September 12, 2012 - Vol 2, Issue 16

Live Online Training from The 400 School


Monitor File Integrity - Powertech


Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Feature Article

Watch out for New Adopting Objects

By Dan Riehl

Adoption of authority is a technology we commonly use within IBM i to allow users to perform operations for which they do not have sufficient authority. For example, resetting a user's password requires a very high level of authority. We do not want to hand out this high authority level to every user that may need to reset a password. So, instead of making the users more powerful, we make a program that is more powerful by allowing the program to adopt, or "temporarily borrow", the authority of a powerful user.

When a program is created, the USRPRF parameter is used to specify that the created program will adopt authority. In the command CRTCLPGM(Create Control Language Program) you specify adopted authority by specifying the parameter USRPRF(*OWNER). Then, when the program is run, the program adopts the authority of the owner of the program, thus enabling the CL program to perform operations that the owner of the program is authorized to do, but the user running the program does not necessarily have the ability to do; like resetting a password, or restoring a library.

Since running a program that adopts authority can increase a user's capability, it is important to make sure that you know which programs adopt authority, and that you especially keep an eye on newly created programs that adopt.

In many cases, programs will adopt the authority of QSECOFR, or of some other very powerful profile. This is seen most often in vendor supplied software, but typically there will be several home-grown programs on your system that will adopt the authority of QSECOFR. You need to know what these home grown programs do, and why they adopt such a high level of authority. These adopting programs can be used as a "back-door" to to circumvent the security controls and file permissions that you have instituted to protect your system.

In order for you to keep track of adopting programs, IBM has supplied the command PRTADPOBJ(Print Adopting Objects). Adoption can occur within a program, a service program, or an SQL package.

When using the command PRTADPOBJ you print a list of adopting programs, and can select to only print the programs that adopt a specified user profile, like QSECOFR. You can also specify to print a list of programs that adopt the authority of any user profile.

The command also has a 'What's Changed?" feature, in which you can print only changes since the last run of the command.

Read More.

In This Issue


Featured Article - Watch Out! Adopting Objects

Security Shorts - Backup All Spooled Files

Industry News and Calendar

Security Resources

Quick Links


Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i?   Visit RZKH.de


Thank You! To Our Great Sponsors


Platinum Sponsor
      The 400 School, Inc


Gold Sponsor
      The PowerTech Group

      Skyview Partners, Inc

Sponsor
      Cilasoft Security Solutions

IBM i Security and Audit Resources

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1


PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter




Follow SecureMyi on YouTube









IBM i Security News Bytes

Linoma Announces Microsoft Server 2012 Certification

Linoma Software has announced its GoAnywhere suite of secure file transfer products has been certified to work with Microsoft Server 2012.

The GoAnywhere suite is comprised of GoAnywhere Director, GoAnywhere Services and GoAnywhere Gateway. More Information from Linoma.





IBM i Security Calendar of Events



Live Security Related Webcasts and Training for IBM i

Five Must-Do User Profile Management Tasks
iPro Developer Webcast - Featuring Pat Botz - Sponsored by Enforcive
Wednesday, September 12 12:00 PM EDT
More Information and Register to Attend


Secure Managed File Transfer: Meeting Compliance Regulations
Live webcast - Sponsored by Townsend Security
Wednesday, September 12 1:00 PM EDT
More Information and Register to Attend


5 Steps for Implementing Role-based Access on the IBM i
Live webcast - Featuring Carol Woodbury - Sponsored by Skyview Partners
Wednesday, September 20 11:00 AM EDT
More Information and Register to Attend


Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - November 13-16 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend





Monitor File Integrity - Powertech





Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Training from The 400 School

Security Shorts -

Get a Full Backup of ALL of your Spooled Files

By Dan Riehl

Since V5R4 we have had the capability to save the spooled file reports residing in our output queues. Prior to V5R4, when you saved an output queue, or saved a library containing output queues, only the output queue object itself was saved, not the contents(the spooled file reports) in the output queue.

Since the V5R4 upgrade, many of us have not updated our backup routines to take advantage of this new support. Instead, when we save a library or an output queue, we still only save the output queue object, but not the spooled files contained in the output queue.

The following command saves all objects in the PRODLIB library, including all the spooled files in all the output queues that reside in the library:

SAVLIB LIB(PRODLIB) DEV(TAP01) SPLFDTA(*ALL)

When you do a SAVLIB(Save Library) or SAVOBJ(Save Object) command, you must specify SPLFDTA(*ALL) in order to save the spooled files in the saved output queues. The parameter SPLFDTA(*ALL) is the key to saving the spooled files.

I encourage you to update your backup routines to begin saving your spooled files. But, perhaps you are using the IBM supplied SAVE menu to perform your backups, and not a home grown backup program. Or perhaps your vendor supplied backup software does not give you the option to save your spooled files. If that is the case, then here is a simple solution. Below is the source code for a Control Language program you can use that will save all of the output queues on your system and will save all of the spooled files in those output queues. This would be a nice program to add to your weekly backup routine.

Note: In this program you must replace 'TAP02' with the name of your backup device.


            PGM        /* Save Spooled Files  */       
            DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)     
            DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)   
            DCL        VAR(&MSGFLIB) TYPE(*CHAR) LEN(10)          
            DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(100)          
            DCLF       FILE(QADSPOBJ)                             
                                                                   
            MONMSG     MSGID(CPF0000) EXEC(GOTO ERROR)            
                                                                 
            DSPOBJD    OBJ(*ALL/*ALL) OBJTYPE(*OUTQ) +            
                         OUTPUT(*OUTFILE) OUTFILE(QTEMP/QADSPOBJ) 
                                                                   
            OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ)      
                                                                   
LOOP:       RCVF                                                  
            MONMSG     MSGID(CPF0864) EXEC(GOTO CMDLBL(ENDIT))    
                                                                   
            SAVOBJ     OBJ(&ODOBNM) LIB(&ODLBNM) DEV(TAP02) +     
                         OBJTYPE(*OUTQ) SPLFDTA(*ALL)      
                                                                   
            GOTO LOOP                                                       
                                                                             
ENDIT:      RETURN                                                         
                                                                             
ERROR:      RCVMSG     MSGTYPE(*LAST) MSGDTA(&MSGDTA) MSGID(&MSGID) +       
                         MSGF(&MSGF) SNDMSGFLIB(&MSGFLIB)                   
            MONMSG     CPF0000 /* Just in case */                           
            SNDPGMMSG  MSGID(&msgid) MSGF(&msgflib/&msgf) MSGDTA(&msgdta) + 
                         MSGTYPE(*ESCAPE)                                   
            MONMSG     CPF0000 /* Just in case */                           
                                                                             
            ENDPGM                                                                 

When it comes time to recover a deleted spooled file, or an entire output queue, you can use the command RSTOBJ(Restore Object) to restore the saved output queue, including the spooled files.


Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming


Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts


Now Accepting Credit Cards

IBM i Security Workshop Nov 13-16
Concepts & Control Language Oct 15-19
System Administration & Control Nov 5-9
Operations Workshop Oct 22-24
Expanded Operations Workshop
Oct 22-26




Send your IBM i Security Related News and Events!           Advertise in SecureMyi.com Security Newsletter

Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017