May 23, 2012 - Vol 2, Issue 9 Security Workshop

Exit Points and Exit Programs - Explained and Illustrated

By Dan Riehl

Is There a Security Problem with IBM i?

The IBM i security architecture is VERY robust when we take the time to properly configure our user applications and system settings.

Security exposures can, however, be introduced by network data access tools like FTP and ODBC. These do not indicate a failing on the part of IBM i security. Rather, the object-level authority (i.e., permission) you grant a user for "green screen" access through menus and textual screens is usually not the same authority you want to allow through network tools like FTP and ODBC.

The same object-level authority that enables a user to view the contents of the Payroll file is the same authority needed to download the file to a PC and post the content on the Internet. IBM recognized the potential areas for abuse and has provided an "Exit Point" facility to let you control these sensitive network access points.

This article describes how you can audit and control access using exit point programs. I'll specifically show you how to audit and control the FTP server logon process for the IBM i.

What exactly is an Exit Point?

An exit point is simply a point in an application at which the application can optionally call an external program to perform customized processing. The IBM i FTP logon server application includes an exit point where you can hook your own program into the FTP logon processing logic to control who can log on and what will occur when a logon attempt is made. To tell the FTP server that you have an exit program, you use the WRKREGINF (Work with Registration Information) or ADDEXITPGM (Add Exit Program) command. We'll see the actual ADDEXITPGM command shortly.

Once you have registered your exit program, whenever a user attempts to log on to the FTP server, the server finds your program that's registered for the exit point, then calls your exit program, passing as parameters information about the user who's logging on. Your exit program then processes that information and takes the appropriate action, according to the security rules you implement in the exit program. Upon return, your exit program passes back a flag to either ACCEPT or REJECT the logon attempt.

Exit Point Names and Interfaces

Each exit point has a name and an Exit Point Interface. The Exit Point Interface is a list of input and output parameters the IBM server program exchanges with your exit program. The QIBM_QTMF_SVR_LOGON exit point occurs immediately after a user enters a user ID and an authentication string (i.e., password) to log on to the FTP server. This exit point typically uses the TCPL0100 interface. Figure 1 lists some of the FTP logon exit point interfaces. I use the TCPL0100 interface and SVR_LOGON exit point for my exit program, which I explain a bit later.

Let's look at an example to help clarify what a simple exit program can actually perform and how it interacts with an IBM supplied server process.
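Before the walk-through, here is a small model of the decision and audit logic such an exit program performs, written in Python so the flow is easy to follow. This is an added example, not Dan Riehl's exit program: the request fields, the ACCEPT/REJECT values and the policy tables are assumptions and do not reproduce the real TCPL0100 parameter layout or return codes. The exit only ever answers ACCEPT (let the server's own user ID and password check proceed) or REJECT, and writes one audit record per attempt so suspicious sources can be alarmed on.

```python
"""Decision and audit logic of an FTP server logon exit program, modelled in
Python. Added example, not Dan Riehl's exit program: the request fields,
the ACCEPT/REJECT values and the policy tables are assumptions and do not
reproduce the real TCPL0100 parameter layout or return codes."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress

ACCEPT = "ACCEPT"   # assumed flag values; the real interface uses numeric codes
REJECT = "REJECT"


@dataclass
class LogonRequest:
    """Information the server passes to the exit program (assumed field names)."""
    user_id: str
    client_ip: str
    when: datetime


# Constructed policy tables for the example.
BLOCKED_PROFILES = {"QSECOFR"}          # powerful profiles never log on via FTP
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
FTP_ALLOW_LIST = {"PAYROLL1", "BACKUPUSR"}


def evaluate_logon(req: LogonRequest, audit_log: list) -> str:
    """Apply the policy, append one audit record and return ACCEPT or REJECT.

    ACCEPT only lets the server's normal user ID and password check proceed;
    this exit never asks the server to bypass authentication or swap profiles.
    """
    user = req.user_id.strip().upper()
    ip = ipaddress.ip_address(req.client_ip)

    if user in BLOCKED_PROFILES:
        result, reason = REJECT, "powerful profile not permitted over FTP"
    elif not any(ip in net for net in INTERNAL_NETS):
        result, reason = REJECT, "client address outside internal networks"
    elif user not in FTP_ALLOW_LIST:
        result, reason = REJECT, "user not on FTP allow list"
    else:
        result, reason = ACCEPT, "policy satisfied; normal password check follows"

    audit_log.append({"when": req.when, "user": user, "ip": req.client_ip,
                      "result": result, "reason": reason})
    return result


def format_audit_record(rec: dict) -> str:
    """One line per attempt, suitable for a message queue or syslog feed."""
    return (f"{rec['when'].isoformat()} FTPLOGON user={rec['user']} "
            f"ip={rec['ip']} result={rec['result']} reason={rec['reason']}")


def suspicious_sources(audit_log: list, threshold: int = 3) -> set:
    """Alarm rule: client addresses with at least `threshold` rejected attempts."""
    counts = {}
    for rec in audit_log:
        if rec["result"] == REJECT:
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return {ip for ip, n in counts.items() if n >= threshold}


def run_demo():
    """Run constructed logon attempts through the exit logic."""
    audit = []
    t = datetime(2012, 5, 23, 9, 0, tzinfo=timezone.utc)    # constructed time
    attempts = [("PAYROLL1", "10.1.2.3"),      # internal, allowed user
                ("QSECOFR", "10.1.2.3"),       # internal, but powerful profile
                ("payroll1", "203.0.113.9"),   # allowed user, external address
                ("guest", "203.0.113.9"),      # unknown user, external address
                ("QSECOFR", "203.0.113.9")]    # powerful profile, external
    results = [evaluate_logon(LogonRequest(u, ip, t), audit) for u, ip in attempts]
    return results, audit, suspicious_sources(audit)


if __name__ == "__main__":
    results, audit, suspects = run_demo()
    for rec in audit:
        print(format_audit_record(rec))
    print("alarm on:", suspects)
```

The order of the rules matters: the profile check runs first so a powerful profile is refused even from an internal address, and the audit record is written for every attempt, accepted or not, which is what makes the later alarm rule possible.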


Carsten's Security Code for IBM i

Carsten's New CL Command to Manage the Intrusion Detection System for IBM i

Downloadable Source code included!

By Carsten Flensburg

In The January 4, 2012 issue of the SecureMyi Security Newsletter, Dan Riehl presented an Introduction to the Intrusion Detection System for IBM i.

As I was doing additional research on the IDS (Intrusion Detection System) topic, I came across the "Control Intrusion Detection and Prevention API". This API (Application Programming Interface) is provided by IBM to allow you to perform some vital IDS management routines.

I've wrapped the API up in a new CL command CTLIDS (Control Intrusion Detection System), giving me direct, green-screen access to the IDS functions supported by the API.

Here is the command prompt display.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                     Control IDS(CTLIDS)                             
 Type choices, press Enter.                                                    
 Option . . . . . . . . . . . . .   *STATUS           *ACTIVATE, *DEACTIVATE...    

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

By pressing F1=Help during the prompt display, the Help Text explains the use of the command, the restrictions and additional information on the IDS. Listed here are selected snippets of the online Help Text.

The Control Intrusion Detection and Prevention (CTLIDS) command is used to control the Intrusion Detection System (IDS).

It can be used to activate, deactivate, recycle (deactivate and reactivate) the IDS or retrieve the status (active or inactive) of the IDS, and it is provided as an interface to the code that processes the IDS policy file.

Note: TCP/IP Connectivity Utilities for i5/OS must be installed in order to use this command.

You must have *IOSYSCFG special authority to run the command.

The Option (OPTION) Parameter

Specifies the requested function.

Activate the Intrusion Detection System (IDS).
Deactivate the Intrusion Detection System (IDS).
Recycle the Intrusion Detection System (IDS).
Retrieve the status of the Intrusion Detection System (IDS). The current status is returned in an informational message sent to the job running the CTLIDS command.

In addition to controlling IDS, the CTLIDS command also verifies that TCP/IP is active and operational.

The Source code that comprises the CTLIDS command is listed here.

SEC101      RPGLE       Control Intrusion Detection Services - CPP
SEC101H     PNLGRP      Control Intrusion Detection Services - Help
SEC101M     CLP         Control Intrusion Detection Services - Build cmd
SEC101X     CMD         Control Intrusion Detection Services

Download a zip file containing all of the source code.

Additional Resources:

Control Intrusion Detection and Prevention (QTOQIDSC, QtoqIDSControl) API for IBM i 6.1

IBM Info Center - Complete coverage of IDS for IBM i 7.1

Introduction to the Intrusion Detection System for IBM i From the SecureMyi Security Newsletter Jan 4, 2012


IBM i Security News Bytes

Townsend Security Unveils Alliance LogAgent Suite
Townsend's new Suite includes the Alliance LogAgent for IBM i and adds database column-level update reporting. The new Suite allows for advanced integration of security and system level events with database update activity for output to syslog, CEF and other SIEM facilities.
More Information, and Download Free 30 Day Trial

Raz-Lee Security Announces Change Tracker 1.0
Raz-Lee Security announced the availability of Change Tracker 1.0 which enables IBM i (AS/400) companies to trace software modifications at both the source and object levels.
More Information and Download Free Trial

New Book - Now Shipping - IBM i Security Administration and Compliance
By Carol Woodbury
The Book is Now Shipping - You can Order your copy at the MCPress Online Bookstore
More Information and order from MCPress Online.

IBM i Security Calendar of Events

Live Security Related Webcasts and Training for IBM i

Webinar - The 2012 State of IBM i Security Study
Sponsored by PowerTech
Wednesday May 30 1:00 PM CDT
PowerTech releases the findings of its yearly IBM i Security Study in this live presentation. It is Always "Eye Opening" and thought provoking for us IBM i Security folks.
More Information and Register to Attend

Live 4-Day Hands-On Expanded Security Workshop for IBM i
August 21-24 9:00am - 4:00pm Central Time
Dan Riehl presents his 4-Day Live Online Hands-on Security Workshop for the IBM i. More Information and Register to Attend

Security Related Seminars and Conferences for IBM i

June 9-12 - - COMMON Europe Congress of 2012
Common Europe is celebrating its 50th Anniversary Conference, held in Vienna, Austria

Security Shorts

Logon to the IBM i - No UserID or Password Required

By Dan Riehl

Did you know that it may be possible to logon to your IBM i using a non-existent UserID and no password?

One such method uses a variant of "Anonymous FTP". Anonymous FTP is typically implemented so that the FTP user logon prompt is answered with a userID of ANONYMOUS and the password prompt is answered with an email address. The user is then logged on and is typically restricted to sending or receiving files from a PUBLIC directory. Some companies use this ANONYMOUS FTP technique to allow public downloads of product manuals, software fixes, public documents, etc.

You can implement ANONYMOUS FTP on the IBM i by writing or buying specialized FTP server exit point programs that interface with the IBM i FTP server.

In order to implement this ANONYMOUS FTP logon, the exit program attached to the FTP logon process must instruct the FTP server to bypass UserID and Password checking, because ANONYMOUS and an email address are typically not a valid IBM i UserID and Password combination.

With this in mind, it is possible for an FTP LOGON exit program to completely circumvent the security of your system. If a nefarious technician can add an exit program to your FTP server Logon process, that program could potentially allow a non-existent UserID to log on through FTP as a system administrator with *ALLOBJ authority without providing a valid UserID or Password.

In the above Feature Article "Exit Points and Exit Programs", I discussed the FTP server Logon exit point program. In that article you can glean the information needed to allow a user to bypass user and password checking, and to redirect the server to log on a user as any valid user profile, including powerful *ALLOBJ system administrator users.

This information is also available in any article or document that discusses the implementation of ANONYMOUS FTP on the IBM i. The purpose of the Feature Article was to show how to audit all FTP logon attempts and to sound the alarms when a suspicious Logon attempt occurred.

Protect your System!

Since the FTP logon exit program can bypass user and password checking, you must be vigilant in protecting the exit point as well as the other network logon exit points from rogue programs.

To check whether an FTP Logon exit program is in place on your system, use the command WRKREGINF (Work with Registration Information) and find the entry for the Exit Point named QIBM_QTMF_SVR_LOGON. This is the exit point for the FTP server Logon process. Select option 8 to see if a program is registered for this point. If a program is listed, you need to make sure you know exactly what the program is doing. If you do not know what the program is, or what it is doing, you really need to find out, or remove it until you can verify what it is.

Note: If you are running a commercial network exit point product, there will be a program listed here. If you remove the program from the exit point, you may be removing some protections and auditing capabilities that are provided by the security software vendor's exit program.

If you want to monitor your system for any changes to the system exit point program registry, you can turn on auditing for any changes to the exit points. This will allow you to monitor for the addition or change of any exit point programs.

For information on how to audit the exit point program registry see my article 'Who Removed My Registered Exit Program' in the Security Shorts section of the January 4, 2012 issue of the SecureMyi Security Newsletter.
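The review described above (know every program registered on the logon exit points, and notice when one is added or removed) can be turned into a repeatable check. The Python below is an added example, not from the newsletter or from any vendor's product: the snapshot format is constructed and is not the WRKREGINF display layout, and every library, program and placeholder exit point name in it is invented for illustration. Only the QIBM_QTMF_SVR_LOGON exit point and its TCPL0100 format come from the article.

```python
"""Baseline review of exit point registrations, the check the Security Shorts
text describes. Added example, not from the newsletter: the snapshot format is
constructed (it is not the WRKREGINF display layout) and every library,
program and placeholder exit point name is invented for illustration."""

# Constructed snapshot of what is registered, one line per program:
# "<exit point> <format> <library>/<program>"
CURRENT_SNAPSHOT = """
# exit point            format    program
QIBM_QTMF_SVR_LOGON     TCPL0100  SECLIB/FTPLOGEXIT
QIBM_QTMF_SVR_LOGON     TCPL0100  QGPL/TMPFIX01
"""

# What the administrator has reviewed and approved. The second entry is a
# placeholder standing for another network logon exit point; all names invented.
APPROVED = {
    ("QIBM_QTMF_SVR_LOGON", "TCPL0100", "SECLIB/FTPLOGEXIT"),
    ("PLACEHOLDER_LOGON_EXIT", "FMT0100", "SECLIB/PLCHLDEXIT"),
}


def parse_snapshot(text: str) -> set:
    """Turn the constructed snapshot text into (exit point, format, program) tuples."""
    regs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        point, fmt, program = line.split()
        regs.add((point, fmt, program))
    return regs


def review_registry(snapshot_text: str, approved: set) -> dict:
    """Compare the current registrations against the approved baseline.

    'unknown'  : a program someone registered that was never reviewed; verify
                 what it does or remove it until you can.
    'missing'  : an approved program that is no longer registered; a vendor's
                 protections or auditing may have been switched off.
    """
    current = parse_snapshot(snapshot_text)
    return {
        "unknown": sorted(current - approved),
        "missing": sorted(approved - current),
    }


def programs_for(snapshot_text: str, exit_point: str) -> list:
    """The programs registered on one exit point (what WRKREGINF option 8 shows)."""
    return sorted(prog for point, _fmt, prog in parse_snapshot(snapshot_text)
                  if point == exit_point)


if __name__ == "__main__":
    print("FTP logon exit programs:",
          programs_for(CURRENT_SNAPSHOT, "QIBM_QTMF_SVR_LOGON"))
    for kind, entries in review_registry(CURRENT_SNAPSHOT, APPROVED).items():
        for point, fmt, prog in entries:
            print(f"{kind.upper():8} {point} {fmt} {prog}")
```

Run against a fresh snapshot after every change window, or from the same job that reviews the audit journal, and treat both kinds of finding as high priority: an unknown program on a logon exit point is exactly the rogue program the text warns about, and a missing one means a protection you were counting on is gone.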


© Copyright 2012 -, all rights reserved | St Louis MO 63017