Difference between revisions of "Security Basics"

From MidrangeWiki
Jump to: navigation, search
(Objects Owned)
 
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
[[Category:Security]]
 
[[Category:Security]]
See [[General Computer Security]] for info and links about Security outside of the 400.
+
See [[General Computer Security]] for info and links about Security outside of the IBM i community.
 +
== Security Tools ==
 +
* GO SECTOOLS
 +
* GO SECBATCH
 +
== Security Wizard ==
 +
* Access via [[Operations Navigator]]
 +
** Warning ... while this is for administrators new to IBM i or Security, before changing any security settings, it is advisable to consult with the most experienced IBM i security professional on-site.
 +
** You can change security settings, but while they are changed, they affect how objects function, including how they function after you change settings back again.
 
== Security [[Commands]] ==
 
== Security [[Commands]] ==
 
* Most functions of Security Commands, can also be done with [[Operations Navigator]]
 
* Most functions of Security Commands, can also be done with [[Operations Navigator]]
Line 16: Line 23:
 
* GO CMDPWD
 
* GO CMDPWD
 
* [[CHGPWD]] change password
 
* [[CHGPWD]] change password
* [[CHKPWD]] makes user re-enter password that was used to sign onto the 400
+
* [[CHKPWD]] makes user re-enter password that was used to sign onto the system
  
 
=== Object Authority ===
 
=== Object Authority ===
Line 31: Line 38:
  
 
=== Authorization List ===
 
=== Authorization List ===
 +
* GO CMDAUTL
 +
* [[ADDAUTLE]]
 +
* [[CRTAUTL]]
 +
* [[DLTAUTL]]
 +
* [[DSPAUTL]]
 +
* [[DSPAUTLOBJ]]
 +
* [[EDTAUTL]]
 +
* [[RMVAUTLE]]
 +
* [[WRKAUTL]]
 +
 
=== Adopted Authority ===
 
=== Adopted Authority ===
* [[DSPGMADP]] Display Program Adopt
+
* [[DSPPGMADP]] Display Program Adopt
 
** Specify a user profile and get a list of the programs that adopt that user's authority.
 
** Specify a user profile and get a list of the programs that adopt that user's authority.
 +
* [[PRTADJOBJ]] Print Adopting Objects
 +
** Specify a user profile, *ALL or generic user(QP*) and get a printout of objects that adopt user's authority.
  
== Security 400 Professionals ==
 
 
=== Wayne Evans ===
 
 
* Wayne O. Evans http://www.woevans.com/ is a former IBM 400 Security Architecture specialist http://woevans.freeyellow.com/WOEBIO.html who now has his own 400 Security Consulting firm
 
** He designed many of the security features of the 400 and its predecssor machines, also many 400 features in addition to security
 
** He advises us to get a more secure web browser than Microsoft IE
 
** He does 400 Security columns and seminars
 
*** He has a book out with a collection of his 400 Security articles
 
** OS/400 Security Education and Training
 
*** Security/400 FAQ
 
http://woevans.freeyellow.com/Qst_Ans.pdf
 
**** Biggest threats to overall 400 security
 
**** Best Practices
 
**** What can be done at the Sign On Screen
 
**** How secure are 400 passwords
 
**** Why security level 40
 
**** Security 400 auditing
 
**** [[Client Access]]
 
**** [[Operations Navigator]]
 
**** Exit Programs
 
**** Authorization Lists
 
**** ODBC
 
**** [[Encryption 400]]
 
**** How evaluate security software vendors
 
**** VPN interesting factoid
 
***** The use of VPN (Virtual Private Network) causes all traffic over the VPN to be encrypted.
 
***** [[User:Al Mac|Al Mac]] notes that this may not help if Spyware gets onto the PC of the person using VPN to access the 400
 
**** and lots more
 
 
*** Other downloads available http://www.woevans.com/My_Homepage_Files/Page3.html such as
 
**** step by step instructions to improve your 400 Security
 
**** sample Security Policy
 
**** Security related software
 
**** History of 400 and predecessor machines
 
** OS/400 Security Review Audit
 
** OS/400 Security Training
 
*** NetQ PentaSafe Training
 
** His links to Security 400 user groups, discussion forums, and related info http://www.woevans.com/My_Homepage_Files/Page1.html
 
*** 400 user groups in gneral http://www.woevans.com/usergroups.html
 
 
=== Milt Habek of UPI ===
 
 
Milt is CEO of Unbeaten Path International [[UPI]] http://www.unbeatenpathintl.com/ which markets many security solutions for the 400, and stuff for [[ERP]] such as [[BPCS]].
 
