let us stop the propagation within the adopting program; instead IBM let us set a flag in a called program as to whether the called program was going to use the adopted authority passed to it. It was exactly backwards from what we had asked for. I'm sure many of you remember that discussion. We wanted control from within the adopting and CALLing program. IBM supplied USEADPAUT to provide control inside the CALLed programs. I wish IBM had done it the other way. But, IBM ultimately got it right when they released the Built-In MI function MODINVAU, which can be used to stop the propagation of authority outside the adopting program or a program running under adopted authority. See the sidebar "Stop Adoption in the Calling Program using MODINVAU," Read More...
In This Issue Featured Article - Mysteries of QUSEADPAUT Security Shorts - Managing User Profiles Industry News and Calendar Security Resources Quick Links SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Please Visit Our Sponsors Platinum Sponsor Cilasoft Security Solutions Gold Sponsor The PowerTech Group Sponsor Skyview Partners, Inc The 400 School, Inc	IBM i Security and Audit Resources IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security News Bytes LinkedIn Passwords Hacked LinkedIn was recently hacked for possibly millions of member passwords. Details are still emerging. If you have not yet changed your LinkedIn password, I encourage you to do so. In response to the attack, IBM i security and encryption vendor Townsend Security has created a webcast focusing on the LinkedIn password hack and other related incidents. Townsend Security Webcast On LinkedIn Breach Cilasoft Introduces "EAM" - Elevated Authority Manager For IBM i Elevated Authority Manager(EAM) is a software solution that allows you to temporarily provide elevated capabilities to specified users; including reports, alerts, and a full audit trail of activities. More information and Download a Trial Skyview Partners Introduces Managed Services for IBM i and AIX Compliance SkyView Partners announced a new managed service for both the IBM i and AIX platforms. The new service covers monthly compliance monitoring and annual vulnerability assessments and includes licenses of SkyView’s compliance related software. See More Information from Skyview IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i Coffee with Carol Step by Step Approach to Implementing Object Level Security Webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners Wednesday June 27 10:00 AM CDT More Information and Register to Attend Live 4-Day Hands-On Expanded Security Workshop for IBM i Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i. More Information and Register to Attend

Security Shorts - Caveat - Managing User Profiles Under Adopted Authority By Dan Riehl We often use the facility called "adopted authority" to allow a user to perform operations that they have no inherent authority to perform. For example, many of us use adopted authority to allow help desk users to reset a blown password or reset a user status from DISABLED to ENABLED. You can also use adopted authority to allow the help desk to create user profiles or change other attributes of existing user profiles. But there is one major caveat when creating or changing user profiles under adopted authority; adopted authority cannot be used to assign a user to a group profile. As an example, a help desk user runs a program to create a user profile. The program adopts the authority of Security Officer (QSECOFR), temporarily making the user "all powerful." But in order to assign a user to a group profile (or supplemental group profile), the help desk user must have his or her own authority to the group profile being assigned to the user. Adopted authority cannot be used to assign the group. The IBM documentation states that the user creating or changing the profile must have CHANGE and OBJMGT rights to the group profile in order to assign a user to the group and that the authority cannot come from the use of adopted authority. This bothered me, as I did not want to give the help desk users that much authority to groups that they may need to assign. With CHANGE authority, the help desk users would be able to run jobs as the group or otherwise hijack the group. (For more information on this exposure, see my article on "Protecting Your User Profiles.") In my testing, I was able to confirm that I could remove the EXECUTE right for the help desk user to the groups they need to assign, thereby preventing the misuse of the group profiles. So, yes, you assign the help desk users CHANGE and OBJMGT rights to the group profile they need to assign and then remove their *EXECUTE rights, in order to protect the group from being misused. It is interesting that the help desk users can change the other attributes of a user profile while running under QSECOFR adopted authority, but they cannot assign a new group to which they are not authorized. See the IBM support document on this topic.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert Level Security Consulting IT Security and Compliance Group, LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Live Online Hands-On Workshops Special Fall/Winter Class Discounts Now Accepting Credit Cards IBM i System Operations Jun 25-29 IBM i System Administration Jul 16-20 IBM i Security Workshop Aug 21-24


Send your IBM i Security Related News and Events! Advertise in SecureMyi.com Security Newsletter Copyright 2012 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017