SecureMyi.com Security and Systems Management Newsletter for the IBM i             August 13, 2014 - Vol 4, Issue 13
Feature Article

Restricting Access to the System Request Function - Why?

By Dan Riehl - SecureMyi.com

The IBM 5250 keyboard layout used by IBM i defines a special keyboard key as the System Request (SYSREQ) key. Technicians use this key to perform various tasks including canceling a previous request, displaying information about the current job, sending messages, displaying the QSYSOPR message queue, etc.

While the SYSRQS key does provide some great capabilities for programmers and operations technicians, in the hands of a dishonest or unwitting user, the use of the key can be the cause of some real problems.

In this article I'll first discuss the vulnerabilities and problems inherent in the SYSRQS key, followed by instructions on how to restrict access to the key to prevent its use. I highly encourage you to consider locking down the SYSRQS function to only those users who have a demonstrated need to use the function.

Here is a snapshot of the System Request menu.


                            System Request                                 
                                                     System:   MYSYSTEM 
 Select one of the following:                                                   
                                                                                
      1. Display sign on for secondary job                                      
      2. End previous request                                                   
      3. Display current job                                                    
      4. Display messages                                                       
      5. Send a message                                                         
      6. Display system operator messages                                       
      7. Display work station user                                              
                                                                                
     80. Disconnect job                                                         
                                                                                
     90. Sign off                                                               
                                                                         
 Selection __                                                                     
                                                                                
                                                                                
 F3=Exit   F12=Cancel                                                           


What are Some of the Main Exposures?

The SYSRQS key can be used to acquire a full list of your application libraries and database files, along with the description of each database file, e.g. PAY001P - Payroll Master File.

And, in a little-known hacking exploit, the SYSRQS key can easily be used to enumerate all of the users enrolled on the system.

Security news and Events


Industry News for IBM i Security

Kisco Announces New Release of Password Reset for IBM i
Kisco Information Systems has announced Release 2 of iResetMe which is an end-user password reset utility that addresses the issue of re-activating disabled and expired profiles.



Live Security Related Webcasts and Training for IBM i

August Events

Live Hands-On - IBM i System Administration and Control Workshop
with Dan Riehl

Training Workshop - Aug 18-22 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.

IBM i Encryption in a Snap!
Live Webcast - By IBM Systems Magazine - Sponsored by Enforcive
Thursday, August 21 1:00 pm CDT


September Events

Live Hands-On - Expanded Security Workshop for IBM i, iSeries AS/400
with Dan Riehl

Training Workshop - Sep 8-11 - Presented by The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.


Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop
with Dan Riehl

Training Workshop - Sep 25-26 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.






Security Shorts

When was your last SAVSYS, SAVCFG, SAVSECDTA?

By Dan Riehl - SecureMyi.com

Backup and Recovery is an area that is critical to the security and integrity of our systems. If someone accidentally wipes out a file, or in the event of a large scale disaster, it's critical we have all of the pieces needed to recover the file, or the entire system.

We typically have a pretty good handle on when we last backed up our User Libraries, our Document Library objects, and the root '/' file system. But what about the last save of the operating system? And what about our user profiles and security data and our system configuration objects? When was that data last backed up? And what tape or other media contains the last backup?

When we save a library using the SAVLIB command, objects are marked with the save date and save device information, as long as we specify UPDHST(*YES). But when we save the operating system, the objects that are saved are not marked with the save information. The same is true when we save user profiles and configuration data. The saved objects are not updated with the last save date.

IBM has supplied some special purpose data areas in the QSYS library that are updated with the save date and save device information when we perform certain save operations.

When we save our security data (including user profiles) using the command Save Security Data (SAVSECDTA), the special data area QSAVUSRPRF in QSYS is updated to reflect the save date and time and save device information.

Below is a list of various SAVE commands and the associated QSYS data area. Upon execution of the command, the data area is updated.

Save Command          Data Area Updated
SAVCFG                QSAVCFG
SAVLIB *ALLUSR        QSAVALLUSR
SAVLIB *IBM           QSAVIBM
SAVLIB *NONSYS        QSAVLIBALL
SAVSECDTA             QSAVUSRPRF
SAVSTG                QSAVSTG
SAVSYS                QSAVSYS, QSAVUSRPRF, QSAVCFG
SAVSYSINF             QSYSINF

Viewing the Last Save Date and Device

To view the last save information, you display the object description (DSPOBJD) of the data area; you do not display the content of the data area. You can start with the command Work with Objects (WRKOBJ), as shown here:

WRKOBJ OBJ(QSYS/QSAV*) OBJTYPE(*DTAARA)

This command allows you to work with all the data areas in the QSYS library that start with the characters QSAV. This results in the following display:

      
                                Work with Objects                                
                                                                                
 Type options, press Enter.                                                     
   2=Edit authority        3=Copy   4=Delete   5=Display authority   7=Rename   
   8=Display description   13=Change description                                
                                                                                
 Opt  Object      Type      Library     Attribute   Text                        
  _   QSAVALLUSR  *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVCFG     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVIBM     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVLIBALL  *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVSTG     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  _   QSAVSYS     *DTAARA   QSYS                    S/R DIRECTORY INFO FOR SAVE 
  8   QSAVUSRPRF  *DTAARA   QSYS                    S/R DIRECTORY INFO FOR REST 

Place option 8 (DSPOBJD) next to one of the data areas. In the example, we chose QSAVUSRPRF to see when we last saved our security data (including user profiles). Scroll through the resulting list to see the last Save Date and Save Volume.

If you simply want to examine one of the special SAVE data areas, you can use the command DSPOBJD. Here's an example that can be used to display the information on the last time we did a SAVSECDTA.

DSPOBJD OBJ(QSAVUSRPRF) OBJTYPE(*DTAARA)
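
To check every data area from the table in one pass instead of paging through DSPOBJD screens, the CL program below retrieves the save history with RTVOBJD and writes one line per data area to the job log. It is an added example, not code from the original newsletter; the program layout, variable names and message wording are assumptions.

```cl
/* Added example: report last-save history for the QSYS save data areas */
PGM
  DCL VAR(&DTAARA)  TYPE(*CHAR) LEN(10)
  DCL VAR(&SAVDATE) TYPE(*CHAR) LEN(7)   /* CYYMMDD, blank if never saved */
  DCL VAR(&SAVTIME) TYPE(*CHAR) LEN(6)   /* HHMMSS */
  DCL VAR(&SAVDEV)  TYPE(*CHAR) LEN(10)
  DCL VAR(&SAVVOL)  TYPE(*CHAR) LEN(71)
  DCL VAR(&MSG)     TYPE(*CHAR) LEN(132)

  /* One call per data area named in the table above */
  CHGVAR VAR(&DTAARA) VALUE('QSAVCFG')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSAVALLUSR')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSAVIBM')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSAVLIBALL')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSAVUSRPRF')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSAVSTG')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSAVSYS')
  CALLSUBR SUBR(REPORT)
  CHGVAR VAR(&DTAARA) VALUE('QSYSINF')
  CALLSUBR SUBR(REPORT)
  RETURN

  SUBR SUBR(REPORT)
    /* Save history lives in the object description, not the data area content */
    RTVOBJD OBJ(QSYS/&DTAARA) OBJTYPE(*DTAARA) SAVDATE(&SAVDATE) +
              SAVTIME(&SAVTIME) SAVDEV(&SAVDEV) SAVVOL(&SAVVOL)
    MONMSG MSGID(CPF9801) EXEC(DO)       /* data area not found */
      CHGVAR VAR(&MSG) VALUE(&DTAARA *BCAT 'not found in QSYS')
      SNDPGMMSG MSG(&MSG)
      RTNSUBR
    ENDDO
    /* A blank save date means that save has never been recorded */
    IF COND(&SAVDATE *EQ ' ') THEN(CHGVAR VAR(&MSG) +
         VALUE(&DTAARA *BCAT 'has no save history recorded'))
    ELSE CMD(CHGVAR VAR(&MSG) VALUE(&DTAARA *BCAT 'saved' *BCAT +
         &SAVDATE *BCAT &SAVTIME *BCAT 'dev' *BCAT &SAVDEV *BCAT +
         'vol' *BCAT %SST(&SAVVOL 1 20)))
    SNDPGMMSG MSG(&MSG)
  ENDSUBR
ENDPGM
```

Note that QSYSINF does not match the generic name QSAV* used in the WRKOBJ command above, so it has to be checked by name.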

While We're Here: Where IS Your SAVSYS?

While we're here discussing saving the system and its different pieces, check to make sure you're routinely saving your user profiles and system configuration data. Also check to make sure you have a good SAVSYS backup media handy. You probably did a SAVSYS operation the last time you made a major change to the operating system, like an OS upgrade, or after applying a cumulative PTF package.

If you don't have these backups available (SAVSYS, SAVSECDTA, SAVCFG), plan to do the needed backups as soon as you can. You don't want to be stuck in a recovery scenario needing to go back to the original IBM distribution media. That would be a disaster on top of a disaster.



Copyright 2014 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017