2/24/2014
1
Carol Woodbury, President and Co-Founder
SkyView Partners, Inc
www.skyviewpartners.com
© Copyright SkyView Partners, Inc, 2014. All rights reserved.
Reasons for modifying IFS security
How security differs between the IFS and i5/OS
Tips for re-working security in the IFS
Auditing and the IFS
File shares
More IBM products and third-party apps are implemented in file systems other than QSYS.LIB
◦ WebSphere
◦ iSeries Access
◦ Vendor apps – html for GUI interface, for example
Default access to root (‘/’) is the equivalent of *PUBLIC *ALL and allows inappropriate
◦ Directory creation
◦ Storage of objects: PC backups, movies, music, pictures, etc
Files with private data are created and transmitted and need to be protected
All statements made apply to both /Root and /QOpenSys
Same:
• Authority checking algorithm
• *PUBLIC authority
• Can use authorization lists and private authorities
Different:
• Authority names (*RWX vs *CHANGE)
• Ignores QCRTAUT system value
• Ignores ownership setting in user profile
• Ignores adopted authority
• Need to look in different audit fields
Authorities    *RWX  *RW  *RX  *R  *WX  *W  *X
Object
  *OBJMGT
  *OBJEXIST
  *OBJALTER
  *OBJREF
  *AUTLMGT
Data
  *OBJOPR       X     X    X    X   X    X   X
  *READ         X     X    X    X
  *ADD          X     X              X    X
  *UPD          X     X              X    X
  *DLT          X     X
  *EXECUTE      X          X         X        X
*RWX = Read/Write/Execute (*CHANGE)
*RW = Read/Write
*RX = Read/Execute (*USE)
*R = Read
*WX = Write/Execute
*W = Write
*X = Execute
Need:
• *R to read a file or to list the contents of a directory
• *W to write to a file or add a file to a directory
• *X to traverse through a directory, e.g., ‘/home/cjw’
Managing authorities and ownership
CHGAUT – Change Authority command
Note: the command requires a pathname for the OBJ parameter
WRKAUT – Work with Authority command
Note: the recommended setting for ‘/’ is Data authorities *RX, Object authorities *NONE
Navigate to the file
Right click, choose Permissions
CHGOWN – Change Owner command
Remember: Adopted authority is ignored
Authorize the appropriate user(s) or group(s) to the directory. Often authorizing the directory is sufficient
User has authorization through
◦ *PUBLIC
◦ Individual (private) authority for user or group
◦ Primary group authority
◦ Authorization list
Identify the directory(s) to be secured
Identify which users or processes are required to access the directories
◦ Don’t forget manual processes, batch jobs, etc that write to the directory
Determine how to give them authority
◦ Prefer a private authority to a group or an authorization list
Determine the *PUBLIC authority setting
◦ Usually *EXCLUDE
What authorities are needed?
◦ OBJAUT(*NONE) and DTAAUT(*X) to traverse all directories in a path
◦ OBJAUT(*NONE) and DTAAUT(*RX) to the directory to read or list the contents
◦ OBJAUT(*NONE) and DTAAUT(*RWX) to the directory to create objects into it
◦ OBJAUT(*NONE) and DTAAUT(*WX) to the directory to rename or delete objects
◦ OBJAUT(*OBJMGT) at the object level for objects to copy or rename
◦ OBJAUT(*OBJEXIST) at the object level for objects to delete
IBM directories are generally OK
◦ May want to secure ‘/home’ with OBJAUT(*NONE) DTAAUT(*RX) and create directories for individuals
Do NOT remove private authorities granted to IBM profiles
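The steps above, worked through as a CL program. This is an added example, not code from the deck or from SkyView Partners; the directory ‘/Images/2014/Finance’, the user profile FINUSR and the file report.pdf are constructed placeholders. It grants only what each level of the path needs (*X to traverse, *RWX on the target directory, object authorities only on the object) and sets *PUBLIC to *EXCLUDE on the target tree without touching the private authorities that already exist.

```cl
PGM
/* Added example (not from the original deck). Secure the constructed   */
/* directory '/Images/2014/Finance' for the constructed profile FINUSR.  */

/* 1. *X on every directory in the path so FINUSR can traverse it.      */
/*    *X alone does not allow listing or reading the directory.         */
CHGAUT OBJ('/Images')      USER(FINUSR) DTAAUT(*X) OBJAUT(*NONE)
CHGAUT OBJ('/Images/2014') USER(FINUSR) DTAAUT(*X) OBJAUT(*NONE)

/* 2. *RWX on the target directory: read/list (*R), create (*W),        */
/*    and rename/delete objects in it (*WX).                            */
CHGAUT OBJ('/Images/2014/Finance') USER(FINUSR) DTAAUT(*RWX) +
       OBJAUT(*NONE)

/* 3. Renaming or deleting an individual object also needs object      */
/*    authority on that object (constructed file name).                 */
CHGAUT OBJ('/Images/2014/Finance/report.pdf') USER(FINUSR) +
       DTAAUT(*RW) OBJAUT(*OBJEXIST *OBJMGT)

/* 4. *PUBLIC *EXCLUDE on the target directory and everything already  */
/*    below it. SUBTREE(*ALL) changes only *PUBLIC; private            */
/*    authorities (including those of IBM profiles) are left alone.    */
CHGAUT OBJ('/Images/2014/Finance') USER(*PUBLIC) DTAAUT(*EXCLUDE) +
       OBJAUT(*NONE) SUBTREE(*ALL)

/* 5. Verify: DSPAUT shows owner, *PUBLIC and private authorities.     */
DSPAUT OBJ('/Images/2014/Finance')
ENDPGM
```

The path-level *X grants are the part most often forgotten: a user with *RWX on the leaf directory but no *X on a parent still gets CPFA09C (not authorized) when the path is resolved.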
Ignores the QCRTAUT system value, so how is *PUBLIC set? A new object typically inherits ALL authorities of the directory it is being created into
◦ Authorization list, *PUBLIC, private, etc
Exceptions:
◦ CPYTOIMPF and CPYTOSTMF
  Does not copy private authorities or AUTL
  *PUBLIC and primary group are set to *EXCLUDE
  Owner has *RWX
  Need to change after the create using CHGAUT
◦ V6R1 provides better options on these commands – but not by default
◦ creat(), move(), mkdir() APIs, where the authority can be specified
When using CPYTOSTMF or CPYTOIMPF
Use the new options provided in V6R1
Insert CHGAUT, CHGOWN after CPYTO* command
Use SkyView Policy Minder to fix authorities and ownership
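The second option above (CHGOWN and CHGAUT immediately after the CPYTO* command), as an added example that is not part of the deck or of any SkyView product. The source member PAYLIB/EXPORT(JAN), the target stream file, the application profile APP_PROFILE and the reader profile FINUSR are constructed placeholders. It repairs exactly what the slide says CPYTOSTMF leaves behind: the file is owned by the job user with *RWX, *PUBLIC and primary group are *EXCLUDE, and no private authorities or authorization list were inherited from the directory.

```cl
PGM
/* Added example (not from the original deck). Copy a database member   */
/* to the IFS, then fix the ownership and authorities CPYTOSTMF leaves. */
/* All library, file, path and profile names are constructed.           */

CPYTOSTMF FROMMBR('/QSYS.LIB/PAYLIB.LIB/EXPORT.FILE/JAN.MBR') +
          TOSTMF('/Images/2014/Finance/January/jan.csv') +
          STMFOPT(*REPLACE)

/* The new file is owned by the job user. Move ownership to the        */
/* application profile and revoke the old owner's authority so the     */
/* person who ran the job does not keep *RWX on the data.              */
CHGOWN OBJ('/Images/2014/Finance/January/jan.csv') +
       NEWOWN(APP_PROFILE) RVKOLDAUT(*YES)

/* CPYTOSTMF did not copy the directory's private authorities, so      */
/* grant them explicitly. *PUBLIC is already *EXCLUDE; leave it.       */
CHGAUT OBJ('/Images/2014/Finance/January/jan.csv') +
       USER(FINUSR) DTAAUT(*R) OBJAUT(*NONE)

/* Confirm the result before the file is picked up by anything else.  */
DSPAUT OBJ('/Images/2014/Finance/January/jan.csv')
ENDPGM
```

Because this runs in the same job as the copy, the window during which the file sits with the wrong owner is a few milliseconds rather than until the next nightly fix-up; that is the reason the slide recommends putting the CHGOWN/CHGAUT directly after the CPYTO* command rather than in a separate cleanup job.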
/Images/2014/Finance/January
/Images – Created by (therefore, owned by): Stephan
/Images/2014 – Owner: Pete, Private authority – Stephan
/Images/2014/Finance – Owner: Carol, Private authorities – Stephan, Pete
/Images/2014/Finance/January – Owner: John, Private auts – Stephan, Pete, Carol
/Images/2014/Finance/January/xxxxx.doc – Owner: App_Profile
Images will be owned by App_Profile and each will have a private authority for Stephan, Pete, Carol and John. Discover via PRTPRFINT (Print Profile Internals)
Auditing
CHGAUD – Change Auditing command
*N in the Object Name field of an audit entry indicates the object is a pathname
Pathname is a 5002-character field at the end of the audit journal entry
Must use the CPYAUDJRNE (Copy Audit Journal Entry) command to display it
◦ See iSeries Security Reference manual, Appendix F for the outfile layout
◦ DSPAUDJRNE (Display Audit Journal Entry) does not support pathnames - shows *N
IFS pathnames are not displayed
Creates a file named QAUDITxx where xx is the journal entry type
Make sure *CREATE and *DELETE are specified in the QAUDLVL system value
Query for objects being created into or deleted out of directories
◦ Hint: Query for all objects with *N as the Object Name
This tells you what authority is required for the process to write to the directory, e.g.
◦ *PUBLIC DTAAUT(*EXCLUDE) OBJAUT(*NONE)
◦ FTPDWNLOAD DTAAUT(*RX) OBJAUT(*NONE)
◦ FTPUPLOAD DTAAUT(*RWX) OBJAUT(*NONE)
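The auditing procedure from the last two slides (CHGAUD, CPYAUDJRNE, then a query for *N object names) as one added CL example; it is not from the deck or from SkyView. The directory ‘/Images’ is constructed. The outfile field names COONAM, DOONAM (object name) and COPNAM (pathname) are assumptions about the QASYCOJ5/QASYDOJ5 model outfile layout and should be checked against Appendix F of the Security Reference for the release in use.

```cl
PGM
/* Added example (not from the original deck). Audit a constructed     */
/* directory tree, extract create (CO) and delete (DO) entries, and    */
/* list the ones whose object name is *N, i.e. IFS objects whose       */
/* pathname is in the 5002-character field at the end of the record.   */

/* 1. CO/DO entries are only written when QAUDLVL contains *CREATE and */
/*    *DELETE. Display it; if either is missing, add it with CHGSYSVAL  */
/*    while keeping the values already present (CHGSYSVAL replaces     */
/*    the whole list).                                                  */
DSPSYSVAL SYSVAL(QAUDLVL)

/* 2. Turn on object auditing for the objects that exist in the tree.  */
CHGAUD OBJ('/Images') OBJAUD(*ALL) SUBTREE(*ALL)

/* 3. Copy the CO and DO entries from the current receiver chain into  */
/*    QTEMP. CPYAUDJRNE appends the entry type to the outfile name, so  */
/*    this creates QTEMP/QAUDITCO and QTEMP/QAUDITDO.                   */
CPYAUDJRNE ENTTYP(CO DO) OUTFILE(QTEMP/QAUDIT) JRNRCV(*CURCHAIN)

/* 4. Keep only the IFS entries (object name *N). Field names are     */
/*    assumed from the model outfiles; verify them in Appendix F.      */
RUNQRY QRYFILE((QTEMP/QAUDITCO)) QRYSLT('COONAM *EQ "*N"')
RUNQRY QRYFILE((QTEMP/QAUDITDO)) QRYSLT('DOONAM *EQ "*N"')
ENDPGM
```

The user profile and job name in each CO/DO record identify which process is creating or deleting objects in the directory; that list, not the application documentation, is what decides which profiles get DTAAUT(*RWX) or DTAAUT(*WX) when *PUBLIC is later set to *EXCLUDE.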
Miscellaneous
File shares make the directory “available” to the network
Many systems have shared ‘/’
Manage file shares through System i Navigator
Navigate to the directory
Right click
Choose Sharing, New sharing to define a new share
A hand underneath the folder indicates a share
Shares can be Read only or Read/Write. The underlying i5/OS authorities on the object determine final access
Hints for controlling:
◦ Secure the QZLSADFS (Add file share) and QZLSCHFS (Change file share) APIs – set them to *PUBLIC *EXCLUDE
◦ Add a $ to hide the share from Windows Network Neighborhood (won’t be broadcast/discoverable), e.g., root$
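The first hint above (securing the share-management APIs), as an added CL example that is not from the deck or from SkyView. SHRADMIN is a constructed profile name for whoever is allowed to define shares; QZLSADFS and QZLSCHFS are the program objects in QSYS that the slide names.

```cl
PGM
/* Added example (not from the original deck). Restrict who can add   */
/* or change NetServer file shares by securing the APIs themselves.    */
/* SHRADMIN is a constructed profile name.                             */

/* Close the APIs to everyone ...                                      */
GRTOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(QSYS/QZLSCHFS) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)

/* ... then open them only to the profile that administers shares.     */
GRTOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM) USER(SHRADMIN) AUT(*USE)
GRTOBJAUT OBJ(QSYS/QZLSCHFS) OBJTYPE(*PGM) USER(SHRADMIN) AUT(*USE)

/* Confirm the result.                                                 */
DSPOBJAUT OBJ(QSYS/QZLSADFS) OBJTYPE(*PGM)
DSPOBJAUT OBJ(QSYS/QZLSCHFS) OBJTYPE(*PGM)
ENDPGM
```

Profiles with *ALLOBJ special authority are unaffected by these grants, so this control is only as strong as the list of *ALLOBJ users on the system; a share added by a regular user after this change will fail the authority check on the API and show up as an AF (authority failure) audit entry if *AUTFAIL is in QAUDLVL.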
No authority means no access to the QSYS.LIB file system using Explorer or System i Navigator.
Ignored when using other interfaces, e.g., FTP or ODBC
Ships with *PUBLIC *USE
Consider *EXCLUDE when root is shared
Open the system name-> Network-> Servers-> TCP/IP
Right click on iSeries NetServer choose Properties
Right click on NetServer.
Choose Open
Use this to discover sessions connecting through various file shares
Right click on NetServer.
Choose Disabled User IDs
• Only the NetServer profile is disabled, NOT the IBM i profile.
• Message CPIB682 is sent to QSYSOPR for disabled NetServer users
• Enable through i Navigator or the NetServer commands
http://www-03.ibm.com/systems/i/software/netserver/qusrtool.html
Click on the Security tab
Click on Next Start
Guest profiles allow users to connect to the system and access any object available to *PUBLIC without an i5/OS signon
• White paper – “Virus Got you Down?” http://www.skyviewpartners.com/assets/Uploads/pdf/Virus-Got-You-Down.pdf
• IBM i Security Reference manual
◦ Appendix D
• PTF MF55660 (changes how disabled NetServer profiles are enabled)
• IBM i Security Administration and Compliance by Carol Woodbury