SecureMyi.com Security and Systems Management Newsletter for the IBM i             November 12, 2014 - Vol 4, Issue 19
Security Training from Skyview

The SecureMyi Newsletter will be taking a Holiday for Thanksgiving Week and will return on December 10!

Have a Wonderful Thanksgiving Holiday!



Security software from Powertech



Skyview Partners



Training from The 400 School

Feature Article

Create User Profile - Forcing Policy on IBM i

By Dan Riehl - SecureMyi.com

When creating User Profiles on the IBM i, whether through a Control Language command like Create User Profile (CRTUSRPRF) or through the IBM i Navigator for Windows interface, you have the option to include your own customized processing when the profile is created. Through this customised processing, you can help enforce your security policy regarding the creation of User Profiles.

In the October 22, 2014 issue of the SecureMyi Security Newsletter, I presented an article on how a simple flaw in the creation of a User Profile could render the profile as vulnerable to being "hijacked". The article presented here will provide you with a tool that will allow you to enforce strict policy on the creation of User Profiles so that newly created profiles will not be subject to that User Profile simple flaw.

IBM has established and documented an "Exit Point" for the Create User Profile operation. An exit point is a place in the process in which you can include your own custom logic (i.e. an exit program) to perform additional tasks. In this article we will examine adding your own logic to the Create User Profile process.

There are two operations that must be performed when implementing any exit program. The first is to create the exit program, the second is to register your exit program with the operating system, which "turns ON" your custom logic. We'll discuss how to perform both of these steps.

The Exit Program

The exit program can be written in just about any language: CLP, CLLE, CLE, RPG, RPGLE, CBL, etc. It can be an ILE(Integrated Language Environment) program or an OPM(Original Program Model) program.

In this sensitive task of adding logic to the Create User Profile operation, you'll want to make sure that the exit program is secured against potential abuse. Only give *USE authority to those users that create your user profiles, *PUBLIC authority should be set to *EXCLUDE.

The exit program runs within the same job as the Create User Profile function. So the current user of the job that is creating a new user profile will also be the user running the exit program. and so must have authority to the program.

When Using Adopted Authority to Create User Profiles

Some organizations do not assign powerful special authorities to the users that create and maintain User Profiles. Instead, they use an adopted authority scheme which allows the users to temporarily assume the authority of a more powerful user through an operating system feature called Program Adoption of Authority.

One important technical issue about your Create User Profile exit program is that if the job that is creating the new user profile is running under adopted authority, that adopted authority is NOT passed to the exit program.

So, if your Create User Profile exit program is going to perform sensitive operations,(e.g., change the new user's password, change the owner of the profile, registering the user in the distribution directory), the exit program itself must adopt the authority of a powerful "Security Officer" type user profile. To accomplish this, change the owner (CHGOBJOWN) of the exit program to QSECOFR(or other powerful user) and specify the USRPRF(*OWNER) parameter on the CRT**PGM command that is used to create the exit program. These actions will cause your exit program to temporarily adopt the authority of the powerful user profile, supplying the ability to perform actions that would otherwise be restricted.

(Note: If your users that create user profiles have powerful "Security Officer" type user profiles, you do not to be concerned about the adopted authority issues presented here. This is only for cases in which adopted authority is being used to provide access to the Create User Profile function.)

Read More . .

In This Issue


Featured Article - Create User Profile Exit

Featured Video - Virus Worms Malware?

Security Shorts - Who's in that Group?

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives


Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter
Follow SecureMyi on LinkedIn=
Follow SecureMyi on YouTube


Software from Cilasoft


Security software from Powertech

Featured YouTube Educational Video

IBM i Security

Is the IBM i Vulnerable to Virus, Worms and other Malware?

Featured Video - IBM i Security - Is the IBM i Vulnerable to Virus, Worms and other Malware?

Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file
Security news and Events


Security Related News for IBM i

Skyview Partners Announce "Deep Dive" Security Training for IBM i - Las Vegas, NV
Skyview Partners announces its Annual "Deep Dive" Security Training for 2015.
Skyview's own Carol Woodbury will be presenting this "Deep Dive" into IBM i Security. The Two-Day Training Event will be held in Las Vegas, NV on January 27 and 28th.

For More Information and to Register to Attend


Live Security Related Webcasts and Training for IBM i

November Events

An Introduction to PCI Compliance on IBM Power Systems
Live Webcast - Presented by Powertech
Wednesday, Nov 12 10:00am CT
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - Nov 17-21 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

December Events

Coffee with Carol: Using the "Newer Clients" for Accessing IBM i
      Good for Security or Not?
with Carol Woodbury and IBM's Tim Rowe

Live Webcast - Presented by Skyview Partners
Wednesday, Dec 3 9:30am CDT
More Information and Register to Attend

January Events

"Deep Dive" Security Training - Las Vegas NV
with Carol Woodbury

Live Two-Day Training Event - Presented by Skyview Partners
Location: The Mandarin Oriental Hotel in Las Vegas, NV
Dates: January 27 and 28.
More Information and Register to Attend





Skyview Partners




Skyview Partners
Training from The 400 School

Security Shorts

Who's in that Group? A Quick Look at Your Group Profiles

By Dan Riehl - SecureMyi.com

A member of a Group Profile inherits all authorities and special authorities from their group(s). In order to manage your groups, it's important to know what users are in those groups.

When you need a list of all the users who belong to a particular Group Profile, it's easy to get. Just use the DSPUSRPRF (Display User Profile) command as follows:

DSPUSRPRF USRPRF(GroupProfileName) TYPE(*GRPMBR)

For GroupProfileName, substitute the name of the Group Profile for which you want to list the Group members.

If you want a full system listing of members of all Group Profiles, and the members in each group, you can use the command DSPAUTUSR(Display Authorized Users) as follows:

DSPAUTUSR SEQ(*GRPPRF) OUTPUT(*PRINT)

For a nice GUI look into your users and groups, IBM i Navigator for Windows( aka Operations Navigator) provides the nicest presentation.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming



LIVE Training from The 400 School, Inc


Customized IBM i (iSeries, AS/400) Training -
    Presented Live at your offices


LIVE Online Hands-On Workshops

ILE RPG IV Programming
ILE COBOL Programming
Interactive Programming Workshops
System Operations Workshops
System Administration and Control
Security and Auditing Workshops
Control Language Programming
IBM i Concepts and Facilities
Query Workshop

Security Training from The 400 School

Send your IBM i Security and Systems Management News and Events!           Send your Questions, Comments, Tips and Stories

Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017