July 18, 2012 - Vol 2, Issue 13
Live Online Training from The 400 School

PCI Compliance Blueprint From Powertech

Security Compliance Automation Tools - Designed by Carol Woodbury - Security Policy Compliance - Vulnerability Assessments - Audit Journal Reporting - Register today for a FREE Trial! - Brought to you by SkyView Partners

Feature Article

The Top 5 Security Questions for IBM i

By Carol Woodbury   Skyview Partners, Inc.

It seems as though wherever I go, some common questions are asked. So I thought I’d take a few moments and answer them for everyone. Here we go (in reverse order.)

Question #5: What is primary group authority?

Primary group authority was created to accommodate the concept of group authority in UNIX. It was added to OS/400 when IBM added support for the Integrated File System (IFS). All of these functions were added to facilitate porting UNIX applications to run on OS/400. Primary group authority can only be given to a group profile. In addition, only one group profile can be the “primary group” of an object.

Primary group authority is very similar to a private authority granted to a group profile. The biggest difference is that the primary group and its authority are stored in the header of the object (vs with the user profile as private authorities are). And primary group authority is checked before any private authorities the group may have; therefore, there is a slight (and I do mean slight) performance gain when using primary group authority. The gain is so small it’s not worth the time it would take to change your security configuration.

Question #4: What authority is required to run (name your favorite command)?

Appendix D in the IBM i Security Reference lists all of the Control Language commands, along with the authority needed to run each command. The commands are listed by the type of object they act on, for example, user profiles, jobs and so forth. At the end of each command group are notes listing additional requirements, for example, the fact that users running the user profile commands must have *SECADM special authority.

Question #3: Isn’t adopted authority dangerous and shouldn’t it be avoided?

Adopted authority allows you to temporarily grant users the ability to perform a task without having to assign them the authority permanently.


In This Issue

Featured Article - Top 5 Questions

Security Shorts - Restricting System Request

Featured Video - Hidden Security Configuration Options

Industry News and Calendar

Security Resources

Quick Links

Search Security Site for IBM i and i5/OS

SecureMyi Website

Security Training from The 400 School

SecureMyi Newsletter Home/Archives

Need Access to an IBM i?   Visit RZKH.de

Thank You To Our Sponsors:

Platinum Sponsor
      The 400 School, Inc

Gold Sponsor
      The PowerTech Group

      Skyview Partners, Inc

      Cilasoft Security Solutions

IBM i Security and Audit Resources

IBM i Security Videos from SecureMyi.com

SecureMyi Newsletter Home and Archives

Search Security Site for IBM i and i5/OS

IBM i Security Reference - IBM i 6.1

IBM i Security Reference - IBM i 7.1

QAUDJRN Audit Types By AUDLVL 6.1

QAUDJRN Entry Type Record Layout 6.1

RedBook - Security Guide for IBM i 6.1

PCI SSC Data Security Standards

COBIT Framework - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification

Follow SecureMyi on Twitter

Follow SecureMyi on YouTube

IBM i Security News Bytes

Raz-Lee Security introduces latest security product for IBM i - iSecurity Command

iSecurity Command provides the ability to control CL commands, their parameters, origin, context (i.e. the program which initiated the CL command), the user issuing the CL command, etc., and provides easy-to-define ways to react to these situations.

According to Raz-Lee Vice President Eli Spitz , "iSecurity Command is the only product that has the ability to refer, for analysis or change, to each part of a complex parameter separately, as well as to the parameter as a whole."

More Information and Request a Demo

Linoma Software Adds Japanese Firm to Team of Global Partners

As Linoma Software continues to expand its global sales initiatives, it has added yet another sales partner to its team. Linoma president Bob Luebbe announced the new partnership with SOLPAC, a leading software and consulting firm based in Tokyo, Japan.

SOLPAC will be marketing Linoma Software’s managed file transfer solution, GoAnywhere, to Japan, Thailand, and Vietnam.

