SecureMyi.com Security and Systems Management Newsletter for the IBM i iSeries and AS/400 - September 12, 2013 - Misconceptions on User Class *SECOFR

Tweet
SecureMyi.com Security and Systems Management Newsletter for the IBM i September 12, 2013 - Vol 3, Issue 35

	Feature Article Misconceptions of the SECOFR User Class* By Dan Riehl - SecureMyi.com When we create user accounts on the IBM i, we use the command CRTUSRPRF(Create User Profile). One of the attributes of a user profile is the User Class. The choices are SECOFR, SECADM, SYSOPR, PGMR or USER. The Security Officer(SECOFR) user class does not make the user powerful, just as the user class of System Operator(SYSOPR) does not convey any power to the user to manage the operations of the system. Just What Does the User Class Really Do? The User Class assigned to a user does two major things. 1) It confuses IT auditors, and 2) it determines what menu options are displayed on IBM supplied menus. You can easily see the result of User Class and Menus on the IBM supplied MAIN menu. If a user runs the command GO MAIN, some menu options will be shown, others may not be shown, all based upon the user's assigned User Class. In another example, consider the IBM supplied menu named SECURITY. To access the menu the user runs the command GO SECURITY. If the user has a User Class of USER, only one menu option is shown, "Change your Password". On the other hand, if the user has a User Class of SECOFR, all options on the SECURITY menu are displayed. But, just because a menu option is shown, does not mean the user has the authority to exercise the menu option. For example, option 8 from the SECURITY menu runs the command, GO SECTOOLS. Unless the user has ALLOBJ special authority, or is specifically granted a private authority to the SECTOOLS menu, selecting option 8 from the menu will result in an error message "Not Authorized to object SECTOOLS". The SECTOOLS Menu ships from IBM with an authority of PUBLIC AUT(EXCLUDE). Why the Confusion? The user profile attribute that provides ALLOBJ, and other powerful operational capabilities is NOT the User Class, it is the User Profile attribute named Special Authority(SPCAUT). The main reason for confusion on the pupose of the User Class attribute is that when we create user profiles we typically specify the command as follows: CRTUSRPRF USRPRF(MYUSER) USRCLS(SECOFR) SPCAUT(USRCLS)* Here we create a powerful user by specifying that the user has all of the special authorities(SPCAUT) of the SECOFR User Class(USRCLS). When we specify USRCLS for the special authority attribute, the User Class is used to determine which special authorities as User receives. However, we could have created the user profile with no special authorities at all by setting the special authorities to NONE, as in the following command. CRTUSRPRF USRPRF(MYUSER) USRCLS(SECOFR) SPCAUT(NONE)* *Read More*
In This Issue Featured Article - The User Class Security Shorts - Using RMTCMD.exe Industry News and Calendar Security Resources Quick Links Search Security Site for IBM i and i5/OS SecureMyi Website Security Training from The 400 School SecureMyi Newsletter Home/Archives Our Newsletter Sponsors Platinum Sponsor The 400 School, Inc Gold Sponsor PowerTech Skyview Partners, Inc Software Engineering of America Silver Sponsor Cilasoft Security Solutions	IBM i Security Resources John Earl Memorial Tribute IBM i Security Videos - SecureMyi SecureMyi Newsletter Archives Search Security for IBM i IBM i Security Ref - 6.1 IBM i Security Ref - 7.1 QAUDJRN Entries By AUDLVL QAUDJRN Entry Layouts RedBook - Security Guide IBM i OSF - DataLoss DB PCI Data Security Standard COBIT - ISACA HIPAA Resources HITECH Enforcement CISSP - Certification
Industry News Joan Ross takes the Helm at Townsend Security Townsend Security announced that it has appointed Joan Ross as Chief Executive Officer. Patrick Townsend, founder and previous Chief Executive Officer will assume the role as Chief Technology Officer. More Information Live Security Related Webcasts and Training for IBM i September Events IFS Security - Don't Leave Your Server Vulnerable! Live Webcast - Presented by PowerTech Tuesday, September 17 1:00pm CDT More Information and Register to Attend October Events Live Hands-On - QAUDJRN Auditing and Forensic Analysis Workshop for IBM i with Dan Riehl Training Workshop - October 2-3 Dan Riehl presents this 2-Day Live Online Hands-on Workshop. More Information and Register to Attend Live Hands-On - Expanded Security Workshop for IBM i with Dan Riehl Training Workshop - October 7-10 Dan Riehl presents this 4-Day Live Online Hands-on Workshop. More Information and Register to Attend 2013 IBM Power Systems Technical University at Enterprise2013 Sponsored by IBM - (ed. This is the newest name for the IBM Technical Conference) Orlando, FL, October 21-25 More Information and Register to Attend

