Chapter 11: Security and Security System Values
Understanding AS/400 System Operations

Security: Two Broad Areas
- Physical security.
- Data security.
Data Security: Three Broad Areas
- System level.
- User profiles.
- Object.
System Security Level (QSECURITY)
- Security Level 20 (SL20): User ID and password required. Full access.
- Security Level 30 (SL30): Complete system security. Valid user ID and password required. Access to objects by authority. Most common.
- Security Level 40 (SL40): Level 30 plus prevention of applications using "unauthorized" low-level programming techniques.
- Security Level 50 (SL50): "C2" (Department of Defense). Only users given explicit access can access objects. Programs end abnormally if they access low-level functions, or use AS/400 APIs or functions in unauthorized ways.
User Profiles
- All user profiles reside in the system library, QSYS.

A User Profile Defines
- Basic security information.
- Special authorities granted.
- Job processing information: job queue, output queue, initial program or menu to call, current library.
Components of a User Profile
IBM Default User Profiles
- Security Officer: QSECOFR. Unlimited access to objects.
- System Administrator: no profile provided. Creates and maintains user profiles.
- System Operator: QSYSOPR. Controls jobs and print files; backup and restore functions.
- Programmers: QPGMR. Broad access to development libraries.
- Users: QUSER. End user.
Special Service User Profiles
- QSRV: Services (all functions). This is the profile that the person who services the AS/400 will use.
- QSRVBAS: Services (limited functions).
Additional IBM-supplied User Profiles
Not to be used by users; used internally to perform special functions.
- QAUTPROF: IBM general authority profile.
- QBRMS: Backup Recovery Media (BRM) profile.
- QDBSHR: Database share profile.
- QDFTOWN: All objects on the AS/400 must be owned by a legitimate user. If a user profile is no longer valid, ownership of its objects is changed to QDFTOWN.
- QDOC: Document profile.
- QDSNX: Distributed system node executive.
- QFNC: Finance profile.
- QGATE: User profile to bridge into PROFS (VM/MVS on mainframes).
- QLPAUTO: Licensed program auto-installation user.
- QLPINSTALL: Licensed program installation user.
- QMSF: Mail server framework profile.
- QNETSPLF: Network spooling profile.
- QNFSANON: NFS user profile.
- QSNADS: SNADS user.
- QSPL: Spooling user.
- QSPLJOB: Spooling readers/writers job user profile.
- QSYS: Internal system user.
- QTCP: TCP/IP user.
Special Authorities
Special authorities are user-based. Here is what they do:
- *ALLOBJ: Can do anything to any object. Reserved for the security officer (SECOFR). Overrides all private/public authorities.
- *AUDIT: Control auditing.
- *IOSYSCFG: Change system configuration.
- *JOBCTL: Manage jobs running on the system. Given to system operators.
- *SAVSYS: Perform backup/restore.
- *SECADM: Create and alter user profiles. *SECADM allows a user to:
  - Create, change, and delete user profiles.
  - Add users to a distribution list.
  - Work with access to documents/folders.
  - Control access to the system.
  - Change security-related system values and network attributes.
- *SERVICE: Service and dump functions. Run service functions like System Service Tools (SST).
- *SPLCTL: Manage output queues. Can browse only output queues that are not restricted.
User Class
The user class sets the user's default special authorities and controls which menu options are shown. The classes are:
- *SECOFR
- *SECADM
- *PGMR
- *SYSOPR
- *USER
Class Special Authorities
Figure 11-1: Special authorities granted to user classes in SL20 AS/400s.
Figure 11-2: Special authorities granted to user classes in all other AS/400 security levels.
Object Security (Authorities)
Users are named on an object in several forms:
- Ownership.
- Named users and specific authorities.
- Authorization lists.
- Public authority.

Ownership: Single and Group
Four categories:
- The person who created the object.
- Previous owners' authorities.
- The group user profile of the creator.
- The user to whom ownership was transferred.

Object Management Authorities
- Operational: can use the object as determined by the other specific authorities.
- Management: can specify security for the object, and move or rename it.
- Existence: can delete the object, change its owner, free its storage, and perform save/restore functions on it.
- Authority List Management: can attach an authorization list to objects.
- Alter: can change attributes of database files or add/remove stored triggers.
- Reference: can name a database table as the parent in a referential integrity relationship.

Data Authorities
- *READ: Can read the contents of objects.
- *ADD: Can add to the contents of objects.
- *UPD: Can change the contents of objects.
- *DLT: Can delete all or part of an object's contents.
- *EXECUTE: Can execute the object.

Four Pre-defined Specific Authorities
- *ALL: All management and all data authorities.
- *CHANGE: Object operational authority and all data authorities.
- *USE: Operational, read, and execute authorities. Cannot add, change, or delete the object's contents.
- *EXCLUDE: No access.
Figure 11-3: System authority structure.
Adopted Authority
Authority can be adopted in one of two ways:
- On program creation, by specifying it on the USRPRF parameter.
- After the program has been created, with the Change Program (CHGPGM) command:

    CHGPGM <library>/<program name> USEADPAUT(*YES)
System Values and System Security
- QAUDLVL: Keeping a security audit.
- QAUTOVRT: Auto-configuration of virtual devices.
- QDSPSGNINF: Sign-on display information control.
- QINACTITV: Inactive job time-out interval.
- QINACTMSGQ: Inactive job message queue.
- QLMTDEVSSN: Limit device sessions.
- QLMTSECOFR: Limit security officer device access.
- QMAXSIGN: Maximum sign-on attempts.
- QMAXSGNACN: Action when maximum sign-on attempts is reached.
- QPWDEXPITV: Password expiration interval.
- QPWDLMTAJC: Limit adjacent characters in password.
- QPWDLMTREP: Limit repeated characters in password.
- QPWDLMTCHR: Invalid password characters.
- QPWDMAXLEN: Maximum password length.
- QPWDMINLEN: Minimum password length.
- QPWDPOSDIF: Force all new password characters to be different.
- QPWDRQDDGT: Force the use of at least one number in a password.
- QPWDRQDDIF: Expired password must be changed.
- QPWDVLDPGM: User program to validate passwords.
- QRETSVRSEC: Retain server security data.
- QSECURITY: Security level.
- QUSEADPAUT: Use adopted authority.
Security Menu

                                 SECURITY                    Security
                                                             System:   BIGBLUE
    Select one of the following:

         1. Work with object authority
         2. Work with authorization lists
         3. Office security
         4. Change your password
         5. Change your user profile
         6. Work with user profiles
         7. Work with system values
         8. Security tools

        70. Related commands

    Selection or command
    ===> ___________________________________________________________________

    F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel   F13=Information Assistant
    F16=AS/400 Main menu
                            (C) COPYRIGHT IBM CORP. 1980, 1998.

Figure 11-4: Security menu.
Changing Default User IDs' Passwords

                   Change Passwords for IBM-Supplied Users
                                                             System:   BIGBLUE
    Type new password below for IBM-supplied user, type password again to
    verify change, then press Enter.

    New security officer (QSECOFR) password . . . . .
      New password (to verify) . . . . . . . . . . .
    New system operator (QSYSOPR) password  . . . . .
    New programmer (QPGMR) password . . . . . . . . .
    New user (QUSER) password . . . . . . . . . . . .
    New service (QSRV) password . . . . . . . . . . .
                                                                      More...
    F1=Help   F3=Exit   F5=Refresh   F12=Cancel

Figure 11-5: Screen from Setup menu to change IBM-supplied passwords.
User-profile Commands
- CRTUSRPRF: Create user profile.
- CHGUSRPRF: Change user profile.
- DLTUSRPRF: Delete user profile.
- DSPUSRPRF: Display user profile.
- RSTUSRPRF: Restore user profile.
- RTVUSRPRF: Retrieve user profile information (CL programs only).
Create User Profile Screen 1

                         Create User Profile (CRTUSRPRF)

    Type choices, press Enter.

    User profile . . . . . . . . . .             Name
    User password  . . . . . . . . .   *USRPRF   Name, *USRPRF, *NONE
    Set password to expired  . . . .   *NO       *NO, *YES
    Status . . . . . . . . . . . . .   *ENABLED  *ENABLED, *DISABLED
    User class . . . . . . . . . . .   *USER     *USER, *SYSOPR, *PGMR...
    Assistance level . . . . . . . .   *SYSVAL   *SYSVAL, *BASIC, *INTERMED...
    Current library  . . . . . . . .   *CRTDFT   Name, *CRTDFT
    Initial program to call  . . . .   *NONE     Name, *NONE
      Library  . . . . . . . . . . .             Name, *LIBL, *CURLIB
    Initial menu . . . . . . . . . .   MAIN      Name, *SIGNOFF
      Library  . . . . . . . . . . .   *LIBL     Name, *LIBL, *CURLIB
    Limit capabilities . . . . . . .   *NO       *NO, *PARTIAL, *YES
    Text 'description' . . . . . . .   *BLANK    _________________________

                                                                      Bottom
    F3=Exit   F4=Prompt   F5=Refresh   F10=Additional parameters   F12=Cancel
    F13=How to use this display        F24=More keys

Figure 11-6: Prompted version of command CRTUSRPRF (screen 1).
Create User Profile Screen 2

                         Create User Profile (CRTUSRPRF)

    Type choices, press Enter.

                               Additional Parameters

    Special authority  . . . . . . .   *USRCLS   *USRCLS, *NONE, *ALLOBJ...
                   + for more values
    Special environment  . . . . . .   *SYSVAL   *SYSVAL, *NONE, *S36
    Display sign-on information  . .   *SYSVAL   *SYSVAL, *NO, *YES
    Password expiration interval . .   *SYSVAL   1-366, *SYSVAL, *NOMAX
    Limit device sessions  . . . . .   *SYSVAL   *SYSVAL, *YES, *NO
    Keyboard buffering . . . . . . .   *SYSVAL   *SYSVAL, *NO, *TYPEAHEAD...
    Maximum allowed storage  . . . .   *NOMAX    Kilobytes, *NOMAX
    Highest schedule priority  . . .   3         0-9
    Job description  . . . . . . . .   QDFTJOBD  Name
      Library  . . . . . . . . . . .   *LIBL     Name, *LIBL, *CURLIB
    Group profile  . . . . . . . . .   *NONE     Name, *NONE
    Owner  . . . . . . . . . . . . .   *USRPRF   *USRPRF, *GRPPRF
                                                                      More...
    F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
    F24=More keys

Figure 11-7: Prompted version of command CRTUSRPRF, Additional Parameters (screen 2 of 4).
Create User Profile Screen 3

                         Create User Profile (CRTUSRPRF)

    Type choices, press Enter.

    Group authority  . . . . . . . .   *NONE     *NONE, *ALL, *CHANGE, *USE...
    Group authority type . . . . . .   *PRIVATE  *PRIVATE, *PGP
    Supplemental groups  . . . . . .   *NONE     Name, *NONE
                   + for more values
    Accounting code  . . . . . . . .   *BLANK
    Document password  . . . . . . .   *NONE     Name, *NONE
    Message queue  . . . . . . . . .   *USRPRF   Name, *USRPRF
      Library  . . . . . . . . . . .             Name, *LIBL, *CURLIB
    Delivery . . . . . . . . . . . .   *NOTIFY   *NOTIFY, *BREAK, *HOLD, *DFT
    Severity code filter . . . . . .   0         0-99
    Print device . . . . . . . . . .   *WRKSTN   Name, *WRKSTN, *SYSVAL
    Output queue . . . . . . . . . .   *WRKSTN   Name, *WRKSTN, *DEV
    Attention program  . . . . . . .   *SYSVAL   Name, *NONE, *SYSVAL, *ASSIST
                                                                      More...
    F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
    F24=More keys

Figure 11-7: Prompted version of command CRTUSRPRF (screen 3 of 4).
Create User Profile Screen 4

                         Create User Profile (CRTUSRPRF)

    Type choices, press Enter.

    Sort sequence  . . . . . . . . .   *SYSVAL   Name, *SYSVAL, *HEX...
      Library  . . . . . . . . . . .             Name, *LIBL, *CURLIB
    Language ID  . . . . . . . . . .   *SYSVAL   *SYSVAL...
    Country ID . . . . . . . . . . .   *SYSVAL   *SYSVAL...
    Coded character set ID . . . . .   *SYSVAL   *SYSVAL, *HEX...
    Character identifier control . .   *SYSVAL   *SYSVAL, *DEVD, *JOBCCSID
    Locale job attributes  . . . . .   *SYSVAL   *SYSVAL, *NONE, *CCSID...
                   + for more values
    Locale . . . . . . . . . . . . .   *SYSVAL
    User options . . . . . . . . . .   *NONE     *NONE, *CLKWD, *EXPERT...
    User ID number . . . . . . . . .   *GEN      1-4294967294, *GEN
    Group ID number  . . . . . . . .   *NONE     1-4294967294, *NONE, *GEN
    Home directory . . . . . . . . .   *USRPRF
                                                                      More...
    F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
    F24=More keys

Figure 11-9: Partial prompted version of command CRTUSRPRF (screen 4 of 4).
Object Security Screen 1

                              Edit Object Authority

    Object . . . . . . . :   MSTFLE          Owner  . . . . . . . :   NEWGRP
      Library  . . . . . :     MDAWSON       Primary group  . . . :   *NONE
    Object type  . . . . :   *FILE

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   *NONE

                            Object
    User        Group       Authority
    NEWGRP                  *ALL
    *PUBLIC                 *CHANGE

Figure 11-10: Displaying object authority on MSTFLE.
Object Security Screen 2

                              Edit Object Authority

    Object . . . . . . . :   MSTFLE          Owner  . . . . . . . :   MDAWSON
      Library  . . . . . :     MDAWSON       Primary group  . . . :   *NONE
    Object type  . . . . :   *FILE

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   *NONE

                            Object
    User        Group       Authority
    NEWGRP                  *ALL
    MDAWSON                 *CHANGE
    *PUBLIC                 *CHANGE

Figure 11-11: Displaying object MSTFLE's authorities.
Object Security Screen 3

                              Edit Object Authority

    Object . . . . . . . :   MSTFLE          Owner  . . . . . . . :   MDAWSON
      Library  . . . . . :     MDAWSON       Primary group  . . . :   NEWGRP
    Object type  . . . . :   *FILE

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   *NONE

                            Object
    User        Group       Authority
    NEWGRP                  *ALL
    MDAWSON                 *CHANGE
    *PUBLIC                 *CHANGE

Figure 11-11: Displaying object MSTFLE's authorities.
Edit Object Authority

                         Edit Object Authority (EDTOBJAUT)

    Type choices, press Enter.

    Object . . . . . . . . . . . . .   OPRLIB    Name
      Library  . . . . . . . . . . .   *LIBL     Name, *LIBL, *CURLIB
    Object type  . . . . . . . . . .   *LIB      *ALRTBL, *AUTL, *BNDDIR...

                                                                      Bottom
    F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
    F24=More keys

Figure 11-13: The Edit Object Authority screen.
OPRLIB Object Authorities

                              Edit Object Authority

    Object . . . . . . . :   OPRLIB          Owner  . . . . . . . :   HOHLY#M
      Library  . . . . . :     QSYS          Primary group  . . . :   *NONE
    Object type  . . . . :   *LIB

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   *NONE

                            Object
    User        Group       Authority
    HOHLY#M                 *ALL
    QSYSOPR                 USER DEF
    OPR0060                 *CHANGE
    OPR0059                 *USE
    *PUBLIC                 *EXCLUDE

                                                                      Bottom
    F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
    F11=Display detail object authorities   F12=Cancel   F17=Top   F18=Bottom

Figure 11-14: Object authorities of OPRLIB. Point out that different users have authorities to this object. The authorities shown are predefined authorities; on the next screen we will see the specific authorities they consist of.
OPRLIB Object Authorities (detail: object authorities)

                              Edit Object Authority

    Object . . . . . . . :   OPRLIB          Owner  . . . . . . . :   HOHLY#M
      Library  . . . . . :     QSYS          Primary group  . . . :   *NONE
    Object type  . . . . :   *LIB

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   *NONE

                            Object      ----------Object-----------
    User        Group       Authority   Opr  Mgt  Exist  Alter  Ref
    HOHLY#M                 *ALL         X    X     X      X     X
    QSYSOPR                 USER DEF     X    _     _      _     _
    OPR0060                 *CHANGE      X    _     _      _     _
    OPR0059                 *USE         X    _     _      _     _
    *PUBLIC                 *EXCLUDE     _    _     _      _     _

                                                                      Bottom
    F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
    F11=Display data authorities   F12=Cancel   F17=Top   F18=Bottom

Figure 11-15: Object authorities of OPRLIB. Point out the object authorities associated with the pre-defined authorities.
OPRLIB Object Authorities (detail: data authorities)

                              Edit Object Authority

    Object . . . . . . . :   OPRLIB          Owner  . . . . . . . :   HOHLY#M
      Library  . . . . . :     QSYS          Primary group  . . . :   *NONE
    Object type  . . . . :   *LIB

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   *NONE

                            Object      ---------------Data---------------
    User        Group       Authority   Read  Add  Update  Delete  Execute
    HOHLY#M                 *ALL         X     X     X       X       X
    QSYSOPR                 USER DEF     X     _     _       _       _
    OPR0060                 *CHANGE      X     X     X       X       X
    OPR0059                 *USE         X     _     _       _       X
    *PUBLIC                 *EXCLUDE     _     _     _       _       _

                                                                      Bottom
    F3=Exit   F5=Refresh   F6=Add new users   F10=Grant with reference object
    F11=Nondisplay detail   F12=Cancel   F17=Top   F18=Bottom

Figure 11-15: Data authorities of OPRLIB. Point out the data authorities associated with the pre-defined authorities.
Sample Authorization List

                            Edit Authorization List

    Object . . . . . . . :   MCAUTLST        Owner  . . . . . . . :   PGM
      Library  . . . . . :     QSYS          Primary group  . . . :   *NONE

    Type changes to current authorities, press Enter.

                Object      List
    User        Authority   Mgt
    PGM         *ALL         X
    BWEBER      *USE         _
    HOHLY#M     *ALL         _
    *PUBLIC     *EXCLUDE     _

Figure 11-17: Sample authorization list, MCAUTLST, displayed using the EDTAUTL command.
Authorization List Objects

                       Display Authorization List Objects

    Authorization list . . . . . . . . :   MCAUTLST
      Library  . . . . . . . . . . . . :     QSYS
    Owner  . . . . . . . . . . . . . . :   PGM
    Primary group  . . . . . . . . . . :   *NONE

                                              Primary
    Object      Library     Type   Owner     group     Text
    ONERPGPGM   MDAWSON     *PGM   PGM       *NONE     One RPG program
    STARTUP     MDAWSON     *PGM   PGM       *NONE     PROGRAM to start sub

Figure 11-17: Result of pressing F15 from Figure 11-17 (EDTAUTL): objects that use the authorization list MCAUTLST.
Object Authority

                              Edit Object Authority

    Object . . . . . . . :   STARTUP         Owner  . . . . . . . :   PGM
      Library  . . . . . :     MDAWSON       Primary group  . . . :   *NONE
    Object type  . . . . :   *PGM

    Type changes to current authorities, press Enter.

      Object secured by authorization list  . . . . . . . . . . . .   MCAUTLST

                            Object
    User        Group       Authority
    JJCRONEY                *ALL
    *GROUP      PGM         *ALL
    *PUBLIC                 *EXCLUDE

Figure 11-19: Object authority from the object's viewpoint.
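As an added illustration (not from the book), the Python below models how the pre-defined authorities *ALL, *CHANGE, *USE and *EXCLUDE expand into the object and data authority columns of the OPRLIB screens (Figure 11-15), and how object entries, a group entry, an authorization list and *PUBLIC combine for the MCAUTLST and STARTUP screens (Figures 11-17 and 11-19). The lookup order it uses (the user's own entry, then group entries, then *PUBLIC, with the authorization list consulted only when the object itself has no entry) is an assumed simplification of the real OS/400 algorithm; the sample objects and users are taken from the figures.

```python
# Added example, not the book's code: a simplified model of AS/400 object
# authority resolution. The lookup order (user, groups, *PUBLIC; authorization
# list consulted when the object has no entry for that principal) is an
# assumption, not the exact OS/400 algorithm.

OBJECT_AUTH = {"Opr", "Mgt", "Exist", "Alter", "Ref"}
DATA_AUTH = {"Read", "Add", "Update", "Delete", "Execute"}

PREDEFINED = {                        # columns marked X in Figure 11-15
    "*ALL": OBJECT_AUTH | DATA_AUTH,
    "*CHANGE": {"Opr"} | DATA_AUTH,
    "*USE": {"Opr", "Read", "Execute"},
    "*EXCLUDE": set(),
}

def expand(authority):
    """A predefined name, or a USER DEF entry given as an explicit set."""
    return set(PREDEFINED[authority]) if isinstance(authority, str) else set(authority)

class AuthorizationList:
    def __init__(self, name, entries):
        self.name, self.entries = name, entries   # {user/group/*PUBLIC: authority}

class SecuredObject:
    def __init__(self, name, entries, autl=None):
        self.name, self.entries, self.autl = name, entries, autl

def lookup(obj, principal):
    """The object's own entry wins; otherwise the authorization list's entry."""
    if principal in obj.entries:
        return expand(obj.entries[principal])
    if obj.autl is not None and principal in obj.autl.entries:
        return expand(obj.autl.entries[principal])
    return None

def effective_authority(obj, user, groups=(), special=()):
    """First matching entry for the user, then the user's groups, then *PUBLIC."""
    if "*ALLOBJ" in special:          # *ALLOBJ overrides private and public authority
        return set(PREDEFINED["*ALL"])
    for principal in (user, *groups, "*PUBLIC"):
        found = lookup(obj, principal)
        if found is not None:
            return found
    return set()

def allowed(obj, user, required, groups=(), special=()):
    """True when every required authority is held (e.g. {"Read", "Execute"})."""
    return set(required) <= effective_authority(obj, user, groups, special)

# Constructed from the OPRLIB, MCAUTLST and STARTUP screens in this chapter.
OPRLIB = SecuredObject("OPRLIB", {
    "HOHLY#M": "*ALL", "QSYSOPR": {"Opr", "Read"}, "OPR0060": "*CHANGE",
    "OPR0059": "*USE", "*PUBLIC": "*EXCLUDE"})
MCAUTLST = AuthorizationList("MCAUTLST", {
    "PGM": "*ALL", "BWEBER": "*USE", "HOHLY#M": "*ALL", "*PUBLIC": "*EXCLUDE"})
STARTUP = SecuredObject("STARTUP", {
    "JJCRONEY": "*ALL", "PGM": "*ALL", "*PUBLIC": "*EXCLUDE"}, autl=MCAUTLST)
```

With these objects, `allowed(STARTUP, "BWEBER", {"Execute"})` is true only because of the MCAUTLST entry, while a user with no entry anywhere falls through to *PUBLIC *EXCLUDE and gets nothing.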