February 29, 2012 - Vol 2, Issue 5
Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!
Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

SEA Expert Webinar - Assessing Security of IBM i

Carsten's Security Code for IBM i

Controlling IBM Query/400 Output Files

Downloadable Source code included!

By Carsten Flensburg

Some time ago I needed a way to identify all of the files on the system that had been created as an output file from the IBM Query/400 product, a.k.a. IBM Query for i. The reason for my need to identify these query output files, was a requirement to allow query output files to only reside in specific libraries.

My research did not provide me with a conclusive answer but after consulting with Chuck R. Pence of IBM who knows Query/400 inside and out, I arrived at a criteria, that so far has been accurate in determining whether a file was created by the Query/400 product.

  • The specified file is a physical file.
  • The specified file is a data file, as opposed to a source file.
  • The specified file is externally described.
  • The total number of record formats defined for the file is 1.
  • The file is not an SQL table.
  • The file was not created by *IBM.
  • The file object specifies a blank source file member as its object creation source.

In this article I provide 2 utilities that can assist you in finding and controlling those files created with Query/400.

Utility 1 Locating Files created by Query/400

I have provided the source code for the CL program SEC100T. This program allows you to find all the files in a specified library that were created by Query/400. All files determined to have been created by Query/400 will cause a message to be sent to the message queue of the user running the program. Granted, it's not an elegant output option, but it does the job.

Utility 2 The VFYQRYOUTF(Verify Query Output File) command

The VFYQRYOUTF command is used to check a specific file to determine if it was created by Query/400. If the file was created by Query/400, the command return variable is set to 'Y'. This command is used in Utility 1, to determine which files were created by Query/400. You can examine the program SEC100T to see how the command is used within a CL program.

The VFYQRYOUTF command has the following appearance, when prompted:

                      Verify Query Output File (VFYQRYOUTF)                    
 Type choices, press Enter.                                                    
 File . . . . . . . . . . . . . .                 Name                         
   Library  . . . . . . . . . . .     *LIBL       Name, *LIBL, *CURLIB         
 CL var for QRYFIND       (1) . .                 Character value              

Read More and access the Source Code Download

In This Issue

Carsten's Security Code for IBM i

Featured Video - Limited Capabilities?

Security Shorts - What is User Class?

Industry News and Calendar

Security Resources

Security Quick Links

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home and Archives

Need Access to an IBM i?   Visit RZKH

Please Visit Our Sponsors

Platinum Sponsor
      Skyview Partners, Inc

Gold Sponsor
      Software Engineering of America

      Cilasoft Security Solutions

      The 400 School, Inc

IBM i Security and Audit Resources

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layouts 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow securemyi on Twitter

Follow securemyi on YouTube

SEA Expert Webinar - Assessing Security of IBM i

Featured YouTube Educational Video

IBM i Security

Misconceptions on User Limited Capabilities LMTCPB(*YES)

Featured Video - Misconceptions on User Limited Capabilities LMTCPB(*YES)

IBM i Security Industry News

Raz-Lee Security offers FREE Anti-Virus software for IBM i.
Seek and destroy malware that resides on your IBM i hosted shared network drives.
Protect your IFS from virus, worms and other malicious threats for FREE.
Read more about the FREE offer and Download the software.

Arpeggio Software offers FREE Zip-Unzip tool.
ARP-ZIP is an IBM i Zip-Unzip utility that supports ZIP, GZIP, TAR, JAR and BZIP2 and also supports several encryption methods including ZIP(password) and AES(both 128 and 256).
Read more about the FREE offer, and Download the software.

Safestone launches Compliance Center for IBM Power Systems
Safestone Technologies has now added Linux support for its Compliance Center software. This completes Safestone's multi-platform compliance and security solution across all IBM Power platforms: IBM i, AIX and now Linux.
Read the SafeStone announcement.

IBM PTF Extends Capability of CL Command Exit Programs
IBM has released a great new PTF in which the QIBM_QCA_RTV_COMMAND exit point has been enhanced to allow a user exit program to run AFTER a command has completed execution. Prior to the PTF, the exit point only allowed an exit program to run BEFORE the command execution.

