AS/400 Security
All you want to know about: Exit Programs
Jim Stracka
PentaSafe
Outline
• Exit Program Overview
  - Why do I need exit programs?
  - What is the purpose of exit programs?
  - If exit programs don't exit, why are they called exit programs?
• Sample exit program: limit file transfer and commands
• Design Alternatives
Security Has Changed
1980s: fixed-function displays; menu security was OK.
  Menu security worked when users had no other access.
Today: remote systems, Internet, e-commerce, PC users.
  Menu security is ineffective for today's environment.
Other Access to Data
Remote systems and the Internet reach data through:
• DDM (Distributed Data Management): file transfer, remote commands
• FTP: file transfer, remote commands
• Shared folders
• Telnet
• IFS (Integrated File System)
Exit programs can restrict these requests.
PC Access to Data
Work-station emulation (fixed-function display) is covered by menu security and messages.
Other PC access paths:
• Printer support
• Shared folders and documents
• Remote commands
• File transfer
• API - data queue
• API - ODBC
• IFS (Integrated File System)
Exit programs can control PC requests.
Why Exit Programs
Can object security be used to protect data?
YES: AS/400 security can lock up data.
HOWEVER: the security design often makes that protection ineffective.
Why Exit Programs
What security designs make object security ineffective?
• Group profile owns objects: the production objects are owned by the group profile, and the end users are members of that group
• Excessive public authority: production data with *PUBLIC *ALL
• Excessive special authority: SPCAUT(*ALLOBJ)
Need to provide additional protection.
Why Exit Programs
• Users are authorized to data because of existing applications
• A need exists to prevent the user from using that access outside of the applications
• Need to provide additional protection
EXIT PROGRAMS provide additional protection for application data.
What are Exit Programs
Exit programs are installation-provided programs used to supplement security.
Actions often performed in exit programs:
• Monitor user activity
• Modify user requests
• Assign a user profile to an anonymous sign-on
• Review the request to determine if it meets installation rules
• Reject requests that do not meet installation rules
The purpose of exit programs is not to exit.
Request Processing
If these programs don't exit, why are they called "Exit Programs"?
Programs are called exit programs because the system (OS/400) exits to a user program in the middle of a request.
1. Another system generates a request
2. The AS/400 server is called to process the request
3. The server calls the "exit program" to validate the request
4. The server rejects or processes the request
Request Processing
The AS/400 server passes PARAMETERS to the user exit program:
1. The server calls the user exit program with parameters
2. The exit program analyzes the parameters
3. The exit program sets the return code
4. The server rejects or performs the request based on the exit program return code
Specifying Exit Programs
How are exit programs specified? There are two methods to name the exit programs:
Network attributes (DDMACC, PCSACC)
• Limited number of request types: Distributed Data Management, PC Support (Client Access)
• One exit program per network attribute
Registration facility
• Multiple request types: distributed data, Client Access, Integrated File System, Internet (FTP, Telnet), security, ...
• Multiple exits, each specific to a function
Specifying Exit Programs: Network Attributes
DDMACC
  *OBJAUT - request access determined by object authority
  *REJECT - prevent all requests
  Lib/Pgm - qualified name of exit program
PCSACC
  *OBJAUT - request access determined by object authority
  *REJECT - prevent all requests
  *REGFAC - use registration facility
  Lib/Pgm - qualified name of exit program
CHGNETA DDMACC(lib/pgm) PCSACC(lib/pgm)
Must have *ALLOBJ special authority to change the network attributes.
Specifying Exit Programs: Registration Facility
WRKREGINF

                     Work with Registration Information
 Type options, press Enter.
   5=Display exit point   8=Work with exit programs

       Exit                    Exit Point
 Opt   Point                   Format     Registered  Text
  _    QIBM_QHQ_DTAQ           DTAQ0100   *YES        Original Data Queue Server
  _    QIBM_QJO_DLT_JRNRCV     DRCV0100   *YES        Delete Journal Receiver
  _    QIBM_QLZP_LICENSE       LICM0100   *YES        Original License Mgmt Server
  _    QIBM_QMF_MESSAGE        MESS0100   *YES        Original Message Server
  _    QIBM_QNPS_ENTRY         ENTR0100   *YES        Network Print Server - entry
  _    QIBM_QNPS_SPLF          SPLF0100   *YES        Network Print Server - spool
  _    QIBM_QOE_OV_USR_ADM     UADM0100   *YES        OfficeVision/400 Administrati
  _    QIBM_QOE_OV_USR_SND     DOCI0900   *YES        OfficeVision/400 Mail Send Ex
  _    QIBM_QOK_NOTIFY         VRFY0100   *YES        System Directory Notify Exit
  _    QIBM_QOK_SUPPLIER       SUPL0100   *YES        System Directory Supplier Exi
  _    QIBM_QOK_VERIFY         VRFY0100   *YES        System Directory Verify Exit
                                                                         More...
 Command
 ===>
 F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel

Type option 8 (Work with exit programs) next to an exit point to see and change the programs registered for it.
Specifying Exit Programs: Registration Facility

                          Work with Exit Programs
 Exit point:  QIBM_QLZP_LICENSE        Format:  LICM0100
 Type options, press Enter.
   1=Add   4=Remove   5=Display   10=Replace

       Exit          Exit
 Opt   Program       Program       Library
       Number
  _    ___________   ___________   ___________
       (No exit programs found.)
                                                                         Bottom
 Command
 ===>
 F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve   F12=Cancel

Type option 1 (Add) and enter exit program PROG1 in library MYLIB. When a request arrives, PROG1 will be called.
Exit Points
What exit points are used for a specific request? What are the parameters passed to an exit?
Exit points are documented in the following publications:
• Client Access (file transfer, ODBC): AS/400 Client Access Host Servers, SC41-5740
• Distributed Data Management (DDM, remote commands): AS/400 Distributed Data Management, SC41-5307
• Internet (Telnet, FTP): TCP/IP Configuration and Reference, SC41-5420
• Security: System API Reference - Security APIs, SC41-5872
No good documentation available.
Exit Programs: Parameters
CALL EXIT (RTNCDE STRUCTURE)
Return code (RTNCDE): '0' = NO (reject the request), '1' = OK (allow the request)
STRUCTURE fields:
  Field                   Format   Size
  User profile name       Char     10
  Application name        Char     10
  Function                Char     10
  Object name             Char     10
  Library name            Char     10
  Object type             Char     7
  Format name             Char     10
  Variable data length    Zoned    5,0
  Variable data           Char     *
References: AS/400 Distributed Data Management, SC41-5307; Client Access Server Concepts, SC41-5740
Operation Code by Function
  Application   Function                     Operations
  *LMSRV        license management           REQUEST RELEASE
  *VPRT         virtual print                EXTRACT CHECK OPEN
  *TFRFCL       file transfer                SELECT JOIN REPLACE EXTRACT
                  EXTRACT   AS/400 -> PC     retrieve information
                  SELECT    AS/400 -> PC     download file
                  JOIN      AS/400 -> PC     download joined file
                  REPLACE   PC -> AS/400     upload file
  *FLRSRV       shared folders type 2        CHANGE CREATE DELETE EXTRACT MOVE OPEN RENAME
  *MSGFCL       messages                     SEND RECEIVE
  *DDM          distributed data management  ADDMBR CHANGE CHGMBR CLEAR COMMAND COPY CREATE DELETE
                                             EXTRACT INITIALIZE LOAD LOCK MOVE OPEN RENAME RGZMBR
                                             RMVMBR RNMMBR UNLOAD
                  COMMAND = submit remote command
Exit Program Example: Prevent Remote Commands
1. Create the CL program: CRTCLPGM STOPCMDS SRCFILE( )

  PGM        PARM(&RTNCODE &DATA)
  DCL        VAR(&DATA)    TYPE(*CHAR) LEN(30)   /* user(10) application(10) function(10) */
  DCL        VAR(&RTNCODE) TYPE(*CHAR) LEN(1)    /* '0' = reject, '1' = allow              */
  DCL        VAR(&FUNC)    TYPE(*CHAR) LEN(10)
  CHGVAR     VAR(&FUNC) VALUE(%SST(&DATA 21 10))  /* function is bytes 21-30 of the structure */
  IF         COND(&FUNC = 'COMMAND') THEN(CHGVAR VAR(&RTNCODE) VALUE('0'))  /* remote command: reject */
  ELSE       CMD(CHGVAR VAR(&RTNCODE) VALUE('1'))                           /* anything else: allow   */
  ENDPGM

2. Change the network attributes: CHGNETA DDMACC(STOPCMDS)
Exit Program Example: Prevent Remote Commands and File Upload (2 of 2)
A good way to monitor use. (Slide 1 of 2 is not in this copy of the deck; the PGM and DCL statements below are reconstructed from the variables the program uses.)

  PGM        PARM(&RC &STRU)                          /* declarations reconstructed, see note above */
  DCL        VAR(&RC)   TYPE(*CHAR) LEN(1)            /* return code: '0' reject, '1' allow         */
  DCL        VAR(&STRU) TYPE(*CHAR) LEN(72)           /* fixed part of the exit parameter structure */
  DCL        VAR(&USER) TYPE(*CHAR) LEN(10)
  DCL        VAR(&APP1) TYPE(*CHAR) LEN(10)
  DCL        VAR(&APP2) TYPE(*CHAR) LEN(10)
  DCL        VAR(&TYPE) TYPE(*CHAR) LEN(2)
  MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))    /* if error, exit                            */
  CHGVAR     VAR(&RC) VALUE('1')                      /* allow request unless a rule rejects it    */
  CHGVAR     VAR(&USER) VALUE(%SST(&STRU 1 10))       /* get user                                  */
  CHGVAR     VAR(&APP1) VALUE(%SST(&STRU 11 10))      /* get application                           */
  CHGVAR     VAR(&APP2) VALUE(%SST(&STRU 21 10))      /* get function                              */
  /* Do not log IBM request to check license */
  IF         COND(&APP1 = '*LMSRV') THEN(GOTO CMDLBL(EXIT))
  /* XXXXXXXXX is a placeholder for an exempt user: skip the checks, log only */
  IF         COND(&USER = 'XXXXXXXXX') THEN(GOTO CMDLBL(LOG))
  /* Prevent use of remote commands */
  IF         COND(&APP1 = '*DDM' *AND &APP2 = 'COMMAND') +
               THEN(CHGVAR VAR(&RC) VALUE('0'))       /* prevent the request                       */
  ELSE       CMD(IF COND(&APP1 = '*TFRFCL' *AND &APP2 = 'REPLACE') +
               THEN(CHGVAR VAR(&RC) VALUE('0')))      /* prevent file upload from PC users;        */
                                                      /* file download to PC is not prevented      */
  /* Log request in the audit journal */
  LOG:       CHGVAR VAR(&TYPE) VALUE('X' *CAT &RC)
             SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
  EXIT:      ENDPGM
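As an added example (not code from the deck or from PentaSafe), the following Python model does what the two CL programs above do, using the parameter structure from the Exit Programs slide: it splits the blank-padded fields the way the %SST calls do, rejects *DDM COMMAND and *TFRFCL REPLACE, skips logging for *LMSRV, and records an 'X0'/'X1' audit entry as the SNDJRNE call does. EXEMPT_USER keeps the deck's XXXXXXXXX placeholder, and every request in run_demo is constructed sample data.

```python
# Added example (not the deck's CL code): a Python model of a DDMACC/PCSACC exit
# program. It parses the fixed-width parameter structure from the "Exit Programs"
# slide and applies the rules of the "Prevent Remote Commands and File Upload"
# example. EXEMPT_USER keeps the deck's XXXXXXXXX placeholder; all requests below
# are constructed sample data.
from dataclasses import dataclass

# Fixed part of the structure: (field, size in bytes); var_len is Zoned 5,0.
LAYOUT = [
    ("user", 10), ("application", 10), ("function", 10), ("object_name", 10),
    ("library", 10), ("object_type", 7), ("format_name", 10), ("var_len", 5),
]
FIXED_LEN = sum(size for _, size in LAYOUT)  # 72 bytes, then the variable data

@dataclass
class ExitRequest:
    user: str
    application: str
    function: str
    object_name: str
    library: str
    object_type: str
    format_name: str
    var_data: str

def build_structure(user, app, func, obj="", lib="", otype="", fmt="", var_data=""):
    """Lay out a request the way the server passes it (blank-padded, zoned length)."""
    fixed = (f"{user:<10}{app:<10}{func:<10}{obj:<10}{lib:<10}"
             f"{otype:<7}{fmt:<10}{len(var_data):05d}")
    return fixed + var_data

def parse_structure(buf: str) -> ExitRequest:
    """Split the structure into fields, the way the CL %SST calls do."""
    if len(buf) < FIXED_LEN:
        raise ValueError("structure shorter than its fixed part")
    fields, pos = {}, 0
    for name, size in LAYOUT:
        fields[name] = buf[pos:pos + size].rstrip()
        pos += size
    var_len = int(fields.pop("var_len") or 0)
    return ExitRequest(var_data=buf[pos:pos + var_len], **fields)

EXEMPT_USER = "XXXXXXXXX"  # deck placeholder; a real profile name goes here

def exit_program(req: ExitRequest, audit: list) -> str:
    """Return '1' (allow) or '0' (reject); append ('X'+rc, request) to the audit list."""
    rc = "1"                                   # allow unless a rule says otherwise
    if req.application == "*LMSRV":            # IBM license check: allow, do not log
        return rc
    if req.user != EXEMPT_USER:
        if req.application == "*DDM" and req.function == "COMMAND":
            rc = "0"                           # submit remote command
        elif req.application == "*TFRFCL" and req.function == "REPLACE":
            rc = "0"                           # PC -> AS/400 upload; downloads stay allowed
    audit.append(("X" + rc, req))              # like SNDJRNE QAUDJRN TYPE('X' *CAT &RC)
    return rc

def run_demo():
    """Feed constructed requests through the exit; return (return codes, audit list)."""
    audit = []
    samples = [
        build_structure("ELLEN", "*DDM", "COMMAND", var_data="DSPLIB QGPL"),
        build_structure("ELLEN", "*TFRFCL", "SELECT", "CUSTOMER", "PRODLIB", "*FILE"),
        build_structure("ELLEN", "*TFRFCL", "REPLACE", "CUSTOMER", "PRODLIB", "*FILE"),
        build_structure("ELLEN", "*LMSRV", "REQUEST"),
        build_structure(EXEMPT_USER, "*DDM", "COMMAND"),
    ]
    codes = [exit_program(parse_structure(s), audit) for s in samples]
    return codes, audit

if __name__ == "__main__":
    codes, audit = run_demo()
    print(codes)                               # ['0', '1', '0', '1', '1']
    for entry_type, req in audit:
        print(entry_type, req.user, req.application, req.function)
```

The audit list ends up with four entries for five requests, because the *LMSRV request leaves before logging, exactly as the GOTO EXIT in the CL program does; the exempt user's remote command is allowed but still logged, which is what makes the journal useful for monitoring.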
Exit Program Usage
The exit point will depend upon the client operating system.
  File transfer from     Interactive   API     ODBC
  DOS                    EXIT1         EXIT1   N/A
  Win 3.1                EXIT1         EXIT1   EXIT2
  Win95/98/NT            EXIT2         EXIT2   EXIT2
EXIT1 = Original File Transfer, exit point QIBM_QTF_TRANSFER
EXIT2 = Data Base Server, exit point QIBM_QZDA_NDB1
Exit Program Usage
• Original file transfer -> EXIT1
• Windows 95 and NT file transfer -> EXIT2
Two programs are required because the parameters are different.
It is difficult to determine whether a request was an upload or a download.
Exit Design Alternative: Constant
Compare to a constant, for example IF (&USER = 'ELLEN ')
Advantages
• Excellent performance
• Easy to determine program flow
Limitations
• Must recompile the program to make any change
• Security specification uses a different technique
Exit Design Alternative: Read from File
The exit program reads the list of users from a file.
Advantages
• Good performance
• Add and remove users without recompiling the program
Limitations
• Program logic is more complex
• Security specification uses a different technique
Exit Design Alternative: Authorization List Users
The exit program uses CHKOBJ against an authorization list that holds the list of users.
Advantages
• Good performance
• Add and remove users without recompiling the program
• Security specification uses the same technique as object security
Limitations
• Program logic is more complex
Check an Authorization List
The exit program calls CHKOBJ against the authorization list (FILEREAD in QSYS) that holds the list of users:

  IF         COND(………………) THEN(DO)
    CHKOBJ   OBJ(QSYS/FILEREAD) OBJTYPE(*AUTL) AUT(*USE)       /* is the requesting user authorized to the list? */
    MONMSG   MSGID(CPF9800) EXEC(CHGVAR VAR(&RC) VALUE('0'))   /* not authorized (or list missing): reject       */
    GOTO     CMDLBL(LOG)                                       /* log the decision either way                    */
  ENDDO

It is possible to check for different authorities: *USE for read actions, *CHANGE for update actions.
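The authorization-list alternative, as an added Python model rather than the deck's CL: instead of comparing the user to constants compiled into the exit program, the decision asks whether the requesting user holds the authority the function needs on an authorization list, *USE for read actions and *CHANGE for update actions as the slide suggests. On the AS/400 itself that check is CHKOBJ OBJTYPE(*AUTL) AUT(...); the list contents, the user names and the requests here are constructed sample data, and the linear ranking of *EXCLUDE < *USE < *CHANGE < *ALL is a simplification of the real authority model.

```python
# Added example (not the deck's CL code): a Python model of the "Authorization list
# users" design alternative. The exit decides a request by checking whether the
# requesting user holds the authority the function needs on an authorization list:
# *USE for read actions, *CHANGE for update actions. On the AS/400 the check is
# CHKOBJ OBJTYPE(*AUTL) AUT(...); list contents, users and requests are constructed.

# Function -> required authority, from the "Operation code by Function" table:
# SELECT/JOIN/EXTRACT move data AS/400 -> PC (read); REPLACE uploads PC -> AS/400
# and the DDM member operations change the file (update).
READ_FUNCS = {"SELECT", "JOIN", "EXTRACT", "OPEN"}
UPDATE_FUNCS = {"REPLACE", "ADDMBR", "RMVMBR", "RNMMBR", "CLEAR", "INITIALIZE", "LOAD"}
# Simplified linear ranking of authorities (the real model is not strictly linear).
AUTH_RANK = {"*EXCLUDE": 0, "*USE": 1, "*CHANGE": 2, "*ALL": 3}

class AuthorizationList:
    """Toy *AUTL: user -> authority, with the *PUBLIC entry as the default."""
    def __init__(self, entries, public="*EXCLUDE"):
        self.entries = dict(entries)
        self.public = public

    def is_authorized(self, user, needed):
        """Model of CHKOBJ OBJTYPE(*AUTL) AUT(needed) for the given user."""
        granted = self.entries.get(user, self.public)
        return AUTH_RANK[granted] >= AUTH_RANK[needed]

def required_authority(function):
    """Map a request function to the authority the exit demands for it."""
    if function in READ_FUNCS:
        return "*USE"
    if function in UPDATE_FUNCS:
        return "*CHANGE"
    return None   # unknown function: no authority is enough, the request is rejected

def decide(user, function, autl):
    """Exit return code: '1' allow, '0' reject."""
    needed = required_authority(function)
    if needed is None or not autl.is_authorized(user, needed):
        return "0"
    return "1"

# Constructed list named after the deck's QSYS/FILEREAD example.
FILEREAD = AuthorizationList({"ELLEN": "*USE", "BOB": "*CHANGE"})

def run_demo(autl=FILEREAD):
    """Constructed requests against the list; returns the list of return codes."""
    return [
        decide("ELLEN", "SELECT", autl),    # read with *USE                  -> '1'
        decide("ELLEN", "REPLACE", autl),   # upload with only *USE           -> '0'
        decide("BOB", "REPLACE", autl),     # upload with *CHANGE             -> '1'
        decide("GUEST", "SELECT", autl),    # not on the list, *PUBLIC *EXCLUDE -> '0'
        decide("BOB", "COMMAND", autl),     # not a file function             -> '0'
    ]

if __name__ == "__main__":
    print(run_demo())   # ['1', '0', '1', '0', '0']
```

Adding or removing a user is a change to the authorization list entries, not to the program, which is the advantage the slide lists; the same list can also protect the production files themselves, so the exit and the object security are maintained with one technique.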
File Transfer Transactions
Trace of the database-server requests seen during one file transfer by user WOE:
  User  Server       Format    Request  Object
  WOE   *SQL         ZDAI0100
  WOE   *RTVOBJINF   ZDAR0100  X'1800'  *USRLIBL
  WOE   *SQLSRV      ZDAQ0200  X'180C'
  WOE   *RTVOBJINF   ZDAR0100  X'1805'  WOE
  WOE   *NDB         ZDAD0100  X'1802'  SOURCE
  WOE   *NDB         ZDAD0100  X'1805'  SOURCE
  WOE   *RTVOBJINF   ZDAR0100  X'1804'  WOE
  WOE   *SQLSRV      ZDAQ0200  X'1803'
  WOE   *SQLSRV      ZDAQ0200  X'1800'
  WOE   *SQLSRV      ZDAQ0200  X'1805'
  WOE   *NDB         ZDAD0100  X'1806'  SOURCE
Steps performed by the user, in order:
1. Request transfer: shows the user library list
2. Select library WOE: shows the files in the library
3. Select file SOURCE: shows the member list
4. Specify add member SECOFR during the data transfer: performs the copy
Summary
• Menu security is not adequate to limit a user.
• You must protect data from access via the other Client Access servers: FILE TRANSFER, REMOTE COMMANDS, FOLDER ACCESS
• Use exit programs to supplement object security
Summary
• Specifying exit programs using network attributes is not recommended: it increases overhead, and the network attributes offer only a limited set of exits
• Use the registration facility to specify exit programs
Information Sources
Exit point documentation:
• Client Access (file transfer, ODBC): AS/400 Client Access Host Servers, SC41-5740
• Distributed Data Management (DDM, remote commands): AS/400 Distributed Data Management, SC41-5307
• Internet (Telnet, FTP): TCP/IP Configuration and Reference, SC41-5420
• Security: System API Reference - Security APIs, SC41-5872
Information Sources: Manuals
• SC41-5300 Tips and Tools for Securing Your AS/400
• SC41-5301 AS/400 Security Basic
• SC41-5302 AS/400 Security Reference
Internet:
• S325-6321 IBM SecureWay AS/400 and the Internet
• G325-6321 AS/400 and the Internet
• SG24-4929 AS/400 Internet Security: Protecting Your AS/400 from HARM on the Internet
More questions?
Jim Stracka
j.stracka@pentasafe.com
www.pentasafe.com
713-860-9412 (direct)