Security Shorts Using RMTCMD.exe to Run multiple CL Commands By Dan Riehl I have written often about using the IBM i Access command RMTCMD.exe to send commands from your Windows or Linux system to IBM i. But did you know you could also send multiple commands with one execution of the RMTCMD.exe? The Syntax used to send multiple commands is: rmtcmd /I rmtcmds.txt (Where rmtcmds.txt* is the name of a text file containing the list of commands to be executed.)* Here is an example. Using Notepad, enter the Control Language commands that are to be executed, and save to a text file. Here's an example you can try. CRTLIB LIB(MYTESTLIB) TYPE(TEST) TEXT('My Test Library') CRTPF FILE(MYTESTLIB/MYTESTFILE) RCDLEN(500) TEXT('My Test file') GRTOBJAUT OBJ(MYTESTLIB) OBJTYPE(LIB) USER(PUBLIC) AUT(EXCLUDE) SBMJOB CMD(CALL PGM(MYTESTPGM)) JOB(MYTEST) Run the rmtcmd.exe specifying the name of the file which contains the commands. C:\>rmtcmd /I rmtcmds.txt Here is the result. (Note: You may be prompted to Logon, depending on your IBM i Access settings.) IBM i Access for Windows Version 7 Release 1 Level 0 Submit Remote Command (C) Copyright IBM Corporation and Others 1984, 2010. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Licensed Materials - Property of IBM The remote system name is MYSYSTEM. CRTLIB LIB(MYTESTLIB) TYPE(TEST) TEXT('My Test Library') CPC2102 - Library MYTESTLIB created. CRTPF FILE(MYTESTLIB/MYTESTFILE) RCDLEN(500) TEXT('My Test file') CPC7301 - File MYTESTFILE created in library MYTESTLIB. CPC7305 - Member MYTESTFILE added to file MYTESTFILE in MYTESTLIB. GRTOBJAUT OBJ(MYTESTLIB) OBJTYPE(LIB) USER(PUBLIC) AUT(EXCLUDE) CPI2201 - Authority given to user PUBLIC for object MYTESTLIB in QSYS object type LIB. CPC2201 - Object authority granted. SBMJOB CMD(CALL PGM(MYTESTPGM)) JOB(MYTEST) CPC1221 - Job 115263/MYUSER/MYTEST submitted to job queue QBATCH in library QGPL. RMTCMD.exe Security Implications While the RMTCMD.exe is great in functionality, it also brings with its functionality, a serious security issue that you will want to be aware of. Limited Capabiliy Users (LMTCPB(YES)) can run CL Commands using RMTCMD.exe. The RMTCMD.exe does not honor the LMTCPB attribute of a User Profile. For more information on this topic, see the article Misconceptions of Command Line Access and Limited Capabilities Users* in the July 5, 2012 issue of the SecureMyi Security Newsletter.		Sponsored Links IBM i, iSeries and AS/400 Security Services from SecureMyi Expert IBM i Security Consulting IT Security and Compliance Group. LLC In Depth Security Assessment of IBM i Upgrade to QSECURITY level 40 or 50 Forensic Research and Analysis Audit Assistance and Remediation Security Training for IT and Audit Staff Security Software Selection & Configuration Customized Security/System Programming Live Training from The 400 School, Inc Customized IBM i (AS/400) Training - Presented Live at your offices Live Online Hands-On Workshops ILE RPG IV Programming ILE COBOL Programming Interactive Programming Workshops System Operations Workshops System Administration and Control Security and Auditing Workshops Control Language Programming IBM i Concepts and Facilities Query Workshop


Send your IBM i Security and Systems Management News and Events! Send your Questions, Comments, Tips and Stories Copyright 2013 - SecureMyi.com, all rights reserved SecureMyi.com \| St Louis MO 63017