The PTF is available for operating systems versions V5R4, 6.1 and 7.1.
View the V5R4 SI45987 PTF Cover Letter
View the IBM i 6.1 SI45986 PTF Cover Letter
View the IBM i 7.1 SI45985 PTF Cover Letter

IBM i Security Calendar of Events

Live Security Related Webcasts for IBM i

Assessing your Security on the Power i
Expert Webinar Series - Sponsored by Software Engineering of America, Inc
Thursday March 1st 1:00 PM Eastern Time
More Information and Register to Attend

Security Considerations for your Save / Restore Operations on IBM i
Coffee With Carol Series - Featuring Carol Woodbury
Sponsored by Skyview Partners
Thursday March 8th 8:00 AM Pacific Time
More Information and Register to Attend

An Auditor's View: Assessing IBM i Security Vulnerabilities
Featuring Powertech's Compliance Assessment Software - Sponsored by Powertech
Wednesday March 14 1:00 PM Central Time
More Information and Register to Attend

Security Related Training, Seminars, and Conferences for IBM i

March 21-22 - The 27th Annual Spring Technical Conference
Wisconsin Midrange Computer Professional Association
The conference will be held at Grand Geneva in Lake Geneva, WI.
More Information and Register to Attend

April 2-4 - The Power of i
The 22nd Annual Northeast IBM i User Groups Conference

The largest technical conference in New England for IBM i (AS/400, iSeries, Power Systems).
Over 75 sessions in five categories, including Security. Location: Framingham, MA
More Information and Register to Attend

April 10-13 - Live 4-Day Expanded Security Workshop for IBM i
Live Online Security Workshop from The 400 School and SecureMyi.com
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i
April 10-13. Very limited seating. Register early to reserve your seat in the class.

May 6-9 - COMMON User Group - Annual Conference and Expo - Anaheim, CA

Is Your JD EDWARDS Database Secure? See how SKYVIEW PARTNERS can help!

Cilasoft Security Solutions - Intelligently Engineered Security Solutions

SEA - Expert Webinar - Assessing your Security on IBM i

Security Shorts

*SECOFR User Class Does Not Make A User Powerful

By Dan Riehl

When we create user accounts on the IBM i, we use the command CRTUSRPRF(Create User Profile). One of the attributes of a user profile is the User Class. The choices are *SECOFR, *SECADM, *SYSOPR, *PGMR or *USER. The Security Officer(*SECOFR) user class does not make the user powerful, just as the user class of System Operator(*SYSOPR) does not convey any power to the user to manage the operations of the system.

The user class assigned to a user does one major thing. It determines what menu options are displayed on IBM supplied menus. You can easily see the result of user class and menus on the MAIN menu. If a user runs the command GO MAIN, some menu options will be shown, others may not be shown, all based upon the user's assigned user class.

In another example, consider the IBM supplied menu named SECURITY. To access the menu the user runs the command GO SECURITY. If the user has a user class of *USER, only one menu option is shown, "Change your Password". On the other hand, if the user has a user class of *SECOFR, all options on the SECURITY menu are displayed. But, just because a menu option is shown, does not mean the user has the authority to exercise the menu option. Option 8 from the SECURITY menu runs the command, GO SECTOOLS. Unless the user has *ALLOBJ special authority, or is specifically granted a private authority to the SECTOOLS menu, selecting option 8 from the menu will result in an error message "Not Authorized to object SECTOOLS".

The user profile attribute that provides *ALLOBJ, and other special abilities is NOT the User Class, it is the attribute Special Authority(SPCAUT).

When we create user profiles we typically specify the command as follows:


Here we create a powerful user by specifying that the user has all of the special authorities(SPCAUT) of the *SECOFR User Class(USRCLS). We could have just as easily specified the command as:


In this example, the user would be able to see all of the menu options on the SECURITY menu, but would not be able to run most of them. This is because the user was not granted any special authorities.

I know that this is a somewhat goofy example. We would never create a user profile as a *SECOFR class with no special authorities, but I wanted to illustrate the point, that the User Class alone, does not provide any capabilities to the user, except the ability to see menu options on IBM supplied Menus.

When we consider the command again,


The default value for the SPCAUT parameter is *USRCLS. So, unless we override the SPCAUT value *USRCLS, the user will have special authorities assigned according to the user's user class.

Assuming you are running QSECURITY level 30 or higher, here are the default special authorities assigned by user class.

  • *SECOFR All special authorities
  • *SECADM - *SECADM special authority
  • *SYSOPR - *SAVSYS and *JOBCTL special authority
  • *PGMR No special authorities
  • *USER No special authorities

(Note: The User Class can also be specified in the CRITMSGUSR parameter of the CHGSRVA(Change Service Attributes) command, to cause users of a particular User Class to receive critical system break messages.)

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

SEA Expert Webinar - Assessing Security of IBM i

Live Training from The 400 School

Live Online Hands-On Workshops

Industry Expert Instructors

Special March-April Discounts

System Administration & Control - Mar 12-16
Expanded Security Workshop - Apr 10-13
Control Language Programming - Apr 16-20
Intro to RPG IV Programming - Apr 30-May 4

Send your IBM i Security Related News and Events!           Sponsor the SecureMyi.com Security Newsletter

© Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017