SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - August 14, 2013 - Dangers of Unsecured Spooled Files

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i August 14, 2013 - Vol 3, Issue 33

	Feature Article Pondering the Dangers of Unsecured Spooled Files By Dan Riehl - SecureMyi.com A "data leak" is defined in Wikipedia as "the intentional or unintentional release of secure information to an untrusted environment." It can also be called a "data spill" or "data breach." We are often deeply concerned about data leaking from our production database to the outside world. We often focus a great deal of effort on securing these precious data jewels we call files. But what about protecting the end result of these jewels—our printed reports? Our production reports consist of our precious data jewels, coordinated, manipulated, and cajoled into what becomes meaningful information in the form of a production report. If we consider our database files to be sensitive, then our printed reports, which present that file data in a readable, organized format, must be protected with as much or, dare I say, more due diligence. If your shop is like most, all, or almost all, output queues are left unsecured. For some strange reason, we assign JOBCTL special authority to our end users. The result of this JOBCTL assignment is that they can view and manipulate the reports generated by others. This is usually the root of the problem of data leakage via printed reports. A user with JOBCTL special authority can, with few exceptions, view and control any printed report on the system. Perhaps to avoid the potential of a data leak through a printed report, we configure the user accounts with the command line restriction LMTCPB(YES). As a further step, we don't present a menu option that allows them to view the spooled files of others. That's a nice solution, but there still can be alternative methods to view and leak the data in our sensitive reports. One such method is through the IBM i Navigator for Windows (a.k.a. Operations Navigator) Basic Operations tab. *Read More*
In This Issue Featured Article - Unsecured Spooled Files Security Shorts - Copying Authorities Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Need Access to an IBM i? Visit RZKH.de Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor The PowerTech Group Skyview Partners, Inc Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources John Earl Memorial Tribute IBM i Security Videos from SecureMyi.com SecureMyi Newsletter Home and Archives Search Security Site for IBM i and i5/OS IBM i Security Reference - IBM i 6.1 IBM i Security Reference - IBM i 7.1 QAUDJRN Audit Types By AUDLVL 6.1 QAUDJRN Entry Type Record Layout 6.1 RedBook - Security Guide for IBM i 6.1 Open Security Foundation - DataLoss DB PCI SSC Data Security Standards COBIT Framework - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Live Security Related Webcasts and Training for IBM i August Events 7 Habits Of Highly Secure Organizations Live Webcast - Presented by PowerTech Wednesday, August 21 1:00pm CDT More Information and Register to Attend Live Hands-On - Expanded Control Language Programming Workshop with Dan Riehl Full Length Training Workshop - August 19-23 Dan Riehl, Co-Author of the textbook Control Language Programming for the IBM i presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend September Events Live Hands-On - IBM i System Administration and Control Workshop with Dan Riehl Full Length Training Workshop - September 4,5,6 and 11,12 Dan Riehl presents this 5-Day Live Online Hands-on Workshop. More Information and Register to Attend COMMON 2013 Fall Conference and Expo Three Day Conference and Expo - September 9-11 Renaissance Grand St. Louis • St. Louis, Missouri More Information and Register to Attend October Events Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i with Dan Riehl Full Length Training Workshop - oct 2-3 Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Full Length Training Workshop - October 7-10 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend

Security Shorts Copying Authorities from one User to Another By Dan Riehl I always encourage administrators to use or create a special "owner" profile to own all of our production objects/ For example, instead of the Distribution application programs and files being owned by a conglomeration of programmers and other IT people, the objects should be owned by a special owning profile, like DSTOWNER. DSTOWNER is not a group profile, and it has no password, so it cannot be used to sign on. I also advise that certain system objects that we create, like User Profiles, be owned by QSECOFR. It might requires an extra step to assign the ownership to QSECOFR, but doing so avoids the problem of these objects being owned by IT staff members, who, as we all know, come and go. Creating a New User When a new user must be created on your system, it is usually rather straightforward. However, if you have fallen into the trap of assigning object authorities at the user profile level, it becomes much more difficult to create the new user. Let's say that you have a new system administrator and this new user needs to have the same authorities as an existing system administrator. You can easily copy the existing user profile to the new one. The Copy User profile option is available as Option 3 from the WRKUSRPRF(Work with User Profiles) display. But, copying a user profile in this way does not copy the private authorities of the original user. For example, if the existing user owns a collection of libraries or files, that existing user has ALL authority to those objects. How do we grant ALL authority to the new user. If the original user has private authorities, or ownership of 50 commands, 10 libraries, 200 files and a few job descriptions, you will need to grant all those same authorities to the new user. IBM has provided the tool to copy these authorities using the command GRTUSRAUT(Grant User Authority). When using the command GRTUSRAUT, make sure you are signed-on as QSECOFR or as an ALLOBJ user, otherwise, certain objects or authorities may be skipped. Copying the Authorities Here is a command that will copy the private authorities(including those granted through ownership) from OLDUSER to NEWUSER. GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER)* When you run this command, it would be best to submit it to batch, since it may take a long time to run. So use the command SBMJOB CMD(GRTUSRAUT USER(NEWUSER) REFUSER(OLDUSER)) Here is the IBM Documentation on GRTUSRAUT command.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops ILE RPG IV Programming ILE COBOL Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Auditing Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017