SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - April 24, 2013 - Mysteries of Restoring IBM i Spooled Files

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i April 24, 2013 - Vol 3, Issue 27

	Feature Article Mysteries of Restoring Output Queues and Spooled Files By Dan Riehl Since version 5.4 of the IBM i operating system, IBM has included the capability to natively save and restore spooled files. Previously, when an output queue object was saved, only the output queue object itself was saved. The spooled files within the output queue weren't saved and therefore couldn't be restored. Even today, unless you specify that you want to save the spooled files in your saved output queues, the spooled files aren't saved. Since 5.4, an output queue and its associated spooled files can be saved using standard save commands such as Save Library (SAVLIB) and Save Object (SAVOBJ). In the following example, I save an output queue named ADMIN5P to a save file by using the SAVOBJ command. On the command, I specify the parameter SPLFDTA(ALL). The SPLFDTA(ALL) parameter is what causes the spooled files to be saved. Had I not specified SPLFDTA(ALL), only the output queue object would be saved and not the associated spooled files. SAVOBJ OBJ(ADMIN5P) LIB(ADMIN5) DEV(SAVF) + OBJTYPE(OUTQ) SAVF(DANWORK/DANTEST1) SPLFDTA(ALL) I display the contents of the save file by using this command: DSPSAVF FILE(DANWORK/DANTEST1)** I then see the resulting display showing the saved ADMIN5P output queue. Display Saved Objects Library saved . . . . . . . : ADMIN5 Type Options, press Enter. 5=Display Opt Object Type Attribute Owner Size (K) Data 5 ADMIN5P OUTQ DANRIEHL 96 YES Once the Output Queue and Spooled files are saved, it is quite mysterious how the restore process works. It's not as one would expect.* Read about the Mysteries of Restoring Spooled Files
In This Issue Featured Article - Restoring Spooled Files Security Shorts - The CHGPRF Command Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Skyview Partners, Inc Sponsor Townsend Security Cilasoft Security Solutions	IBM i Security Resources John Earl Memorial Tribute - Jan 2013 IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 Open Security Foundation - DataLoss DB PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
IBM i Security Calendar of Events Live Security Related Webcasts and Training for IBM i Top 10 Security and Compliance Considerations for Cloud Computing with Carol Woodbury Live Webcast - Presented by Skyview Partners Thursday, April 25 10:00am CDT More Information and Register to Attend Automatic Encryption with FIELDPROC on the IBM i with Patrick Townsend Live Webcast - Sponsored by Townsend Security Tuesday, April 30, 12:00 Noon CDT More Information and Register to Attend 10th Anniversary: PowerTech's "State of IBM i Security Study 2013" Live Webcast - Sponsored by PowerTech Robin Tatam, Director of Security Technologies for PowerTech, will reveal the latest results from a decade of ongoing research into the security configuration of IBM i. Wednesday, May 1, 1:00 PM CDT More Information and Register to Attend Live Hands-On IBM i Expanded Security Workshop for IBM i with Dan Riehl Full Length Training Workshop - May 7 - 10 Dan Riehl presents this 4-Day Live Online Hands-on Expanded Security Workshop. More Information and Register to Attend Live Hands-On IBM i Security Assessment Workshop for IBM i with Dan Riehl Full Length Training Workshop - May 21 - 24 Dan Riehl presents this 3.5-Day Live Online Hands-on Security Assessment Workshop. More Information and Register to Attend

Security Shorts - Watch out for the CL Command CHGPRF! By Dan Riehl Did you know that your end users and IT staff members can change their own user profile? Just like users can run the CHGPWD(Change Password) command to change their own password, they can run the CHGPRF(Change Profile) command to change their own user profile. Almost all user profile attributes can be changed using this command. Certain attributes like Group Profile and Supplemental Group Profile cannot be changed. But that's little consolation when we find that our end users can change their initial program, initial menu, current library, job description, attention program, etc. The CHGPRF command ships from IBM as PUBLIC use, so it is available for general use. As you might suspect, the user must have at least USE authority to the specified initial program, menu, job description, attention program, current library, etc. in order to make those kind of changes. Certain parameters of the CHGPRF command are sensitive to the LMTCPB(Limit capabilities) attribute of the user's profile. For instance, if the user is LMTCPB(PARTIAL), they cannot change their initial program, current library or attention key handling program. They can however change their initial menu and all the other attributes. If the user is LMTCPB(YES), they cannot change their initial program, initial menu, current library or attention key program, but they can change all the rest of their profile attributes like job description, user options, output queue, printer and even the textual description of their user profile. You may be thinking that this is not really such a big deal since the only people on your system that can run this command are IT folks and a limited number of users that have access to the command line. Users that are defined as LMTCPB(YES) cannot enter this command on a command line, and I doubt you would place this option on their menu. But, any user that has IBM i Access(Client Access) installed on their PC can use the RMTCMD command to run the CHGPRF command. It's as simple as going to a DOS prompt and running the command: RMTCMD CHGPRF JOBD(QGPL/HIGHPRI) TEXT('I am so cool')* The RMTCMD.exe on your PC does not pay any attention to the LMTCPB attribute of the user running the command. The user can run any command to which they are authorized. And, since RMTCMD is an integral part of IBM i Access, you cannot just remove it from all your PCs. It's best to write or buy an exit program for the remote command server that would control this type of activity. My recommendation to you is to change the object authority of the CHGPRF command to make it PUBLIC AUT(EXCLUDE). To make that change, you can use either the EDTOBJAUT(Edit Object Authority) command or the GRTOBJAUT(Grant Object Authority) command.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops Intro RPG IV Programming Intro RPG/400 Programming IBM i COBOL Programming Interactive Programming Workshops Introduction to System Operations Expanded System Operations Workshop System Administration and Control Expanded Security Workshop Control Language Programming IBM i Concepts and Facilities Concepts & Control Language Query Workshop

Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017