SecureMyi.com Security and Systems Management Newsletter for the IBM i
March 13, 2013 - Vol 3, Issue 25
Feature Article
By Dan Riehl

Unless you have changed your network server startup defaults, many network servers are starting on your system that you have no earthly need to run. Running servers that are not needed opens up additional network pathways to your system, which results in increased vulnerability. For example, why turn your IBM i into a mail server by starting POP3 and/or SMTP when your system will never process any e-mail? Yet, unless you have changed the IBM defaults, your system is running the servers to process e-mail.

The IBM-shipped defaults will automatically start a large number of servers when you start the Host servers and TCP/IP servers. Here is a list of the servers that are set to automatically start in IBM i 6.1. Along with the servers that are automatically started, numerous server-related clients and daemons are set to start when particular servers start. Information on each IBM i 6.1 server, including server names, associated jobs and auto-start settings, can be found here at the IBM i 6.1 Information Center.

Stark Terror when Starting and Ending TCP/IP servers

The IBM-supplied default values when starting a TCP/IP server will cause all TCP/IP servers to attempt to start. That is one of the main problems we have in controlling the start of these servers. A well-meaning IT staff member types "STRTCPSVR" and presses ENTER… All the TCP/IP servers will attempt to start.

The STRTCPSVR (Start TCP/IP Server) command's default value of SERVER(*ALL) is not appropriate. It runs the command as shown here.

    STRTCPSVR SERVER(*ALL)

But you can change this terrorizing default behavior and help protect your system.
IBM i Security and Systems Management News Bytes

PowerTech Adds New Auditing Capabilities in Authority Broker 4.0

PowerTech, a Help/Systems company, has announced a new version of their Authority Broker software that adds a Screen-Cam capability to audit user activity when using System Service Tools (SST), QSH, and other "invisible" green-screen-based activity.

While the IBM i security infrastructure includes auditing capabilities for green screen commands, Authority Broker 4.0 extends IBM i auditing into non-command-based environments, including STRSQL, DFU, QSHELL, and System Service Tools (SST). See more about the new version of Authority Broker.
Security Shorts -
By Dan Riehl

Have you ever used the WRKREGINF command? It is the IBM i command to Work with Registration Information. So, you ask, "What is Registration Information anyway?" Simply put, it is the registered exit points and exit programs that allow IBM, third party vendors and you to do some custom processing when an event occurs on your system.

For example, IBM provides a registered exit point for the process of creating a user profile. It allows you to do some custom processing when a user profile is created. You accomplish your custom processing by writing a program and registering the program using the WRKREGINF command or the ADDEXITPGM (Add Exit Program) command. There are many categories of exit points. Some are for Backup and Recovery, User Profile maintenance, Network Access (like FTP and ODBC), and many others.

Thankfully, the ability to add an exit program to the registry is restricted to a user with Security Officer access. I say thankfully, because it is possible through adding exit programs to override or complement the normal functioning of the system. That’s what the exit points were designed for.

Now, please let me take you a step further

Several OS releases ago, IBM provided us with the capability to add exit programs to Control Language commands. These are referred to as Command Exit programs. So, if you wanted to add your own custom logic to a CL command, you could do that by registering your own custom-written program to the IBM-supplied exit points named QIBM_QCA_CHG_COMMAND and QIBM_QCA_RTV_COMMAND. For information on using these CL Command exit points, see the two-part series at Securemyi.com.

Please, just one more step with me

When installing third party vendor supplied packages you are often required to log on to the system as QSECOFR, or a similar powerful user profile. This, in itself, is not a bad thing. But do you know what the vendor's install process is doing to your system?

I was recently at a customer site performing a security assessment and was running a standard audit report from my toolkit and discovered a little surprise deposited by a third party vendor’s install process. The vendor had added an exit program for the IBM-supplied Control Language command APYPTF (Apply Program Temporary Fix). I was puzzled. Why would a well-respected software vendor want to hook their own logic into the PTF process, especially when the software product itself had absolutely NO relationship to system fixes or PTFs? I called the vendor and questioned them about what this exit program was doing there. The vendor did not provide any kind of reasonable answer, and advised me that it was OK to remove the exit program if I wanted to; it would not affect their application. So why was it there in the first place? Hmmmm - very fishy.

So, What can I do?

You can review all the exit programs on your system by using the WRKREGINF command and paging through all the screens, or you can print a report using the same command. You will find that the printed report is a bit complex, but look for exit programs, especially those in non-IBM-supplied libraries. Make sure you know what the non-IBM exit programs are, and why they are there.

I want to suggest something that may increase your comfort level when installing new software. Start the IBM i auditing function for the user doing the install, to include auditing command execution and system changes. When the install is complete, run some QAUDJRN auditing reports to see exactly what happened during the install process.

Here’s a command to start auditing a user’s actions before you start the install process.

    CHGUSRAUD USRPRF(MYUSER) +
              AUDLVL(*CMD *CREATE *SYSMGT *SERVICE *SAVRST *SECURITY *OBJMGT)

(Note: If you are auditing some of these events at the system level, i.e. in the QAUDLVL system value, you do not need to include them at the user level. But you will want to include at least *CMD, since that cannot be specified at the system level. It will provide an audit trail of every CL command executed by that user.)

And for detailed information on auditing changes to the Exit Point Registry, see the February 27, 2013 issue of the SecureMyi Security and Systems Management Newsletter in the article Auditing Exit Point Changes.
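
The registry review recommended above (exit programs in non-IBM libraries, and which CL command each command exit program hooks) can be scripted once the WRKREGINF listing has been keyed into rows. This is an added example, not code from the newsletter: the row layout and the library and program names are constructed, and it assumes the command exit points carry the hooked command in the exit program data as a 20-character qualified name (10-character command, 10-character library).

```python
# Added example (not from the newsletter). SAMPLE rows are constructed.
CMD_EXIT_POINTS = {"QIBM_QCA_CHG_COMMAND", "QIBM_QCA_RTV_COMMAND"}
# Assumption: IBM-supplied libraries start with "Q". QGPL and QUSRSYS ship
# with the system but commonly hold user objects, so they are reviewed too.
REVIEW_ANYWAY = {"QGPL", "QUSRSYS"}


def is_ibm_library(lib):
    lib = lib.strip().upper()
    return lib.startswith("Q") and lib not in REVIEW_ANYWAY


def hooked_command(pgm_data):
    """Decode exit program data: 10-char command name + 10-char library."""
    padded = pgm_data.ljust(20)
    name, lib = padded[:10].strip(), padded[10:20].strip()
    return f"{lib}/{name}" if name else None


def review(entries):
    """Return registrations whose exit program is outside IBM libraries."""
    findings = []
    for e in entries:
        if is_ibm_library(e["pgm_lib"]):
            continue
        cmd = None
        if e["exit_point"] in CMD_EXIT_POINTS:
            cmd = hooked_command(e.get("pgm_data", ""))
        findings.append({
            "exit_point": e["exit_point"],
            "program": f'{e["pgm_lib"].strip()}/{e["pgm"].strip()}',
            "hooks_command": cmd,
        })
    return findings


SAMPLE = [  # constructed rows, keyed in from a registry listing
    {"exit_point": "QIBM_QCA_CHG_COMMAND", "pgm_lib": "VENDORLIB",
     "pgm": "HOOKPGM", "pgm_data": "APYPTF".ljust(10) + "QSYS".ljust(10)},
    {"exit_point": "QIBM_QSY_CRT_PROFILE", "pgm_lib": "SECTOOLS",
     "pgm": "NEWUSRCHK", "pgm_data": ""},
    {"exit_point": "QIBM_QTMF_SERVER_REQ", "pgm_lib": "QGPL",
     "pgm": "FTPEXIT", "pgm_data": ""},
    {"exit_point": "QIBM_QTMF_SERVER_REQ", "pgm_lib": "QSYS",
     "pgm": "QIBMPGM", "pgm_data": ""},
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Each finding is a registration to account for: who installed it, and why it is there.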
Copyright 2013 - SecureMyi.com, all rights reserved
SecureMyi.com | St Louis MO 63017