  
* IT Security Assurance Navigation http://www.unbeatenpathintl.com/ITsecure/source/1.html Has articles on
+
=== Spooled files ===
** why we need better security
+
The scenario: want to stop programmers from using a production OUTQ.
** gov regulation and compliance needs
 
* Sarbanes Oxley SOX Info
 
* Security Compliance Products from UPI http://www.unbeatenpathintl.com/compliancecatalog/source/1.html
 
** Bill of Health http://www.unbeatenpathintl.com/BOH/source/1.html
 
*** This software examines the security of your 400 and provides a report listing what needs to be fixed.  Then after you have resolved some issues, run it again.  Use this to document to auditors that you making progress with your 400 security remediation.
 
** [[BPCS]] Security Enhancements http://www.unbeatenpathintl.com/SOXstuffers/source/1.html
 
*** Auditor's Handbook http://www.unbeatenpathintl.com/audhand.html
 
**** Most [[ERP]] users have assumptions about how their software works, that can be unfounded, leading to a pattern of human error and misconceptions.  This manual addresses [[BPCS]] gotchas and such areas of common miconceptions to help an Audotr who may not be a [[BPCS]] expert see where to look to see if any given customer site has the kinds of errors typical to many [[BPCS]] sites.
 
*** Batten Down the Hatches http://www.unbeatenpathintl.com/battendown/source/1.html
 
**** [[BPCS}} has been around for a while, with many versions out there, whose security was Ok when they first came out, but as the computer security threat world has evolved, we have growing needs to alter how package security functions.
 
**** [[SSA]] has step by step instructions how to fix [[BPCS]] security, which can be a major ordeal to implement
 
**** or we can buy the UPI rapid implementation solution
 
*** By Invitation Only http://www.unbeatenpathintl.com/BIOnly-start/source/1.html
 
**** [[BPCS]] Security can be a pain in the neck to manage.  This product simplifies the task, and rapidly produces management-friendly reports.
 
*** Locksmith Archiving http://www.unbeatenpathintl.com/locksmith_bpcs/source/1.html
 
**** As we get more and more data, there can be performance problems, leading some sites to want to upgrade 400 to a faster box, in which the biggest expense can be a new CPU key from [[SSA]].
 
**** A much more economical solution is to archive from the [[BPCS]] files the oldest data, so it is still available if needed, but not a drag on performance when acceessing the most recent data
 
*** Many other [[BPCS]] enhancements to be written up in some section other than Security area
 
** No Seams for HIPPA electronic security http://www.unbeatenpathintl.com/HIPAAstart/source/1.html
 
** NO Seams for UCCNet Integrity from LANSA http://www.unbeatenpathintl.com/UCCnet-directapp.htm
 
** Stitch in Time http://www.unbeatenpathintl.com/award/source/1.html
 
*** This monitors who messed with critical data when doing what ... you decide which files and fields need monitoring
 
** Tight as a Drum http://www.unbeatenpathintl.com/tightasadrum/source/1.html
 
*** This addresses software change management
 
  
=== Sky View ===
+
If the developers have either *JOBCTL or *SPLCTL, and the OPRCTL(*YES)
 +
parameter is specified on the OUTQ, the developers will be able to use
 +
and work with the OUTQ.  One way to correct this is to turn the OPRCTL
 +
parameter on the OUTQ to *NO.
  
