SecureMyi.com Security and Systems Management Newsletter for the IBM i             May 27, 2015 - Vol 5, Issue 7
Feature Article

Securing Sensitive CL Commands from Abuse

By Dan Riehl - SecureMyi.com

Several IBM-supplied Control Language commands have restrictions on their use. Commands like CRTUSRPRF (Create User Profile) and CHGUSRPRF (Change User Profile) require that the user have, at a minimum, *SECADM special authority. Other commands like PWRDWNSYS (Power Down System) and ENDSBS (End Subsystem) can only be used by users with *JOBCTL special authority.

Most commands, however, are available for use by any user on the system. Commands can be run directly from the command line, executed from within a program or batch job stream, or run through network interfaces like RMTCMD (Remote Command), FTP (the RCMD subcommand) and ODBC/JDBC (by calling the QCMDEXC program).

Each command has an attribute, ALWLMTUSR (Allow limited user), that specifies whether users with limited capabilities can enter the command at the command line. A user is identified as 'limited' if their user profile specifies LMTCPB(*YES). Only a handful of IBM-supplied commands ship with ALWLMTUSR(*YES); these are commands like DSPJOB (Display Job), DSPMSG (Display Messages), SNDMSG and SIGNOFF. We tend to think of 'limited capability' users as being locked out of the command line. In reality, they CAN enter commands at a command line, as long as the particular command allows it. Note also that this attribute governs only command-line entry; it is not an object authority, which is why the rest of this article secures the command objects themselves.

For more information, see our YouTube video "Misconceptions about the Limited Capabilities attribute on a User Profile".

Since there are so many different methods to run commands, and so many different types of user capabilities and special authorities, it is important to tightly control some of the more powerful and sensitive commands.

On most systems, a majority of the users have *JOBCTL special authority. I have heard countless reasons for this configuration debacle, which I will not rehash here. The point here is that the powerful commands available to these users must be controlled.

The ability to use commands like PWRDWNSYS, ENDSBS and ENDSYS should not be available to every user with *JOBCTL, but should be restricted to a very small group of users.

Please review the Security Shorts Column in this issue for the related article, "When Securing Commands, Don't Miss any Command Users".

I recommend that we control access to powerful and sensitive commands using authorization lists. In this context, the authorization list names the users who are allowed to run a group of commands; each command object in that group is then secured by the list, so one list governs the whole group at once, no matter which interface submits the command.

For example, we create an authorization list named SYSADMIN. This list will identify the system administrators, and the powerful commands they can use will be secured by it. Here is the command to create the authorization list, with *PUBLIC excluded:

CRTAUTL AUTL(SYSADMIN) AUT(*EXCLUDE)
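The remaining steps, as an added CL example that is not the article's own code: put the administrators on the SYSADMIN list, secure each of the three commands named above with it, and point the commands' *PUBLIC authority at the list so the list decides who may run them. JSMITH and OPER1 are placeholder user names. The program must be run from a profile that has *ALLOBJ special authority or owns the command objects, or the GRTOBJAUT commands fail.

```cl
/* Added example, not from the article. SYSADMIN is the list the      */
/* article creates; JSMITH and OPER1 are placeholder user names.       */
             PGM

/* 1. Create the list. AUT(*EXCLUDE) is the *PUBLIC entry in the      */
/*    list: it applies to the list object and to every object the     */
/*    list secures, for any user who is not named in the list.        */
             CRTAUTL    AUTL(SYSADMIN) +
                        TEXT('Users allowed to run power/subsystem cmds') +
                        AUT(*EXCLUDE)
             MONMSG     MSGID(CPF2200) /* CPF22xx: list already exists */

/* 2. Name the users who may run the commands. *USE is all that is    */
/*    needed to run a command.                                        */
             ADDAUTLE   AUTL(SYSADMIN) USER(JSMITH OPER1) AUT(*USE)
             MONMSG     MSGID(CPF2200) /* CPF22xx: entry already there */

/* 3. Secure each command with the list, then set the command's       */
/*    *PUBLIC authority to *AUTL so the list, not the shipped public  */
/*    authority, decides who may run it. The check is made on the     */
/*    *CMD object, so it applies to the command line, CL programs,    */
/*    RMTCMD, FTP RCMD and QCMDEXC alike.                             */
             GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) AUTL(SYSADMIN)
             GRTOBJAUT  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) +
                        USER(*PUBLIC) AUT(*AUTL)

             GRTOBJAUT  OBJ(QSYS/ENDSBS)    OBJTYPE(*CMD) AUTL(SYSADMIN)
             GRTOBJAUT  OBJ(QSYS/ENDSBS)    OBJTYPE(*CMD) +
                        USER(*PUBLIC) AUT(*AUTL)

             GRTOBJAUT  OBJ(QSYS/ENDSYS)    OBJTYPE(*CMD) AUTL(SYSADMIN)
             GRTOBJAUT  OBJ(QSYS/ENDSYS)    OBJTYPE(*CMD) +
                        USER(*PUBLIC) AUT(*AUTL)

/* 4. Verify: DSPAUTLOBJ lists every object secured by the list, and  */
/*    DSPOBJAUT should show *PUBLIC = *AUTL and AUTL = SYSADMIN.      */
             DSPAUTLOBJ AUTL(SYSADMIN)
             DSPOBJAUT  OBJ(QSYS/ENDSBS) OBJTYPE(*CMD)

             ENDPGM
```

To test it, sign on as a user who is not on the list and run CHKOBJ OBJ(QSYS/ENDSBS) OBJTYPE(*CMD) AUT(*USE); it should fail with CPF9802 (Not authorized to object). Two caveats a practitioner should keep in mind: any user with *ALLOBJ special authority passes every object authority check, so the list does not restrict those profiles, and a program that adopts the authority of an *ALLOBJ owner runs the command just the same. If *AUTFAIL is in QAUDLVL, each rejected attempt is also recorded as an AF entry in QAUDJRN.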

Read More . . .

In This Issue


Featured Article - Secure CL Commands

Security Shorts - Command Usage?

Industry News and Calendar

Security Resources

Our Newsletter Sponsors


Platinum Sponsor

    The 400 School, Inc


Gold Sponsor

    PowerTech

    Skyview Partners, Inc

Silver Sponsor

    Cilasoft Security Solutions

IBM i Security Resources

IBM i Security Videos - SecureMyi

SecureMyi Newsletter Archives

Search Security for IBM i

IBM i Security Ref - 6.1

IBM i Security Ref - 7.1

QAUDJRN Entries By AUDLVL

QAUDJRN Entry Layouts

RedBook - Security Guide IBM i


Open Security Foundation - DataLoss DB

National Vulnerability Database - NIST

PCI Data Security Standard

COBIT - ISACA

HIPAA Resources

HITECH Enforcement

CISSP - Certification


Follow SecureMyi on Twitter
Follow SecureMyi on LinkedIn=
Follow SecureMyi on YouTube



Security Study from Powertech


Training from The 400 School
Security Training from SecureMyi.com
Security news and Events


Security Related News for IBM i

State of IBM i Security Study 2015 Released

PowerTech, a division of HelpSystems, has announced the release of the 2015 State of IBM i Security Study.

Now in its 12th year, the study includes data from 110 servers and partitions reviewed using PowerTech’s automated assessment tool. The participating organizations spanned a broad range of industries, including finance, healthcare, communication, transportation and others.

You can Download the Free 2015 Security Study Here



Live Security Related Webcasts and Training for IBM i

June Events

Live Hands-On - Security and Vulnerability Assessment Workshop for IBM i
with Dan Riehl

Training Workshop - June 2-5 - Presented by SecureMyi and The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i Concepts with Control Language Programming Workshop
with Dan Riehl

Training Workshop - June 15-19 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - June 22-26 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - IBM i, iSeries, AS/400 Expanded Security Workshop
with Dan Riehl

Training Workshop - June 29 - July 2 - Presented by SecureMyi and The 400 School, Inc.
Dan Riehl presents this 4-Day Live Online Hands-on Workshop.
More Information and Register to Attend

July Events

Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i
with Dan Riehl

Training Workshop - July 7 - 8 - Presented by The 400 School, Inc.
Dan Riehl presents this 2-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Expanded System Operations Workshop for IBM i, iSeries, AS/400
with Dan Riehl

Training Workshop - July 13-17 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend

Live Hands-On - Query for i WRKQRY Workshop for Technical Staff and End Users
with Dan Riehl

Training Workshop - July 28 - Presented by The 400 School, Inc.
Dan Riehl presents this Full-Day Live Online Hands-on Workshop.
More Information and Register to Attend

August Events

Live Hands-On - IBM i, iSeries System Administration and Control Workshop
with Dan Riehl

Training Workshop - August 10-14 - Presented by The 400 School, Inc.
Dan Riehl presents this 5-Day Live Online Hands-on Workshop.
More Information and Register to Attend




Security Shorts

When Securing Commands, Don't Miss any Command Users

By Dan Riehl - SecureMyi.com

When deciding who will be authorized to use a particular command, like ENDSBS(End Subsystem), it is important that you do not leave anyone out that needs to use the command. You do not want to get a call at 3:00am telling you that the batch job just blew up because the job was running under the user profile JSMITH, and you neglected to add JSMITH to the authorization list that secures the ENDSBS command.

I suggest that before you implement new restrictions on CL command usage you get some history of who is using the commands. Once you have a list of the users that use the commands, you can then restrict usage to just that select group.

To get a history of who is using a command, you will need to start auditing the command usage and then generate your command usage reports.

To start auditing the use of the ENDSBS command you can use the command:

CHGOBJAUD OBJ(QSYS/ENDSBS) OBJTYPE(*CMD) OBJAUD(*ALL)

Object auditing writes nothing unless the QAUDJRN journal exists and the system value QAUDCTL includes *OBJAUD, so check that first with DSPSYSVAL SYSVAL(QAUDCTL). Leave the audit running long enough to catch the month-end and weekend jobs, not just a normal week.

To get reports on command usage you can use the command:

CPYAUDJRNE ENTTYP(CD) OUTFILE(MYLIB/QAUDIT)

This command creates the file QAUDITCD (the OUTFILE name with the entry type appended), which you can view with SQL or Query, or download to Excel. You will need to filter the result file to select only those records where the command used is ENDSBS.
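The whole procedure in one CL program, as an added example that is not the column's own code. It goes a little beyond the column: it first confirms that QAUDCTL contains *OBJAUD, audits all three commands from the feature article, then filters the ENDSBS rows and summarizes them by user and job. Assumptions: MYLIB is the library from the column; ENDSBSUSE and ENDSBSWHO are placeholder file names; the field names CDONAM, CDOLIB, CDUSPF and CDJOB are taken to match the QASYCDJ5 model outfile, so confirm them with DSPFFD MYLIB/QAUDITCD before relying on them; and RUNSQL needs IBM i 7.1 with a current DB2 PTF group or a later release (use Query or STRSQL on older systems).

```cl
/* Added example, not the column's own code. Field names CDONAM,      */
/* CDOLIB, CDUSPF and CDJOB are assumed from the QASYCDJ5 model file;  */
/* ENDSBSUSE and ENDSBSWHO are placeholder file names in MYLIB.        */
             PGM
             DCL        VAR(&AUDCTL) TYPE(*CHAR) LEN(50)
             DCL        VAR(&I)      TYPE(*INT)
             DCL        VAR(&OBJAUD) TYPE(*LGL) VALUE('0')

/* 0. No CD entries are written unless QAUDCTL contains *OBJAUD (and  */
/*    the QAUDJRN journal exists). QAUDCTL is five 10-byte slots.     */
             RTVSYSVAL  SYSVAL(QAUDCTL) RTNVAR(&AUDCTL)
             DOFOR      VAR(&I) FROM(1) TO(41) BY(10)
                IF      COND(%SST(&AUDCTL &I 7) *EQ '*OBJAUD') +
                        THEN(CHGVAR VAR(&OBJAUD) VALUE('1'))
             ENDDO
             IF         COND(*NOT &OBJAUD) THEN(DO)
                SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('QAUDCTL lacks *OBJAUD, nothing audited') +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* 1. Audit use of the commands. For a *CMD, OBJAUD(*ALL) logs each   */
/*    use as a CD entry regardless of which interface ran it.         */
             CHGOBJAUD  OBJ(QSYS/ENDSBS)    OBJTYPE(*CMD) OBJAUD(*ALL)
             CHGOBJAUD  OBJ(QSYS/ENDSYS)    OBJTYPE(*CMD) OBJAUD(*ALL)
             CHGOBJAUD  OBJ(QSYS/PWRDWNSYS) OBJTYPE(*CMD) OBJAUD(*ALL)

/* 2. After the collection window, copy the CD entries from the       */
/*    current receiver chain. The outfile is named OUTFILE + entry    */
/*    type, i.e. QAUDITCD.                                            */
             CPYAUDJRNE ENTTYP(CD) OUTFILE(MYLIB/QAUDIT) +
                        OUTMBR(*FIRST *REPLACE)

/* 3. Keep only ENDSBS. CDONAM/CDOLIB identify the command object     */
/*    that was run.                                                   */
             CPYF       FROMFILE(MYLIB/QAUDITCD) TOFILE(MYLIB/ENDSBSUSE) +
                        MBROPT(*REPLACE) CRTFILE(*YES) +
                        INCREL((*IF CDONAM *EQ 'ENDSBS') +
                               (*AND CDOLIB *EQ 'QSYS'))

/* 4. One row per user and job. CDUSPF is the profile the job was     */
/*    running under when the command ran (the JSMITH batch job the     */
/*    column warns about), which can differ from the job user CDUSER.  */
             RUNSQL     SQL('CREATE TABLE MYLIB/ENDSBSWHO AS +
                             (SELECT CDUSPF, CDJOB, COUNT(*) AS USES +
                              FROM MYLIB/ENDSBSUSE +
                              GROUP BY CDUSPF, CDJOB) WITH DATA') +
                        COMMIT(*NONE)

             ENDPGM
```

Every distinct CDUSPF value in ENDSBSWHO is a profile that must be on the authorization list (or have another path to the command) before you secure ENDSBS; the CDJOB column tells you which of them are scheduled batch jobs rather than interactive users. Steps 0 and 1 belong at the start of the collection period and steps 2 to 4 at the end, so in practice you would split the program at step 2 or run the two halves on different days.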

Sponsored Links

IBM i, iSeries and AS/400
Security Services from SecureMyi


IT Security and Compliance Group


In Depth Security Assessment of IBM i
Upgrade to QSECURITY level 40 or 50
Forensic Research and Analysis
Audit Assistance and Remediation
Security Training for IT and Audit Staff
Software Selection & Configuration
Security and Systems Programming




LIVE Training from The 400 School, Inc


Customized IBM i (iSeries, AS/400) Training -
    Presented Live at your offices


LIVE Online Hands-On Workshops

Security and Auditing Workshops
System Operations Workshops
System Administration and Control
ILE RPG IV Programming
ILE COBOL Programming
Control Language Programming
IBM i Concepts and Facilities
Query Workshop


Send your IBM i Security and Systems Management News and Events!
Send your Questions, Comments, Tips and Stories

Copyright 2015 - SecureMyi.com, all rights reserved

SecureMyi.com | St Louis MO 63017