Security Considerations for the Cloud - LISUG Security

2/24/2014

Carol Woodbury, President and Co-Founder

SkyView Partners, Inc

www.skyviewpartners.com

© Copyright SkyView Partners, Inc, 2014. All rights reserved.

Reasons for modifying IFS security

How security differs between the IFS and i5/OS

Tips for re-working security in the IFS

Auditing and the IFS

File shares



More IBM products and third-party apps are implemented in file systems other than QSYS.LIB:

◦ WebSphere

◦ iSeries Access

◦ Vendor apps – html for GUI interface, for example

Default access to root (‘/’) is the equivalent of *PUBLIC *ALL and allows inappropriate:

◦ Directory creation

◦ Storage of objects – PC backups, movies, music, pictures, etc.

Files with private data are created and transmitted and need to be protected


All statements made apply to both /Root and /QOpenSys



Same:

• Authority checking algorithm

• *PUBLIC authority

• Can use authorization lists and private authorities

Different:

• Authority names (*RWX vs *CHANGE)

• Ignores QCRTAUT system value

• Ignores ownership setting in user profile

• Ignores adopted authority

• Need to look in different audit fields


Authorities        *RWX  *RW  *RX  *R  *WX  *W  *X
Object
  *OBJMGT
  *OBJEXIST
  *OBJALTER
  *OBJREF
  *AUTLMGT
Data
  *OBJOPR          X     X    X    X   X    X   X
  *READ            X     X    X    X
  *ADD             X     X              X    X
  *UPD             X     X              X    X
  *DLT             X     X
  *EXECUTE         X          X         X        X


*RWX = Read/Write/Execute (*CHANGE)

*RW = Read/Write

*RX = Read/Execute (*USE)

*R = Read

*WX = Write/Execute

*W = Write

*X = Execute

Need:

• *R to read a file or to list the contents of a directory

• *W to write to a file or add a file to a directory

• *X to traverse through a directory, e.g., ‘/home/cjw’


Managing authorities and ownership


CHGAUT – Change Authority command

Note: the command requires a pathname for the OBJ parameter


WRKAUT – Work with Authority command

Note: the recommended setting for ‘/’ is Data authorities *RX, Object authorities *NONE
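As an added example (not taken from the slides), the CL that applies the recommended ‘/’ setting with CHGAUT and then verifies it with DSPAUT. OBJ takes a pathname, as the note on CHGAUT says; the values used here are the ones recommended above.

```cl
/* Added example: set the recommended *PUBLIC authority on root ('/'). */
/* Data authority *RX lets everyone read the directory listing and     */
/* traverse it; object authority *NONE stops anyone managing, renaming */
/* or deleting the root directory itself. SUBTREE(*NONE) leaves the    */
/* directories already under '/' untouched.                            */
CHGAUT OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*NONE)

/* Verify: DSPAUT shows owner, *PUBLIC, primary group and private     */
/* authorities of a path object, so the change can be confirmed        */
/* without System i Navigator.                                         */
DSPAUT OBJ('/')
```

Run DSPAUT before the change as well; the before/after listing is the evidence that only *PUBLIC was touched and that private authorities held by IBM profiles are still in place.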


Navigate to the file

Right click, choose Permissions


CHGOWN – Change Owner command


Remember: Adopted authority is ignored

Authorize the appropriate user(s) or group(s) to the directory. Often authorizing the directory is sufficient

User has authorization through:

◦ *PUBLIC

◦ Individual (private) authority for user or group

◦ Primary group authority

◦ Authorization list


Identify directory(s) to be secured

Identify which users or processes are required to access the directories

◦ Don’t forget manual processes, batch jobs, etc. that write to the directory

Determine how to give them authority

◦ Prefer private authority to a group or an authorization list

Determine *PUBLIC authority setting

◦ Usually *EXCLUDE


What authorities are needed?

◦ OBJAUT(*NONE) and DTAAUT(*X) to traverse all directories in a path

◦ OBJAUT(*NONE) and DTAAUT(*RX) to the directory to read or list the contents

◦ OBJAUT(*NONE) and DTAAUT(*RWX) to the directory to create objects into it

◦ OBJAUT(*NONE) and DTAAUT(*WX) to the directory to rename or delete objects

◦ OBJAUT(*OBJMGT) at the object level for objects to copy or rename

◦ OBJAUT(*OBJEXIST) at the object level for objects to delete

IBM directories are generally OK

◦ May want to secure ‘/home’ with OBJAUT(*NONE) DTAAUT(*RX) and create directories for individuals

Do NOT remove private authorities granted to IBM profiles
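The steps above (identify the directory, identify who needs it, grant private authority, set *PUBLIC) and the authority table before them, worked through as an added CL example that is not from the slides. The directory ‘/appdata/inbound’ and the profiles APPOWNER, FTPUPLOAD and FTPDWNLOAD are constructed names; the last two are reused from the audit example later in the deck.

```cl
/* Added example: secure one application directory end to end.        */
/* Path and profile names are constructed for illustration.            */

/* 1. Ownership: make the application profile owner of the directory  */
/*    and everything already inside it. RVKOLDAUT(*NO) keeps the       */
/*    previous owner's authority instead of silently removing it.      */
CHGOWN OBJ('/appdata/inbound') NEWOWN(APPOWNER) RVKOLDAUT(*NO) SUBTREE(*ALL)

/* 2. *PUBLIC: *EXCLUDE on the secured directory, but *X on the parent */
/*    so authorized users can still traverse the path to reach it.     */
CHGAUT OBJ('/appdata') USER(*PUBLIC) DTAAUT(*X) OBJAUT(*NONE)
CHGAUT OBJ('/appdata/inbound') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)

/* 3. Private authorities that match what each process actually does: */
/*    the uploader creates files (*RWX), the downloader only reads and */
/*    lists (*RX). Object authority stays *NONE on the directory;      */
/*    *OBJEXIST or *OBJMGT is granted per object only where a process  */
/*    must delete or rename objects it does not own.                   */
CHGAUT OBJ('/appdata/inbound') USER(FTPUPLOAD) DTAAUT(*RWX) +
       OBJAUT(*NONE) SUBTREE(*ALL)
CHGAUT OBJ('/appdata/inbound') USER(FTPDWNLOAD) DTAAUT(*RX) +
       OBJAUT(*NONE) SUBTREE(*ALL)

/* 4. Check the result before the processes run again.                */
DSPAUT OBJ('/appdata/inbound')
```

Step 2 is the part most often missed: with *PUBLIC *EXCLUDE on the parent, even a profile holding *RWX on ‘/appdata/inbound’ cannot reach it, because traversal of every directory in the path needs *X.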


Ignores QCRTAUT system value, so how is *PUBLIC set? Typically a new object inherits ALL authorities of the directory it’s being created into

◦ Authorization list, *PUBLIC, private, etc.

Exceptions:

◦ CPYTOIMPF and CPYTOSTMF

  Does not copy private authorities or AUTL

  *PUBLIC and primary group are set to *EXCLUDE

  Owner has *RWX

  Need to change after the create using CHGAUT

◦ V6R1 provides better options on these commands – but not by default

◦ creat(), move(), mkdir() APIs where the authority can be specified


When using CPYTOSTMF or CPYTOIMPF

Use the new options provided in V6R1

Insert CHGAUT, CHGOWN after CPYTO* command

Use SkyView Policy Minder to fix authorities and ownership
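An added CL example (not from the slides) of the second recommendation: a CPYTOSTMF followed immediately by CHGOWN and CHGAUT, so the stream file does not sit with owner *RWX and *PUBLIC *EXCLUDE and nothing else. The library, file, paths and profiles are constructed; the V6R1 authority options on CPYTOSTMF are not shown here.

```cl
/* Added example: CPYTOSTMF creates the stream file with owner *RWX,  */
/* *PUBLIC and primary group *EXCLUDE, and no private authorities or  */
/* authorization list, regardless of what the target directory has.   */
/* Names below are constructed for illustration.                       */
CPYTOSTMF FROMMBR('/QSYS.LIB/APPLIB.LIB/EXPORT.FILE/EXPORT.MBR') +
          TOSTMF('/appdata/outbound/export.csv') STMFOPT(*REPLACE)

/* Fix ownership first: the file is owned by the job that ran the copy */
/* (often an operator or batch profile), not by the application.       */
CHGOWN OBJ('/appdata/outbound/export.csv') NEWOWN(APPOWNER) RVKOLDAUT(*NO)

/* Re-apply what the directory would have given the file had it been   */
/* created any other way: the consuming profile needs *R on a file     */
/* (read only; *X matters for directories, not for reading a file).    */
CHGAUT OBJ('/appdata/outbound/export.csv') USER(FTPDWNLOAD) +
       DTAAUT(*R) OBJAUT(*NONE)

/* *PUBLIC is already *EXCLUDE after the copy; confirm the end state.  */
DSPAUT OBJ('/appdata/outbound/export.csv')
```

Put the three commands in the same CL program or job stream as the copy; a CHGAUT run from a separate scheduled job leaves a window in which the file exists but the consuming process cannot read it, which shows up as intermittent failures rather than as a security finding.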


/Images/2014/Finance/January

/Images – Created by (therefore, owned by): Stephan

/Images/2014 – Owner: Pete, Private authority – Stephan

/Images/2014/Finance – Owner: Carol, Private authorities – Stephan, Pete

/Images/2014/Finance/January – Owner: John, Private auts – Stephan, Pete, Carol

/Images/2014/Finance/January/xxxxx.doc – Owner: App_Profile

Images will be owned by App_Profile and each will have a private authority for Stephan, Pete, Carol and John. Discover this via PRTPRFINT (Print Profile Internals).

Auditing


CHGAUD – Change Auditing command


*N in the Object Name field of an audit entry indicates the object is a pathname

Pathname is a 5002 character field at the end of the audit journal entry

Must use CPYAUDJRNE (Copy Audit Journal Entry) command to display

◦ See iSeries Security Reference manual, Appendix F for outfile layout

◦ DSPAUDJRNE (Display Audit Journal Entry) does not support pathnames – shows *N


DSPAUDJRNE output: IFS pathnames are not displayed


CPYAUDJRNE creates a file named QAUDITxx where xx is the journal entry type


Make sure *CREATE and *DELETE are specified in QAUDLVL system value

Query for objects being created into or deleted out of directories

◦ Hint: Query for all objects with *N as the Object Name

This tells you what authority is required for the process to write to the directory, e.g.:

◦ *PUBLIC DTAAUT(*EXCLUDE) OBJAUT(*NONE)

◦ FTPDWNLOAD DTAAUT(*RX) OBJAUT(*NONE)

◦ FTPUPLOAD DTAAUT(*RWX) OBJAUT(*NONE)
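The auditing procedure above (QAUDLVL, CHGAUD, CPYAUDJRNE, then a query on *N entries) as one added CL example that is not from the slides. The directory is the constructed ‘/appdata/inbound’; the outfile field names in the RUNQRY selection are placeholders in angle brackets, because the real column names come from the Appendix F layout the slides point to.

```cl
/* Added example: find out who creates and deletes objects in a       */
/* directory, to work out the authority each process really needs.    */

/* Pre-requisite: QAUDLVL (or QAUDLVL2) must include *CREATE and      */
/* *DELETE. Display it rather than overwriting it: CHGSYSVAL replaces  */
/* the whole list, so add the values to what is already there.        */
DSPSYSVAL SYSVAL(QAUDLVL)

/* Audit every access to the directory and everything below it.       */
/* OBJAUD(*CHANGE) would record only changes, not reads.              */
CHGAUD OBJ('/appdata/inbound') OBJAUD(*ALL) SUBTREE(*ALL)

/* Copy CO (create object) and DO (delete object) entries from the    */
/* current receiver chain. The outfiles are QTEMP/QAUDITCO and        */
/* QTEMP/QAUDITDO, per the QAUDITxx naming noted earlier, and they    */
/* include the long pathname field that DSPAUDJRNE cannot show.       */
CPYAUDJRNE ENTTYP(CO DO) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)

/* Select the IFS entries: object name *N. <...> names are placeholders */
/* for the user, object-name and pathname columns from Appendix F.    */
RUNQRY QRYFILE((QTEMP/QAUDITCO)) QRYSLT('<OBJECT_NAME_FIELD> *EQ "*N"')
RUNQRY QRYFILE((QTEMP/QAUDITDO)) QRYSLT('<OBJECT_NAME_FIELD> *EQ "*N"')
```

Group the CO rows by user and pathname: a profile that only ever appears in CO entries for a directory needs *RWX on that directory and nothing at the object level, while one that shows up in DO entries for objects it does not own is the case where *OBJEXIST on the objects (or *WX plus ownership) is actually required.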


Miscellaneous


File shares make the directory “available” to the network

Many systems have shared ‘/’

Manage file shares through System i Navigator


Navigate to the directory

Right click

Choose Sharing, New sharing to define a new share

A hand underneath the folder indicates a share


Shares can be Read only or Read/Write

Underlying i5/OS authorities on the object determine final access

Hints for controlling:

◦ Secure the QZLSADFS (Add file share) and QZLSCHRS (Change file share) APIs – set to *PUBLIC *EXCLUDE

◦ Add a $ to the share name to hide the share from Windows Network Neighborhood (it won’t be broadcast/discoverable), e.g., root$
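The first hint, as an added CL example that is not from the slides: the share APIs are *PGM objects in QSYS, so ordinary object authority controls who can call them. QZLSADFS is the name given on the slide; SHAREADM is a constructed profile for the people who are allowed to manage shares.

```cl
/* Added example: restrict share creation to one administrative       */
/* profile by locking down the NetServer add-share API program.       */
/* SHAREADM is a constructed profile name.                            */
GRTOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM) USER(SHAREADM) AUT(*USE)

/* Repeat the same two commands for the change-share API the slide    */
/* names, so an existing share cannot be widened either.              */

/* Verify who can still call it.                                      */
DSPOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM)
```

Two caveats when reading the DSPOBJAUT output: a profile with *ALLOBJ special authority is unaffected by this *EXCLUDE, and the Navigator sharing dialog runs these APIs under the signed-on user's profile, which is exactly why securing the program objects stops the GUI path as well.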


No authority – no access to QSYS.LIB file system using Explorer or System i Navigator.

Ignored when using other interfaces, e.g., FTP or ODBC

Ships with *PUBLIC *USE

Consider *EXCLUDE when root is shared


Open the system name -> Network -> Servers -> TCP/IP

Right click on iSeries NetServer choose Properties


Right click on NetServer.

Choose Open

Use this to discover sessions connecting through various file shares


Right click on NetServer.

Choose Disabled User IDs

• Only the NetServer profile is disabled, NOT the IBM i profile.

• Message CPIB682 sent to QSYSOPR for disabled NetServer users

• Enable through i Navigator or NetServer commands

http://www-03.ibm.com/systems/i/software/netserver/qusrtool.html


Click on the Security tab

Click on Next Start

Guest profiles allow users to connect to the system and access any object available to *PUBLIC without an i5/OS signon


• White paper – “Virus Got you Down?” http://www.skyviewpartners.com/assets/Uploads/pdf/Virus-Got-You-Down.pdf

• IBM i Security Reference manual

◦ Appendix D

• PTF MF55660 (changes how disabled NetServer profiles are enabled)

• IBM i Security Administration and Compliance by Carol Woodbury