One of the founders of Skyview is '''''Carol Woodbury''''', who is also one of the mothers of [[IBM]] 400 Security architecture, former Chief Security Architect for OS/400 for IBM and one of the leading authorities on OS/400 security.
+
Assuming programmers have *JOBCTL, here is what I would do....  
  
http://www.skyviewpartners.com/java-skyviewp/index.jsp
+
# Make the OUTQ *OPRCTL(*NO)
 +
# Create a Group Profile for all developers
 +
# Add the Group Profile to the OUTQ with an authority of *EXCLUDE
 +
# Give the authorized user Group(s) *CHANGE (authorized users could be *PUBLIC now that the programmers are excluded.)
 +
# If there are any *JOBCTL or *SPLCTL users (SysOpers?) who you want to be able to manage the OUTQ, give them *CHANGE authority as well.  
  
Skyview offers 400 Security and [[General Computer Security]] info
+
Thanks to John Earl via Midrange-L 21 Apr 2010
* education
+
== Security System Values ==
* assessment
+
WRKSYSVAL SYSVAL(*SEC)
* security tools
+
Working with system values dealing with security should be done carefully.  One should read the latest information at the IBM Knowledge Center at [http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzarl/rzarlsysval.htm Security system values]
* remediation services
+
=== QPWDMAXLEN ===
* compliance info about gov regulations
+
In addition to the information available at [http://www.ibm.com/support/knowledgecenter/en/ssw_ibm_i_73/rzarl/rzarlmaxpwd.htm Maximum Length of Passwords (QPWDMAXLEN)] one should be aware of these considerations when going above 8 characters:
* white papers
+
* [http://www-01.ibm.com/support/docview.wss?uid=nas8N1012710 Configuring the IBM i SSH, SFTP, and SCP Clients to Use Public-Key Authentication]
 +
* There were some things dealing with "File Transfer Subroutine" (QY2FTML) but try to find documentation on that.
 +
* If you find any other concerns, then by all means, please update this page.

Latest revision as of 18:52, 24 August 2016

See General Computer Security for info and links about Security outside of the IBM i community.

Security Tools

  • GO SECTOOLS
  • GO SECBATCH

Security Wizard

  • Access via Operations Navigator
    • Warning ... while this is for administrators new to IBM i or Security, before changing any security settings, it is advisable to consult with the most experienced IBM i security professional on-site.
    • You can change security settings, but while they are changed, they affect how objects function, including how they function after you change settings back again.

Security Commands

User Profile

Password

  • GO CMDPWD
  • CHGPWD change password
  • CHKPWD makes user re-enter password that was used to sign onto the system

Object Authority

Objects Owned

Authorization List

Adopted Authority

  • DSPPGMADP Display Program Adopt
    • Specify a user profile and get a list of the programs that adopt that user's authority.
  • PRTADJOBJ Print Adopting Objects
    • Specify a user profile, *ALL or generic user(QP*) and get a printout of objects that adopt user's authority.


Spooled files

The scenario: want to stop programmers from using a production OUTQ.

If the developers have either *JOBCTL or *SPLCTL, and the OPRCTL(*YES) parameter is specified on the OUTQ, the developers will be able to use and work with the OUTQ. One way to correct this is to turn the OPRCTL parameter on the OUTQ to *NO.

Assuming programmers have *JOBCTL, here is what I would do....

  1. Make the OUTQ *OPRCTL(*NO)
  2. Create a Group Profile for all developers
  3. Add the Group Profile to the OUTQ with an authority of *EXCLUDE
  4. Give the authorized user Group(s) *CHANGE (authorized users could be *PUBLIC now that the programmers are excluded.)
  5. If there are any *JOBCTL or *SPLCTL users (SysOpers?) who you want to be able to manage the OUTQ, give them *CHANGE authority as well.

Thanks to John Earl via Midrange-L 21 Apr 2010

Security System Values

WRKSYSVAL SYSVAL(*SEC) Working with system values dealing with security should be done carefully. One should read the latest information at the IBM Knowledge Center at Security system values

QPWDMAXLEN

In addition to the information available at Maximum Length of Passwords (QPWDMAXLEN) one should be aware of these considerations when going above 8 characters: