November 22, 2011 - Vol 1, Issue 4
Townsend Security - Automatic Encryption - NIST Certified for IBM i




Security Workshop and Operations Workshops presented by The 400 School, Inc and SecureMyi.com

Feature Article

Customizing the IBM 'Create User Profile' Process
by Adding Your Own Logic

By Dan Riehl

When creating user profiles on the IBM i, whether through a Control Language command like Create User Profile (CRTUSRPRF) or through the IBM i Navigator for Windows interface, you have the option to include your own customized processing after the profile is created.

IBM has established and documented an "exit point" for the Create User Profile operation. An exit point is a place in the process where you can include your own custom logic (an exit program) to perform additional tasks, in this case when a user profile is created.

Here are some examples of useful functions that can be performed in the Create User Profile exit program:

  • Change the owner of the newly created user profile to QSECOFR
  • Add the user to the System Distribution Directory (WRKDIRE, ADDDIRE)
  • Send the information about the new user profile to another system
  • Set the new password and password expiration interval to a mandated initial value and set the status and other profile attributes. (You can set any user profile attribute in the exit program.)
  • Create a current library and home directory for the new user
  • Add the user to your own Business Application Menu system

Over the years I have advocated that all user profiles we create should be owned by QSECOFR and that no user should hold private authorities to other users' profiles.

The October 25th issue of the SecureMyi Security Newsletter presented a YouTube video that explains the vulnerabilities that arise when your user profiles are not secured correctly and not owned in accordance with best security practices for IBM i.

Presented here is a simple program that can be used as an exit program that will enforce the policy that all newly created user profiles will be owned by QSECOFR. You can add your own logic and rules as needed to support your policy.
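The following CL program is an added example written for this newsletter issue to show the shape of such an exit program; it is not IBM-supplied code and not the program the article goes on to present. It relies on IBM's documented CRTP0100 parameter format for exit point QIBM_QSY_CRT_PROFILE. The program name CRTPRFEXIT, the library SECLIB and the optional PWDEXP rule at the end are assumptions for illustration.

```cl
/* CRTPRFEXIT - exit program for exit point QIBM_QSY_CRT_PROFILE,  */
/* format CRTP0100.  Added example; not IBM-supplied code.         */
/* The system passes one parameter, the CRTP0100 structure:        */
/*   positions  1-20  exit point name                              */
/*   positions 21-28  exit point format name (CRTP0100)            */
/*   positions 29-38  name of the user profile just created        */
             PGM        PARM(&EXITINFO)
             DCL        VAR(&EXITINFO) TYPE(*CHAR) LEN(38)
             DCL        VAR(&USRPRF)   TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGID)    TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSGDTA)   TYPE(*CHAR) LEN(100)

             CHGVAR     VAR(&USRPRF) VALUE(%SST(&EXITINFO 29 10))

/* Site policy: every new profile is owned by QSECOFR, and the     */
/* administrator who created it keeps no private authority to it   */
/* (CUROWNAUT(*REVOKE) removes the previous owner's *ALL).         */
             CHGOBJOWN  OBJ(&USRPRF) OBJTYPE(*USRPRF) +
                          NEWOWN(QSECOFR) CUROWNAUT(*REVOKE)
             MONMSG     MSGID(CPF0000) EXEC(DO)
                RCVMSG     MSGTYPE(*EXCP) MSGID(&MSGID)
                CHGVAR     VAR(&MSGDTA) +
                             VALUE('CRTPRFEXIT: owner change for' +
                               *BCAT &USRPRF *BCAT 'failed with' +
                               *BCAT &MSGID)
/* The profile already exists at this point, so report loudly      */
/* rather than fail quietly.                                       */
                SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                             MSGDTA(&MSGDTA) TOMSGQ(QSYSOPR)
             ENDDO

/* Any other mandated initial value goes here.  Assumed site rule: */
/* force a password change at first sign-on.                       */
             CHGUSRPRF  USRPRF(&USRPRF) PWDEXP(*YES)
             MONMSG     MSGID(CPF0000)

             ENDPGM

/* Installation (assumed names).  The exit program runs in the job */
/* that ran CRTUSRPRF, and CHGOBJOWN to QSECOFR needs authority    */
/* that ordinary administrators do not have, so the program adopts */
/* its owner's authority and is owned by QSECOFR:                  */
/*   CRTCLPGM  PGM(SECLIB/CRTPRFEXIT) SRCFILE(SECLIB/QCLSRC) +      */
/*               USRPRF(*OWNER)                                    */
/*   CHGOBJOWN OBJ(SECLIB/CRTPRFEXIT) OBJTYPE(*PGM) NEWOWN(QSECOFR) */
/*   ADDEXITPGM EXITPNT(QIBM_QSY_CRT_PROFILE) FORMAT(CRTP0100) +    */
/*               PGMNBR(1) PGM(SECLIB/CRTPRFEXIT)                  */
```

Because the program adopts QSECOFR authority, keep its source and object under change control and check the registration with WRKREGINF EXITPNT(QIBM_QSY_CRT_PROFILE) after installing it. Test by creating a throw-away profile and confirming with DSPOBJAUT OBJ(newprofile) OBJTYPE(*USRPRF) that the owner is QSECOFR and that the creating administrator no longer appears with a private authority.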

Read More.

In This Issue

Featured Article - Customize CRTUSRPRF

Featured Video - Using Authorization Lists

Security Shorts - Watch out for CHGPRF!

Industry News and Calendar

Security Resources


Quick Links

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home and Archives



Please Visit Our Sponsors


Platinum Sponsor
      Townsend Security


Gold Sponsors
      Vault 400

      Skyview Partners, Inc.

      The 400 School, Inc.

IBM i Security and Audit Resources

Free Security Videos from Securemyi.com

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification






Carol Woodbury gives you seven quick tips for passing your audit. Download her white paper now! Brought to you by SkyView Partners



Are you stuck in the 70s with your tape backup solution? Go to Vault 400 and check out the modern alternative.

IBM i Security News Bytes

Arpeggio Software
Arpeggio Introduces IBM i Security Monitoring Solutions
Arpeggio Software, a provider of security software solutions for the IBM i, announces the release of SIFT-IT Free Edition. The SIFT-IT family of software enables companies to monitor the IBM i for important events and take action in real time.


The 400 School, Inc. and SecureMyi.com
Live Online Security Workshop from The 400 School and SecureMyi.com
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i
Jan 17-20, 2012. Very limited seating. Register early to reserve your seat in the class.



IBM i Security Calendar of Events

Live Security Webcasts for IBM i

Maintaining PCI 2.0 Compliance—Infrastructure required for PCI continuity
with Mel Beckman - Sponsored by Enforcive
Thursday, December 1, 2011 12:00 p.m. ET / 9:00 a.m. PT
More Information and Register to Attend

Automating IBM i Security Administration Tasks including Compliance
with Carol Woodbury - Sponsored by Skyview Partners
Wednesday December 7, 2011 11:00 a.m. ET / 8:00 a.m. PT
More Information and Register to Attend


More Security Events

Jan 17-20 - The 400 School - Live Online Security Workshop

May 6-9 - COMMON-A User Group - Annual Conference and Expo - Anaheim, CA






Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security, and be entered to Win a $500 Best Buy Gift Card!

Featured YouTube Educational Video

IBM i Security - Common Misconceptions - Using Authorization Lists


Cannot Access YouTube from your office? Download the video in wmv format.   Click to Download the wmv file

Security Shorts - Watch out for CHGPRF!

Did you know that your end users and IT staff members can change their own user profile?

Just as users can run the CHGPWD (Change Password) command to change their own password, they can run the CHGPRF (Change Profile) command to change their own user profile.

Many user profile attributes can be changed with this command. The security-critical ones, such as the group profile, supplemental group profiles, special authorities, user class, password and limit capabilities, cannot. But that is little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program and more.

The CHGPRF command ships from IBM with *PUBLIC authority of *USE, so it is available for general use. As you might expect, the user must have at least *USE authority to the initial program, menu, job description, attention program, current library, etc. that they name in order to make those kinds of changes.

Certain parameters of the CHGPRF command are sensitive to the LMTCPB (Limit capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(*PARTIAL), they cannot change their initial program, current library or attention key handling program. They can, however, change their initial menu and all the other attributes. If the user is LMTCPB(*YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes, such as job description, user options, output queue, printer and even the textual description of their user profile.

You may be thinking that this is not really such a big deal, since the only people on your system who can run this command are IT folks and a limited number of users who have access to a command line. Users defined as LMTCPB(*YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But any user who has IBM i Access (Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as opening a Windows command prompt (the DOS prompt) and running:

RMTCMD CHGPRF INLMNU(MAIN) JOBD(QGPL/HIGHPRI) TEXT('I am so cool')

RMTCMD.exe on the PC does not pay any attention to the LMTCPB attribute of the user running the command; the user can run any command to which they are authorized. And since RMTCMD is an integral part of IBM i Access, you cannot simply remove it from all your PCs. It's best to write or buy an exit program for the remote command server (exit point QIBM_QZRC_RMT) that controls this type of activity. Object authority to the command itself, on the other hand, is checked no matter which interface submits it, which is what the recommendation below relies on.

My recommendation to you is to change the object authority of the CHGPRF command to *PUBLIC AUT(*EXCLUDE). To make that change, you can use either the EDTOBJAUT (Edit Object Authority) command or the GRTOBJAUT (Grant Object Authority) command. Before you do, grant *USE to the administrators or help-desk group that legitimately needs the command, and remember that users with *ALLOBJ special authority are unaffected by the change.
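The commands below are an added example for this issue (not part of the original Security Short) showing the lock-down as it would be typed on the system: record the current authority, remove *PUBLIC access, then hand the command back to the people who administer profiles. SECADMIN is an assumed group profile name; substitute your own.

```cl
/* Added example, not from the article: take CHGPRF out of general  */
/* use and grant it back only to the security administrators.       */
/* SECADMIN is an assumed group profile name.                       */

/* 1. Record who can use the command today, before changing it.     */
             DSPOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) OUTPUT(*PRINT)

/* 2. Remove *PUBLIC access.  This is enforced for CHGPRF whether   */
/*    it arrives from a command line, a menu option or RMTCMD.      */
             GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) +
                          USER(*PUBLIC) AUT(*EXCLUDE)

/* 3. Let the administrators' group keep using it.  Users who hold  */
/*    *ALLOBJ special authority are not affected by steps 2 or 3.   */
             GRTOBJAUT  OBJ(QSYS/CHGPRF) OBJTYPE(*CMD) +
                          USER(SECADMIN) AUT(*USE)
```

To verify, sign on as an ordinary user and run RMTCMD CHGPRF TEXT('test') from a PC; it should now fail with a not-authorized message, while a member of SECADMIN can still run it.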


Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts


Now Accepting Credit Cards

Introduction to COBOL for IBM i - Dec 5-9
System Operations Workshops - Dec 12-16
Interactive RPG IV Programming - Jan 9-13
Expanded Security Workshop - Jan 17-20
Interactive COBOL Programming - Jan 23-27


Where else will you Find LIVE training in COBOL for the IBM i, iSeries and AS/400?  The 400 School, Inc.

Send your IBM i Security Related News and Events!           Advertise in SecureMyi.com Security Newsletter

Copyright 2011 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017