SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - October 15, 2018 - What is 'User Limited Capability', Really??

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i Issue Date: October 15, 2018

	Feature Article Just what is 'User Limited Capabilities'? Really?? By Dan Riehl - SecureMyi.com In speaking to many security analysts over the years, it is obvious that there is a BIG Disconnect on what the "Limited Capabilities" attribute of the user profile actually does. In this article, I hope to dispel these potentially dangerous misconceptions. In this October 15, 2018 issue of the SecureMyi Security Newsletter, the featured YouTube Video presents a video discussion of this important topic. What IS Limited Capabilities? System users can gain access to the IBM i shell command line through various IBM-supplied screens, including most IBM menus, the Work with Spooled Files (WRKSPLF) command display, the Work with User Jobs (WRKUSRJOB) command display, and numerous other commands and facilities. Allowing users to access a command line can be very dangerous; for example, you don't want users running commands like DLTF CUSTOMER, which would delete your Customer file. A user who has command line access can run any CL command that he or she is authorized to run at the command line interface. IBM allows you to control the ability of a user to run CL commands at a command line by specifying the LMTCPB(Limit Capabilities) attribute of the user profile. To create a user that has limited command line capabilities, you use the CRTUSRPRF(Create User Profile) command as shown here: *CRTUSRPRF... LMTCPB(YES)** The common misconception regarding users with limited capabilities( i.e. LMTCPB(YES) ) is that we think that these users cannot run any ad-hoc CL command, such as WRKSPLF* or DLTF CUSTOMER But, in reality, a user with limited capabilities CAN run CL commands using several methods which we will discuss in this article. Did you know that IBM ships certain CL commands with a special command attribute that specifies that Limited Capability users are allowed to run the command at a shell command line. These commands include: Sign Off (SIGNOFF) Send Message (SNDMSG) Display Messages (DSPMSG) Display Job (DSPJOB) Display Job Log (DSPJOBLOG) Work with Messages (WRKMSG) The Command Attribute ALWLMTUSR You can examine the command definition of a CL command using the command DSPCMD(Display Command). To examine the command DSPMSG(Display Message), you could use the following command. DSPCMD DSPMSG On the resulting display you will see that the command attribute named ALWLMTUSR (Allow Limited Users) is set to the value YES. This setting means that the DSPMSG* command can be used by Limited Capabilities users from the command line. All of the commands in the list above are shipped from IBM with the value *ALWLMTUSR(YES). Generally, all other CL commands are shipped as ALWLMTUSR(NO), prohibiting the use of the commands at the command line by Limited Capabilities users. Each CL command contains the ALWLMTUSR* attribute, but almost all commands have the attribute set to NO, meaning "Do Not allow Limited Capabilities Users to run the command at a command line." This is the system's default value for all newly created commands. But, as a system administrator, you can change any CL command that can be run at the command line to allow limited users to also run the command at the command line. This change is accomplished using the CL command CHGCMD(Change Command), as in the following example: CHGCMD CMD(WRKSPLF) ALWMLMTUSR(YES) Running this command changes the IBM supplied CL command WRKSPLF*(Work with Spooled Files) to allow Limited Capabilities users to run this command at a command line. Often third-party software will install new CL commands that are set to allow limited users to run the commands with ALWMLMTUSR(YES). It's wise to examine any newly created commands to make sure that limited users cannot run the new commands. *Read More for the details*

In This Issue Featured Article - Limited Capabilities? Featured Video - Limited Capabilities?? Security Shorts - Audit The Job Scheduler Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc	IBM i Security Resources IBM Security Incident Response BLOG IBM i Security Videos - from SecureMyi SecureMyi Newsletter Archives Search Security for IBM i - SecureMyi IBM i Security Reference - 6.1 IBM i Security Reference - 7.1 IBM i Security Reference - 7.2 IBM i Security Reference - 7.3 QAUDJRN Journal Entry Types 7.3 QAUDJRN Entry Layout 7.2 QAUDJRN Entry Layout 7.3 QAUDJRN Entries by AUDLVL 7.2 QAUDJRN Entries by AUDLVL 7.3 RedBook - Security Guide for IBM i 6.1 National Vulnerability Database - NIST PCI Security Standards Council COBIT - ISACA HIPAA Resources EU GDPR Information Portal CISSP - Certification
Featured YouTube Educational Video IBM i Security Misconceptions on User Limited Capabilities LMTCPB(*YES)
Live Security Related Webcasts and Training for IBM i October Events Live Hands-On - IBM i, iSeries System Operations Workshop with Dan Riehl Training Workshop - October 22-24 - Presented by The 400 School, Inc. Dan Riehl presents this 3-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i, iSeries Expanded System Operations Workshop with Dan Riehl Training Workshop - October 22-26 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i, iSeries Programming Introduction Workshop Concepts and Facilities with Dan Riehl Training Workshop - October 29 - November 2 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend November Events Live Hands-On - IBM i, iSeries System Administration and Control Workshop with Dan Riehl Training Workshop - November 5-9 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i, iSeries Concepts and Facilities with Control Language Programming Workshop with Dan Riehl Training Workshop - November 26 - 30 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend December Events Live Hands-On - Introduction to ILE RPG IV Programming Workshop with Dan Riehl Training Workshop - December 3-7 - Presented by The 400 School, Inc. Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i, iSeries System Operations Workshop with Dan Riehl Training Workshop - December 10-12 - Presented by The 400 School, Inc. Dan Riehl presents this 3-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop with Dan Riehl Training Workshop - December 13-14 - Presented by The 400 School, Inc. Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - IBM i, iSeries System Administration and Control Workshop with Dan Riehl Training Workshop - December 17-21 - Presented by The 400 School, Inc. Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend

Security Shorts Auditing Job Schedule Changes By Dan Riehl - SecureMyi.com A while ago I received an urgent call from a security services customer. Someone had added an entry to the IBM i job scheduler(WRKJOBSCDE) that caused all user profiles to be DISABLED after ONE day of inactivity. Obviously, several user profiles became disabled. The job schedule entry for this activity is named QSECIDL1, and is added to the job schedule when the command ANZPRFACT(Analyse Profile Activity) is run. This option is available from the SECTOOLS menu. It should be noted that several of the SECTOOLS menu options update entries on the job schedule. The IBM i job scheduler is implemented as an object named QDFTJOBSCD. The object type is JOBSCD. The JOBSCD object type has limited interfaces and does not store the actual schedule in a database file. So, to track changes to the Job Scheduler, you cannot monitor a database file, instead you can audit for update access to the job schedule object using the command: CHGOBJAUD (QUSRSYS/QDFTJOBSCD) OBJTYPE(JOBSCD) OBJAUD(CHANGE)* When this command is used, any update access to the job schedule will generate a journal entry in the QAUDJRN journal. The journal entry type is ZC (Object accesed for change). In addition to auditing the job schedule object, you may also want to start auditing the Control Language commands that are used to manipulate the job schedule. *CHGOBJAUD (QSYS/ADDJOBSCDE) OBJTYPE(CMD) OBJAUD(ALL)* *CHGOBJAUD (QSYS/CHGJOBSCDE) OBJTYPE(CMD) OBJAUD(ALL)* *CHGOBJAUD (QSYS/RMVJOBSCDE) OBJTYPE(CMD) OBJAUD(ALL)* And start auditing specific CL commands that update the schedule, like: *CHGOBJAUD (QSYS/ANZPRFACT) OBJTYPE(CMD) OBJAUD(ALL)* When any of these commands are used, a journal entry is written to QAUDJRN. In this case the journal entry type is CD (Command string audit).		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi IT Security and Compliance Group In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Software Selection & Configuration Security and Systems Programming General Security and System Assistance LIVE Training from The 400 School, Inc Customized IBM i (iSeries, AS/400) Training - Presented Live at your offices LIVE Online Hands-On Workshops ILE RPG IV Programming RPG/400 and RPG III Programming ILE COBOL/400 Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Auditing Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2014-2018 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017