Post on 22-Jan-2018
© HelpSystems. All Rights Reserved. 12/28/2015
Cutting Through IBM i Security Confusion
Carol Woodbury, VP of Global Security Services
Meet Your Presenter
HOST & PRESENTER: Carol Woodbury
VP of Global Security Services
Topic: Cutting Through IBM i Security Confusion
ABSTRACT: Security expert Carol Woodbury gets tons of questions about IBM i security, including straightforward questions about security concepts. But some questions address the more obscure features and functions of IBM i security:
• What’s the difference between profile swap and program adopt?
• In what order does the system check authority?
• How can you use attributes of the output queue to avoid granting users *SPLCTL authority?
In this session, Carol will answer these and other questions about the most confusing aspects of IBM i security. Join us for information that will be useful for both beginners and veterans.
Program Adopt
Adopted authority
• Used to temporarily give authority
• When a program with USRPRF(*OWNER) runs, the
authority in effect is the user plus the owner of the program
• Both special authorities and private authorities are adopted
(the program owner’s groups are not included)
• Additional authority is in effect for as long as the program is
in the call stack
How can I tell whether a program adopts?
Adopted authority example #1
Program call stack (in call order) and the authorities checked at each level, for user CJW:
• PGM_A – Owner: APP_OWNER, User Profile: *USER – Authorities checked: CJW
• PGM_B – Owner: APP_OWNER, User Profile: *OWNER – Authorities checked: CJW then APP_OWNER
• PGM_C – Owner: QSECOFR, User Profile: *OWNER – Authorities checked: CJW then APP_OWNER then QSECOFR
Adopted authority example #2
Program call stack (in call order) and the authorities checked at each level, for user CJW:
• PGM_A – Owner: APP_OWNER, User Profile: *OWNER – Authorities checked: CJW then APP_OWNER
• PGM_B – Owner: QSECOFR, User Profile: *OWNER – Authorities checked: CJW then APP_OWNER then QSECOFR
• PGM_D – Owner: APP_OWNER, Use Adopted Authority: *NO, User Profile: *USER – Authorities checked: Only CJW
Adopted authority example #3
Program call stack (in call order) and the authorities checked at each level, for user CJW:
• PGM_A – Owner: APP_OWNER, User Profile: *OWNER – Authorities checked: CJW then APP_OWNER
• PGM_B – Owner: QSECOFR, User Profile: *OWNER – Authorities checked: CJW then APP_OWNER then QSECOFR
• PGM_cmdline – Owner: APP_OWNER, Use Adopted Authority: *NO, User Profile: *USER – Authorities checked: Only CJW
Adopted authority limitations
• Stack-based – adopted authority is available only while the adopting program is active in the call stack.
• Adopted authority is dropped when submitting a job, running a remote command, using FTP, etc.
• Adopted authority is ignored by the IFS (can’t use adopted authority to gain access to a directory or file in a directory)
Power of adopted authority
• Ensure a menu-based application continues to have sufficient authority when setting the files to *PUBLIC *EXCLUDE
– You do not have to adopt an *ALLOBJ profile
• Provide authority for single-purpose utilities
– Reset user profile passwords and status
– Enable devices
• Clearly never want the adopted authority of a powerful profile (a profile with *ALLOBJ) to flow out to a command line!
Authority Search Order
• USER – *ALLOBJ, private authority, authorization list. Stops when ANY authority is found.
• GROUP(S) – *ALLOBJ, primary group, private authority, authorization list. Repeats for each group until sufficient authority is accumulated or no more groups.
• *PUBLIC – Object or authorization list. Checked when no authority is found for User or Group(s).
• Adopted – Checked when authority is not sufficient; runs the User portion of the algorithm for the program owner.
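The search order and the three adopted authority examples above, worked as an added Python model. This is an illustration written for this page, not IBM's implementation and not code from the presentation. It follows the rules as the slides state them: the user portion stops at the first authority found, group authority accumulates until it is sufficient, *PUBLIC is consulted only when nothing was found for the user or groups, and adopted authority runs the user portion for each program owner still in effect on the call stack (a program with Use Adopted Authority *NO cuts off the programs below it). The profile names CJW, APP_OWNER, QSECOFR and MGR1, the object PAYROLL and the single-rank authority levels are assumptions constructed for the example; real IBM i authority is a set of individual rights, so "accumulate" is reduced here to taking the highest rank.

```python
"""Model of the authority search order and adopted authority described on these slides.
Constructed illustration, not IBM's implementation: object authority is reduced to a
single rank (*EXCLUDE < *USE < *CHANGE < *ALL) instead of individual rights."""
from dataclasses import dataclass, field

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}


@dataclass
class Profile:
    name: str
    special: frozenset = frozenset()  # special authorities, e.g. frozenset({"*ALLOBJ"})
    groups: tuple = ()                # group profile names, in order


@dataclass
class Obj:
    private: dict = field(default_factory=dict)  # profile name -> private authority
    public: str = "*EXCLUDE"                     # *PUBLIC, or "*AUTL" to take it from the list
    autl: dict = field(default_factory=dict)     # authorization list entries (may hold "*PUBLIC")


@dataclass
class Pgm:
    owner: str
    usrprf: str = "*USER"    # USRPRF(*OWNER) adopts the owner's authority
    useadpaut: str = "*YES"  # USEADPAUT(*NO) ignores authority adopted by earlier programs


def user_portion(profile, obj):
    """USER box: *ALLOBJ, then private authority, then the authorization list.
    Returns the first authority found, or None when there is none."""
    if "*ALLOBJ" in profile.special:
        return "*ALL"
    if profile.name in obj.private:
        return obj.private[profile.name]
    return obj.autl.get(profile.name)


def sufficient(found, required):
    return found is not None and RANK[found] >= RANK[required]


def adopted_owners(call_stack):
    """Owners whose authority is in effect, walking from the current program back down
    the stack; a program with USEADPAUT(*NO) cuts off adoption from the programs below it."""
    owners = []
    for pgm in reversed(call_stack):
        if pgm.usrprf == "*OWNER":
            owners.append(pgm.owner)
        if pgm.useadpaut == "*NO":
            break
    owners.reverse()  # list in call order, as the example slides do
    return owners


def authorities_checked(user, call_stack):
    """Reproduces the 'Authorities checked' column of the adopted authority examples."""
    names = [user.name]
    for owner in adopted_owners(call_stack):
        if owner not in names:
            names.append(owner)
    return names


def check_authority(user, profiles, obj, required, call_stack=()):
    """USER -> GROUP(S) -> *PUBLIC -> Adopted; returns (authorized, where it was found)."""
    found = user_portion(user, obj)
    if found is not None:
        # Stops when ANY authority is found for the user: groups and *PUBLIC are not consulted,
        # so an insufficient private authority is not rescued by a group's authority.
        if sufficient(found, required):
            return True, "user"
    else:
        best = None
        for g in user.groups:  # accumulate until sufficient or no more groups
            ga = user_portion(profiles[g], obj)
            if ga is not None and (best is None or RANK[ga] > RANK[best]):
                best = ga
            if sufficient(best, required):
                return True, f"group {g}"
        if best is None:  # *PUBLIC only when no authority was found for user or groups
            pub = obj.autl.get("*PUBLIC", "*EXCLUDE") if obj.public == "*AUTL" else obj.public
            if sufficient(pub, required):
                return True, "*PUBLIC"
    for owner in adopted_owners(call_stack):  # user portion of the algorithm for each owner
        if sufficient(user_portion(profiles[owner], obj), required):
            return True, f"adopted from {owner}"
    return False, "not authorized"


# Constructed profiles, object and call stacks mirroring the example slides
PROFILES = {
    "CJW": Profile("CJW", groups=("MGR1",)),
    "MGR1": Profile("MGR1"),
    "APP_OWNER": Profile("APP_OWNER"),
    "QSECOFR": Profile("QSECOFR", special=frozenset({"*ALLOBJ"})),
}
PAYROLL = Obj(private={"APP_OWNER": "*ALL"})  # *PUBLIC *EXCLUDE, only the owner has authority
EXAMPLE_1 = (Pgm("APP_OWNER"), Pgm("APP_OWNER", "*OWNER"), Pgm("QSECOFR", "*OWNER"))
EXAMPLE_2 = (Pgm("APP_OWNER", "*OWNER"), Pgm("QSECOFR", "*OWNER"), Pgm("APP_OWNER", "*USER", "*NO"))

if __name__ == "__main__":
    print(authorities_checked(PROFILES["CJW"], EXAMPLE_1))  # ['CJW', 'APP_OWNER', 'QSECOFR']
    print(authorities_checked(PROFILES["CJW"], EXAMPLE_2))  # ['CJW']
    print(check_authority(PROFILES["CJW"], PROFILES, PAYROLL, "*CHANGE", EXAMPLE_1))
    print(check_authority(PROFILES["CJW"], PROFILES, PAYROLL, "*CHANGE", EXAMPLE_2))
```

One case worth trying with check_authority yourself: give CJW a private *USE to an object whose group MGR1 holds *ALL, then ask for *CHANGE. The search stops at CJW's own entry and never reaches the group, so the answer is not authorized. That is why a stray private authority granted to an individual can break an application that relies on group authority, and why the user portion of the search deserves a look before the group setup when troubleshooting an authority failure.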
Profile Swap
Profile swap
• Profile under which the process is running is changed.
• The same job, 075220/CJW/QPADEV000B, before and after a swap:
– Groups: MGR1, ACCTG; Spcaut: *NONE; Limit cap: *YES; Auditing: *JOBBAS
– Groups: SALES, MKTG; Spcaut: *JOBCTL; Limit cap: *PARTIAL; Auditing: *CMD
Often used for server or prestart jobs
• Job is started under an IBM-supplied profile; when a request comes in, the job swaps to the requestor’s profile
Used to elevate privileges
• One of the options provided by vendors to elevate
privileges
Profile swap APIs
• Requires you to know the password or have *USE to the
profile to obtain a handle.
– A profile handle is only valid within the job that requested it
• Variations:
– Profile token – can pass between programs
– SETGID – only swaps the first group
– SETUID – only swaps the user – group(s) remain
Where to look in audit journal entries
• Two user profile fields in the header of each audit journal
entry
• xxUSER is the Job user
• xxUSPF is the Current user
Comparing Adopted authority and Profile Swap
Adopted authority | Profile swap
Attribute of a program | Invoked via APIs
Available for as long as the program that’s adopting is in the call stack | Available unless/until the profile is swapped back to the original
Current user stays the same | Current user is changed
Can always examine the Current user (xxUSPF) field in the audit entry | May need to look in the Current user (xxUSPF) field or the Job user (xxUSER) field of the audit entry, depending on how the swap occurred
Program owner’s group(s) authority is not available | Profile’s groups are also swapped in
Limited capability is not adopted | Limited capability is swapped in
Ignored by the IFS | Can be used to access objects in the IFS
Spooled files owned by current user | Spooled files owned by swapped-to user
Controlling Access to Printed Output
Special authorities
Special Authority | Definition
*AUDIT | Auditing configuration
*IOSYSCFG | Communications configuration and mgmt
*JOBCTL | Mgmt of any job on the system
*SAVSYS | Ability to save and restore any object on the system – or the entire system – regardless of authority to the object
*SECADM | Create/Change/Delete user profiles
*SERVICE | Ability to use Service Tools
*SPLCTL | Access to every spooled file on the system regardless of authority to the outq
*ALLOBJ | Access to EVERY object on the system. It is not possible to prevent an *ALLOBJ user from accessing an object.
Factors that affect spool file security
• Special authorities
– *SPLCTL
– *JOBCTL
• Users’ authority to the outq itself
• Attributes of the outq
– Display data
– Authority check
– Operator control
Special authorities
• *SPLCTL
– Equivalent of *ALLOBJ for spooled files
– Cannot prevent someone with *SPLCTL from seeing any
spooled file on the system
• *JOBCTL
– If the OPRCTL attribute of outq is *YES (default) then
• Anyone with *JOBCTL can:
– Hold, change, delete, release the outq
– CHGOUTQ, CLROUTQ, HLDOUTQ, RLSOUTQ, STRPRTWTR, STRRMTWTR
– *JOBCTL and OPRCTL(*YES) allows management of the outq
itself but not the contents
Who can see the output – Display Data (DSPDTA)
• Controls who can run:
– Display Spooled File (DSPSPLF)
– Copy Spooled File (CPYSPLF)
– Send Spooled File (SNDNETSPLF)
– Change Spooled File Attributes (CHGSPLFA) to move the spooled file between outqs
• If DSPDTA = *NO (default) then one of the following must be true to be able to display, send, or copy a spooled file owned by someone else:
– OPRCTL is *YES, and user has *JOBCTL special authority
– AUTCHK is *DTAAUT, and user has *CHANGE authority to the outq
– AUTCHK is *OWNER, and the user trying to perform the operation owns the outq
• If DSPDTA = *YES then
– Users with *READ to the output queue can display, copy, or send a spooled file owned by someone else.
– Remember *PUBLIC defaults to *CHANGE
• If DSPDTA = *OWNER then
– Only the owner of the spooled file (or a user with *SPLCTL special authority) can display, copy, send or move the file.
– If OPRCTL is *YES and the user has *JOBCTL, the user can manage the outq but not display the contents
Who can manage others’ spooled files – Authority Check (AUTCHK)
• Controls who can run:
– Change Spooled File Attributes (CHGSPLFA)
– Delete Spooled File (DLTSPLF)
– Hold Spooled File (HLDSPLF)
– Release Spooled File (RLSSPLF)
– Change Output Queue (CHGOUTQ)
– Clear Output Queue (CLROUTQ)
– Hold Output Queue (HLDOUTQ)
– Release Output Queue (RLSOUTQ)
• If AUTCHK = *OWNER (default) then
– Only the owner of the outq can manage the spooled files of others
• If AUTCHK = *DTAAUT then
– Users with *READ, *ADD, and *DLT authority (or *CHANGE authority) to the
outq can manage spooled files owned by others.
Scenario 1
• HR Department prints reports with salary information. Only
the users in the HR Department should be able to see these
reports and manage how and when they're printed. Create
the outq with the following attributes:
CRTOUTQ OUTQ(HR_LIB/HR_OUTQ) DSPDTA(*YES) OPRCTL(*NO) +
AUTCHK(*OWNER) AUT(*EXCLUDE)
• Have the HR group own the outq so they can manage the
spooled files as well as start the writer to print the
documents.
CHGOBJOWN OBJ(HR_LIB/HR_OUTQ) OBJTYP(*OUTQ) +
NEWOWN(HR_GROUP)
Scenario 2
• Accounting Department prints confidential reports, but the
operators need to manage the spooled files and route them
to the writer loaded with the appropriate form. Create the
outq with the following attributes:
– CRTOUTQ OUTQ(ACCT_LIB/ACCT_OUTQ) DSPDTA(*OWNER) +
OPRCTL(*YES) AUTCHK(*OWNER) AUT(*EXCLUDE)
• Grant authority to Accounting so they can use the outq:
– GRTOBJAUT OBJ(ACCT_LIB/ACCT_OUTQ) OBJTYP(*OUTQ) +
USER(ACCT_GRP) AUT(*CHANGE)
Summary - leaving everything at the defaults
• Default settings
– DSPDTA(*NO)
– AUTCHK(*OWNER)
– OPRCTL(*YES)
• Users with *JOBCTL can manage (start and stop) all writers
and spooled files (hold, release, etc.)
• Users who do not have *JOBCTL will only be able to see
and manage their own spooled files.
• Users with *SPLCTL can see all output and manage all
writers regardless of the outq settings.
General points
• Can always manage the spooled files you created
• Authorities on the queue apply to all spooled files in the
queue
– Cannot change the authority of a specific spooled file
• Spooled files are always owned by the profile creating the
spooled file
– Cannot change the ownership of an individual spooled file
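As an added example, not from the presentation: the DSPDTA, AUTCHK and OPRCTL rules from the Display Data and Authority Check slides, together with the *SPLCTL and *JOBCTL behaviour from the summary and the "can always manage the spooled files you created" rule from the general points, written as a small Python decision model and applied to Scenario 1, Scenario 2 and the default settings. The user names, the SYSADMIN profile assumed to own the Accounting and default queues, the spooled file owners and the single-rank authority levels (*USE standing for *READ, *CHANGE standing for *READ, *ADD and *DLT) are constructed assumptions; the model is written from the slides, not from IBM's implementation.

```python
"""Model of the output queue attribute rules on these slides (DSPDTA, AUTCHK, OPRCTL,
*SPLCTL, *JOBCTL), applied to the two scenarios and the default settings.
Constructed illustration, not IBM's implementation; outq authority is a single rank."""
from dataclasses import dataclass, field

RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}  # *USE carries *READ; *CHANGE carries *READ/*ADD/*DLT


@dataclass
class User:
    name: str
    groups: tuple = ()
    special: frozenset = frozenset()  # e.g. frozenset({"*JOBCTL"}) or frozenset({"*SPLCTL"})


@dataclass
class OutQ:
    owner: str
    dspdta: str = "*NO"      # default
    autchk: str = "*OWNER"   # default
    oprctl: str = "*YES"     # default
    aut: dict = field(default_factory=lambda: {"*PUBLIC": "*CHANGE"})  # *PUBLIC defaults to *CHANGE


@dataclass
class SplF:
    owner: str  # spooled files are always owned by the profile that created them


def owns_outq(user, outq):
    return outq.owner == user.name or outq.owner in user.groups


def outq_authority(user, outq):
    """Simplified lookup: the owner has *ALL; else the user's private authority, else a group's, else *PUBLIC."""
    if owns_outq(user, outq):
        return "*ALL"
    for name in (user.name, *user.groups):
        if name in outq.aut:
            return outq.aut[name]
    return outq.aut.get("*PUBLIC", "*EXCLUDE")


def operator_control(user, outq):
    return outq.oprctl == "*YES" and "*JOBCTL" in user.special


def can_manage(user, outq, splf):
    """CHGSPLFA/DLTSPLF/HLDSPLF/RLSSPLF on a spooled file in this outq."""
    if "*SPLCTL" in user.special or splf.owner == user.name:
        return True  # *SPLCTL covers every spooled file; you can always manage your own
    if operator_control(user, outq):
        return True
    if outq.autchk == "*OWNER":
        return owns_outq(user, outq)
    return RANK[outq_authority(user, outq)] >= RANK["*CHANGE"]  # AUTCHK(*DTAAUT): *READ, *ADD and *DLT


def can_display(user, outq, splf):
    """DSPSPLF/CPYSPLF/SNDNETSPLF on a spooled file in this outq."""
    if "*SPLCTL" in user.special or splf.owner == user.name:
        return True
    if outq.dspdta == "*OWNER":
        return False  # only the owner or *SPLCTL; *JOBCTL can manage the outq but not see contents
    if outq.dspdta == "*YES" and RANK[outq_authority(user, outq)] >= RANK["*USE"]:
        return True   # *READ to the outq is enough
    # DSPDTA(*NO): one of the management conditions must hold
    if operator_control(user, outq):
        return True
    if outq.autchk == "*DTAAUT":
        return RANK[outq_authority(user, outq)] >= RANK["*CHANGE"]
    return owns_outq(user, outq)


# Constructed users and spooled files
HR_USER = User("HRUSER1", groups=("HR_GROUP",))
ACCT_USER = User("ACCT1", groups=("ACCT_GRP",))
OPERATOR = User("OPER1", special=frozenset({"*JOBCTL"}))
SPOOL_ADMIN = User("SPLADM", special=frozenset({"*SPLCTL"}))
SOMEONE = User("USER9")
HR_REPORT = SplF(owner="HRUSER2")    # a colleague's report in the HR outq
ACCT_REPORT = SplF(owner="ACCT2")    # a colleague's report in the Accounting outq

# Scenario 1: CRTOUTQ ... DSPDTA(*YES) OPRCTL(*NO) AUTCHK(*OWNER) AUT(*EXCLUDE), then CHGOBJOWN to HR_GROUP
HR_OUTQ = OutQ(owner="HR_GROUP", dspdta="*YES", oprctl="*NO", autchk="*OWNER", aut={"*PUBLIC": "*EXCLUDE"})
# Scenario 2: CRTOUTQ ... DSPDTA(*OWNER) OPRCTL(*YES) AUTCHK(*OWNER) AUT(*EXCLUDE), GRTOBJAUT ACCT_GRP *CHANGE
# (the creating profile, here a constructed SYSADMIN, keeps ownership)
ACCT_OUTQ = OutQ(owner="SYSADMIN", dspdta="*OWNER", oprctl="*YES", autchk="*OWNER",
                 aut={"*PUBLIC": "*EXCLUDE", "ACCT_GRP": "*CHANGE"})
DEFAULT_OUTQ = OutQ(owner="SYSADMIN")  # everything left at the defaults


def matrix(outq, splf):
    """Who can (display, manage) someone else's spooled file in this outq."""
    return {u.name: (can_display(u, outq, splf), can_manage(u, outq, splf))
            for u in (HR_USER, ACCT_USER, OPERATOR, SPOOL_ADMIN, SOMEONE)}


if __name__ == "__main__":
    for label, outq, splf in (("HR", HR_OUTQ, HR_REPORT), ("ACCT", ACCT_OUTQ, ACCT_REPORT),
                              ("DEFAULT", DEFAULT_OUTQ, ACCT_REPORT)):
        print(label, matrix(outq, splf))
```

The results to check against the scenarios: in HR_OUTQ the operator with *JOBCTL can neither see nor manage the salary reports, because OPRCTL(*NO) takes *JOBCTL out of the picture and AUT(*EXCLUDE) leaves no authority to the queue; in ACCT_OUTQ the same operator can hold, release and route the reports but cannot display them, because of DSPDTA(*OWNER); with the defaults the operator can do both, an ordinary user is limited to their own files, and the *SPLCTL user is unaffected by any queue setting, which is the reason the slides suggest using the outq attributes instead of handing out *SPLCTL.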
IBM i Security Reference, Chapter 6
IBM i Security Reference, Appendix D
Application Administration
Application Administration
• App Admin was created to provide a method of controlling
access to a function
• Can control access to features of i Navigator, Navigator for
i, i Access and functions on IBM i, including network access
such as ftp and ODBC
• You can create your own functions, register and control
them as well
Mask i Navigator options
Users can only see Basic Operations
i Navigator view – non-*ALLOBJ user
Customize access
Customize access – con’t
Access customized
Copy customization
Copy customization – con’t
Masking i Access features
Controlling IBM i functions
Allow users with *JOBCTL to view *ALLOBJ joblogs
Controlling network access
Hint: TOOLBOX APPLICATION SERVER ACCESS = ODBC and JDBC
Controlling ODBC / JDBC
Available in V7R1 and PTFed to V6R1
App Admin in Navigator for i
Audit entry - GR
Once the App Admin configuration has been changed,
GR audit journal entries will be generated.
• *CHKUSAGE:
– Function usage was checked for a user and the check passed
• *USAGEFAILURE:
– Function usage was checked for a user and the check failed
WRKFCNUSG
Function Usage APIs
Add function checks to your own applications
http://publib.boulder.ibm.com/eserver/ibmi.html
APIs -> Security -> User function registration APIs
Questions?
www.helpsystems.com
www.helpsystems.com/professional-security-services
800-328-1000 | info@helpsystems.com
Thank you for joining me!
HOST & PRESENTER: Carol Woodbury
VP of Global Security Services