More Information on the Partnership

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

How to Track Sensitive Database Changes at the Field Level
Webcast - Sponsored by Cilasoft Security Solutions and Read Technologies
Wednesday July 18 10:00 AM CDT
More Information and Register to Attend

Configuring and Using IBM i Auditing Functions
Webcast - Sponsored by Powertech
Thursday July 19 1:00 PM CDT
More Information and Register to Attend

IBM i: Achieving PCI 2.0 Compliance with Virtual and Cloud Computing
iProDeveloper Webcast - Featuring Mel Beckman - Sponsored by Enforcive
Thursday July 26 11:00 AM CDT
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
Full Length Training Workshop - August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i.
More Information and Register to Attend

PCI Compliance Blueprint From Powertech

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

SecureMyi.com Security Workshop

Featured YouTube Video

IBM i Security - The Hidden Security Configuration Options

Featured Video - The Hidden Security Configuration Options

Cannot Access Youtube from your office? Here is the presentation in wmv format.   Click to Download the wmv file

Skyview Partners - Security Checkup from Skyview Partners

Security Shorts -

Restricting Access to System Request - SYSRQS

By Dan Riehl

The IBM 5250 keyboard layout used by the IBM i defines a special key as the System Request (SYSREQ) key. Technicians use this key to perform various tasks including canceling a previous request, displaying information about the current job, sending messages, displaying the QSYSOPR message queue, etc.

Here is a snapshot of the System Request menu.

                            System Request                                 
                                                     System:   SECUREMYI 
 Select one of the following:                                                   
      1. Display sign on for secondary job                                      
      2. End previous request                                                   
      3. Display current job                                                    
      4. Display messages                                                       
      5. Send a message                                                         
      6. Display system operator messages                                       
      7. Display work station user                                              
     80. Disconnect job                                                         
     90. Sign off                                                               
 Selection __                                                                     
 F3=Exit   F12=Cancel                                                           

What is the Exposure?

While the SYSRQS key does provide some nice capabilities for technicians, in the hands of an end user, or unwitting power user, it can cause some real problems. For example, a user just pressed ENTER to initiate a large series of production database updates, but, then immediately presses SYSRQS, and selects option 2 - to "Cancel the Previous Request". In the middle of this long series of database updates, the request is canceled, causing some of the updates to be applied, but not all. Now, we have a production database that is out of synch.

So, the SYSRQS function, especially Option 2(Cancel Request) can cause major damage when used improperly.

Restricting Access to SYSRQS

I would expect that restricting access to the System Request menu would be a simple matter of restricting access to some IBM program that ran the SYSRQS menu. But, in searching for the answer, I was surprised to learn that IBM's preferred method of restricting access is to restrict access to the Panel Group(Screen Definition) of the menu.

See IBM's discussion of this topic in the InfoCenter.

See the IBM Software Support Technical Document addressing this topic.

The IBM supplied panel group object QGMNSYSR in the QSYS library is the key to restricting access to the System Request function.

To prohibit all users on the system from using the System Request function, assign *EXCLUDE authority to *PUBLIC.


Now when a user that does not have *ALLOBJ authority tries to use the SYSRQS function, an authority failure will occur, which will prohibit the use of the function. The error message generated is:

CPD2317 - No authority to use system request functions.

Cause . . . . . :   You tried to use the system request functions but you do 
   not have the authority to do so.  To use system request functions, you must
   have authority to use the panel group QGMNSYSR.                            

Allowing for Exceptions

Even if you restrict the SYSRQS function for *PUBLIC, you will want to allow technical staff to continue to use SYSRQS. You can assign those users, but preferably group profiles, *USE rights to the panel group, as in:


Important Note:   Remember to apply the change again each time you upgrade the operating system, since the panel group will be replaced by the upgrade, and your changes will be lost.

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi

Expert Level Security Consulting
IT Security and Compliance Group, LLC

In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Security Software Selection & Configuration
Customized Security/System Programming

Subscribe to the SecureMyi Security Newsletter - Get Dan Riehl's book PowerTips for IBM i Security

Live Training from The 400 School, Inc

Live Online Hands-On Workshops
Special Fall/Winter Class Discounts

Now Accepting Credit Cards

IBM i System Administration Jul 16-20

IBM i Security Workshop Aug 21-24

Concepts & Control Language Sep 17-21

Fall Schedule Coming in Early August

Send your IBM i Security Related News and Events!           Advertise in SecureMyi.com Security Newsletter

Copyright 2012 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017