Difference between revisions of "Security Basics"

From MidrangeWiki
(Wayne Evans)
 
(28 intermediate revisions by 4 users not shown)
[[Category:Security]]
See [[General Computer Security]] for info and links about Security outside of the IBM i community.

== Security 400 Professionals ==

=== Wayne Evans ===
* Wayne O. Evans http://www.woevans.com/ is a former IBM 400 Security Architecture specialist who now has his own 400 Security Consulting firm
** He advises us to get a more secure web browser than Microsoft IE
** He does 400 Security columns and seminars
** OS/400 Security Education and Training
*** Security/400 FAQ http://woevans.freeyellow.com/Qst_Ans.pdf
** OS/400 Security Review Audit
** OS/400 Security Training
*** NetQ PentaSafe Training

=== Milt Habek ===
Milt is CEO of UPI, which markets many security solutions for the 400.

== Security Tools ==
* GO SECTOOLS
* GO SECBATCH

== Security Wizard ==
* Access via [[Operations Navigator]]
** Warning: although the wizard is aimed at administrators new to IBM i or to security, consult the most experienced IBM i security professional on-site before changing any security settings.
** Changing a security setting affects how objects function while the change is in effect, and some of those effects remain after you change the setting back again.

== Security [[Commands]] ==
* Most functions of the security commands can also be done with [[Operations Navigator]].

=== User Profile ===
* GO CMDPRF
* GO CMDUSR
* [[CHGPRF]]
* [[CHGUSRPRF]]
* [[CRTUSRPRF]]
* [[DSPUSRPRF]]
* [[DSPAUTUSR]]
* [[WRKUSRPRF]]

=== Password ===
* GO CMDPWD
* [[CHGPWD]] change password
* [[CHKPWD]] makes the user re-enter the password that was used to sign on to the system

=== Object Authority ===
* GO CMDAUT
* [[GRTOBJAUT]]
* [[RVKOBJAUT]]
* [[GRTUSRAUT]]
* [[EDTOBJAUT]]

=== Objects Owned ===
* GO CMDOWN
* [[CHGOBJOWN]]
* [[WRKOBJOWN]]

=== Authorization List ===
* GO CMDAUTL
* [[ADDAUTLE]]
* [[CRTAUTL]]
* [[DLTAUTL]]
* [[DSPAUTL]]
* [[DSPAUTLOBJ]]
* [[EDTAUTL]]
* [[RMVAUTLE]]
* [[WRKAUTL]]

=== Adopted Authority ===
* [[DSPPGMADP]] Display Program Adopt
** Specify a user profile and get a list of the programs that adopt that user's authority.
* [[PRTADJOBJ]] Print Adopting Objects
** Specify a user profile, *ALL or a generic user (QP*) and get a printout of the objects that adopt that user's authority.

=== Spooled files ===
The scenario: want to stop programmers from using a production OUTQ.

If the developers have either *JOBCTL or *SPLCTL, and the OPRCTL(*YES) parameter is specified on the OUTQ, the developers will be able to use and work with the OUTQ. One way to correct this is to turn the OPRCTL parameter on the OUTQ to *NO.

Assuming programmers have *JOBCTL, here is what I would do....

# Make the OUTQ OPRCTL(*NO)
# Create a Group Profile for all developers
# Add the Group Profile to the OUTQ with an authority of *EXCLUDE
# Give the authorized user Group(s) *CHANGE (authorized users could be *PUBLIC now that the programmers are excluded.)
# If there are any *JOBCTL or *SPLCTL users (SysOpers?) who you want to be able to manage the OUTQ, give them *CHANGE authority as well.

Thanks to John Earl via Midrange-L 21 Apr 2010
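The five steps above, carried out as CL commands. This is an added example, not part of the wiki page or of John Earl's post; the library PRODLIB, output queue PRODOUTQ, group profile DEVGRP, developer profile DEV1 and operator profile SYSOPR are constructed names. It relies on the post's assumption that the developers hold *JOBCTL and not *SPLCTL: OPRCTL(*NO) removes the *JOBCTL override of the queue's object authority, but *SPLCTL lets a user control every output queue regardless of the queue's authorities or its OPRCTL setting, so a developer with *SPLCTL is not stopped by any of these steps.

```cl
/* Added example (not from the wiki page or John Earl's post): lock a     */
/* production output queue against developers who hold *JOBCTL.            */
/* PRODLIB, PRODOUTQ, DEVGRP, DEV1 and SYSOPR are constructed names.        */

/* Step 1: stop *JOBCTL from overriding the queue's object authority.       */
CHGOUTQ OUTQ(PRODLIB/PRODOUTQ) OPRCTL(*NO)

/* Step 2: a group profile for developers. PASSWORD(*NONE) means nobody    */
/* can sign on as the group itself; membership comes from GRPPRF.          */
CRTUSRPRF USRPRF(DEVGRP) PASSWORD(*NONE) TEXT('Developer group profile')
CHGUSRPRF USRPRF(DEV1) GRPPRF(DEVGRP)

/* Step 3: exclude the group. Group authority is checked before *PUBLIC,   */
/* so a developer with no private authority to the queue is refused.       */
GRTOBJAUT OBJ(PRODLIB/PRODOUTQ) OBJTYPE(*OUTQ) USER(DEVGRP) AUT(*EXCLUDE)

/* Step 4: everyone else may use the queue now that developers are out.    */
GRTOBJAUT OBJ(PRODLIB/PRODOUTQ) OBJTYPE(*OUTQ) USER(*PUBLIC) AUT(*CHANGE)

/* Step 5: an operator with *JOBCTL who still has to manage the queue      */
/* needs explicit *CHANGE, because OPRCTL(*NO) no longer grants it.        */
GRTOBJAUT OBJ(PRODLIB/PRODOUTQ) OBJTYPE(*OUTQ) USER(SYSOPR) AUT(*CHANGE)

/* Check the result: expect DEVGRP *EXCLUDE, SYSOPR *CHANGE, *PUBLIC *CHANGE */
DSPOBJAUT OBJ(PRODLIB/PRODOUTQ) OBJTYPE(*OUTQ)
```

A private authority granted directly to a developer's own profile would take precedence over the group's *EXCLUDE, so the DSPOBJAUT output is worth reading for stray private entries, and DSPUSRPRF on the developer profiles confirms none of them carries *SPLCTL.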
== Security System Values ==
WRKSYSVAL SYSVAL(*SEC)

Working with system values dealing with security should be done carefully. One should read the latest information at the IBM Knowledge Center at [http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzarl/rzarlsysval.htm Security system values].

=== QPWDMAXLEN ===
In addition to the information available at [http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzarl/rzarlmaxpwd.htm Maximum Length of Passwords (QPWDMAXLEN)], one should be aware of these considerations when going above 8 characters:
* [http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710 Configuring the IBM i SSH, SFTP, and SCP Clients to Use Public-Key Authentication]
* There were also some issues involving the "File Transfer Subroutine" (QY2FTML), but documentation on that is hard to find.
* If you find any other concerns, then by all means, please update this page.
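The commands a practitioner would run before and after raising QPWDMAXLEN, as an added example that is not from the wiki page. It goes one step beyond the text: the largest value QPWDMAXLEN accepts depends on the password level system value QPWDLVL (at most 10 at levels 0 and 1, up to 128 at levels 2 and 3, with a QPWDLVL change taking effect only at the next IPL), so the level is displayed first. The new maximum 14 is a constructed sample value.

```cl
/* Added example, not from the wiki page: inspect the password level       */
/* before raising QPWDMAXLEN. The value 14 is a constructed sample.         */

/* The page's own entry point: every security-related system value.        */
WRKSYSVAL SYSVAL(*SEC)

/* QPWDLVL gates the maximum: 0/1 allow at most 10, 2/3 allow up to 128.    */
DSPSYSVAL SYSVAL(QPWDLVL)

/* Current limits; QPWDMINLEN must stay at or below QPWDMAXLEN.            */
DSPSYSVAL SYSVAL(QPWDMAXLEN)
DSPSYSVAL SYSVAL(QPWDMINLEN)

/* Raise the maximum. A value above 10 is rejected at QPWDLVL 0 or 1.      */
CHGSYSVAL SYSVAL(QPWDMAXLEN) VALUE('14')

/* Confirm, then print the security attributes as the change record.        */
DSPSYSVAL SYSVAL(QPWDMAXLEN)
PRTSYSSECA
```

The new maximum is enforced when a password is next set or changed; passwords already in place keep working, which is why the client-side considerations listed above (SSH, SFTP and SCP clients) surface only as users start choosing longer passwords.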

Latest revision as of 18:52, 24 August 2016