
www.skyviewpartners.com

Copyright SkyView Partners, 2006. All Rights Reserved 1


World Class Security Experts

© Copyright 2006 SkyView Partners Inc. All rights reserved.

Security Considerations for the IFS

Carol Woodbury, President and Co-Founder

SkyView Partners, Inc

[email protected]


Agenda

- Why you should care about security in the IFS
- How security differs between the IFS and OS/400
- Tools to manage security in the IFS
- Auditing and the IFS
- File shares


Why Should I Care?

- More IBM products and third-party apps are implemented in file systems other than QSYS.LIB
  - WebSphere
  - Web servers
  - iSeries Access
- Default access is the equivalent of *PUBLIC *ALL, which allows inappropriate
  - Directory creation
  - Storage of objects
    - PC backups
    - Movies
    - Music
    - Pictures, etc


What is Meant by the IFS


IFS Security Compared to i5/OS Security

Different:
- Ignores adopted authority
- Need to look in different audit fields
- Ignores ownership setting in user profile
- Ignores QCRTAUT system value
- Authority names (*RWX vs *CHANGE)

Same:
- Can use authorization lists and private authorities
- Has *PUBLIC authority
- Authority checking algorithm


IFS Authorities

[Table: which OS/400 data authorities (*OBJOPR, *READ, *ADD, *UPD, *DLT, *EXECUTE) make up each IFS data authority (*RWX, *RW, *RX, *R, *WX, *W, *X); *OBJOPR is included in all seven. The object authorities *OBJMGT, *OBJEXIST, *OBJALTER, *OBJREF and *AUTLMGT are listed separately from the data authorities.]


IFS Authorities

*RWX = Read/Write/Execute (*CHANGE)

*RW = Read/Write

*RX = Read/Execute (*USE)

*R = Read

*WX = Write/Execute

*W = Write

*X = Execute

Need:

*R to read a file or to list the contents of a directory

*W to write to a file or add a file to a directory

*X to traverse through a directory, e.g., ‘/home/cjw’


Two sets of authority to manage

CHGAUT – Change Authority command

Note that the command requires a pathname for the OBJ parameter


Two sets of authority to manage

WRKAUT – Work with Authority command

Note: the recommended setting for ‘/’ is data authorities *RX, object authorities *NONE.


Working with Permissions in iSeries Navigator

Navigate to the file

Right click, choose Permissions


Locking Down the IFS

Start at the top - just like OS/400
- First secure the directories
- If required, then further secure the objects within
- Secure using
  - *PUBLIC authority
  - Groups
  - Authorization lists
  - Private authorities

What Authorities to Use?
- OBJAUT(*NONE) and DTAAUT(*X) to traverse all directories in a path
- OBJAUT(*NONE) and DTAAUT(*RX) to the directory to read or list the contents
- OBJAUT(*NONE) and DTAAUT(*RWX) to the directory to create objects into it
- OBJAUT(*NONE) and DTAAUT(*WX) to the directory to rename or delete objects
- OBJAUT(*OBJMGT) at the object level for objects to copy or rename
- OBJAUT(*OBJEXIST) at the object level for objects to delete

IBM directories are generally OK
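The traversal and directory rules above, worked through as an added example (constructed for this page, not SkyView's or IBM's code): a Python model of the checks over an assumed directory tree under an assumed /ftp path, using the FTPDWNLOAD and FTPUPLOAD group names from the audit slide; it ignores *ALLOBJ special authority and authorization lists.

```python
"""Model of the authority rules on the "Locking Down the IFS" slide (constructed example,
not SkyView or IBM code); ignores *ALLOBJ, authorization lists and, like the IFS, adopted authority."""
from typing import Dict, List, Set, Tuple
Auth = Tuple[Set[str], Set[str]]  # (data authority letters R/W/X, object authorities)
ACL = Dict[str, Auth]             # user, group or "*PUBLIC" -> Auth
# Data authority needed on the holding directory, object authority needed on the object (per slide).
DIR_NEED = {"list": set("RX"), "create": set("RWX"), "rename": set("WX"), "delete": set("WX")}
OBJ_DATA_NEED = {"read": {"R"}, "write": {"W"}}
OBJ_NEED = {"rename": {"*OBJMGT"}, "delete": {"*OBJEXIST"}}

def effective(acl: ACL, user: str, groups: List[str]) -> Auth:
    """Private authority wins; otherwise group authorities accumulate; otherwise *PUBLIC."""
    if user in acl:
        return acl[user]
    hits = [acl[g] for g in groups if g in acl]
    if hits:
        return set().union(*(h[0] for h in hits)), set().union(*(h[1] for h in hits))
    return acl.get("*PUBLIC", (set(), set()))

def parents(path: str) -> List[str]:
    """Directories above path: '/home/cjw/x' -> ['/', '/home', '/home/cjw']."""
    parts = path.strip("/").split("/")
    return ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def can(fs: Dict[str, ACL], user: str, groups: List[str], op: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for op in list/create/read/write/rename/delete on path."""
    def auth(p: str) -> Auth:
        return effective(fs.get(p, {}), user, groups)
    for d in parents(path):                    # *X is needed to traverse every directory above
        if "X" not in auth(d)[0]:
            return False, f"need DTAAUT *X on {d}"
    on_dir = op in ("list", "create")          # for these the target is the directory itself
    holder = path if on_dir else parents(path)[-1]
    need = DIR_NEED.get(op, set())
    if not need <= auth(holder)[0]:
        return False, f"need DTAAUT *{''.join(sorted(need))} on {holder}"
    if not on_dir:
        data, obj = auth(path)
        if not (OBJ_DATA_NEED.get(op, set()) <= data and OBJ_NEED.get(op, set()) <= obj):
            return False, f"insufficient authority on {path}"
    return True, "ok"

# Constructed sample: *PUBLIC excluded from /ftp/inbound, FTPDWNLOAD *RX, FTPUPLOAD *RWX (as on the "Audit entries" slide); /ftp is traversable (*X) but not listable.
SAMPLE_FS: Dict[str, ACL] = {
    "/": {"*PUBLIC": (set("RX"), set())},
    "/ftp": {"*PUBLIC": (set("X"), set())},
    "/ftp/inbound": {"*PUBLIC": (set(), set()), "FTPDWNLOAD": (set("RX"), set()), "FTPUPLOAD": (set("RWX"), set())},
    "/ftp/inbound/orders.csv": {"*PUBLIC": (set(), set()), "FTPDWNLOAD": (set("R"), set()), "FTPUPLOAD": (set("RW"), {"*OBJEXIST"})},
}
```

Because the model only knows *PUBLIC, private and group authorities, a user with *ALLOBJ would be denied here although the real system allows them.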


Tools for managing IFS authorities - SECTOOLS

SECTOOLS – PRTPUBAUT and PRTPVTAUT

Note: Use caution when specifying *YES to search subdirectory!


Managing IFS Access with QPWFSERVER Autl

- No authority to the authorization list means no access to the QSYS.LIB file system using Explorer.
- Ignored when using FTP or ODBC
- Ships with *PUBLIC *USE


Management tools available “as is” from IBM

- QRYIFSLIB dumps information such as file size, owner, primary group, etc. to an outfile.
- CHGOWNALL runs the CHGOWN command on all files and subdirectories in the specified directory.
- CHGAUTALL runs the CHGAUT command on all files and subdirectories in the specified directory.
- RNMIFSF renames an invalid file or directory name.
- DLTIFSF deletes from the IFS a file containing invalid characters.
- DSPLINK displays the actual location that a symbolic link references.
- CHGCCSID changes the CCSID on one file or all files in a directory.
- ATTRIB allows IFS file attributes to be updated from OS/400 without requiring a network drive or PC connection.
- DELTREE deletes all files, directories, and subdirectories from the parent directory down. Obviously, this one needs to be used with caution.

Download from ftp://testcase.boulder.ibm.com/as400/fromibm/ApiSamples/ifstool.savf


Ignores QCRTAUT system value

What authority do newly created objects get?

- Typically inherits ALL authorities of the directory it’s being created into
  - Authorization list, *PUBLIC, private, etc
- Exceptions:
  - CPYTOSTMF
    - Does not copy private authorities or AUTL
    - *PUBLIC and primary group are set to *EXCLUDE
    - Owner has *RWX
    - Need to change after the create using CHGAUT
  - creat(), move(), mkdir() APIs where the authority can be specified


Managing ownership

CHGOWN – Change Owner command

Note: Replace ‘PRODDATA.FILE’ in the pathname with *.* and all objects in the library are changed


Application authorization options

Adopted authority is ignored

Options:

- User has authorization through
  - *PUBLIC
  - Individual (private) authority for user or group
  - Primary group authority
  - Authorization list
- Use one of the swap APIs
  - Profile swap
  - Profile token
  - Set UID or Set GID


Swap profile – uid and gid APIs

[Diagram]
Using qsysetuid(): SALLY (groups SAL_GRP_1, SAL_GRP_2, SAL_GRP_3) swaps to JOE (groups SAL_GRP_1, SAL_GRP_2, SAL_GRP_3); the user changes, the group list stays.

Using qsysetgid(): SALLY (groups SAL_GRP_1, SAL_GRP_2, SAL_GRP_3) swaps to SALLY (groups APP_PROF, SAL_GRP_2, SAL_GRP_3); the user stays, the primary group changes.


Auditing

CHGAUD – Change Auditing command


Audit entries

- *N in the Object Name field of an audit entry indicates the object is a pathname
- Pathname is a 5002 character field at the end of the audit journal entry
- Must use DSPJRN (Display Journal) command to display
  - See iSeries Security Reference manual, Appendix F for outfile layout
  - DSPAUDJRNE (Display Audit Journal Entry) does not support pathnames


Audit entries – Key for Reworking Security

- Make sure *CREATE and *DELETE are specified in QAUDLVL system value
- Query for objects being created into or deleted out of directories
  - Hint: Query for all objects with *N as the Object Name
- This tells you what authority is required for the process to write to the directory.
  - *PUBLIC DTAAUT(*EXCLUDE) OBJAUT(*NONE)
  - FTPDWNLOAD DTAAUT(*RX) OBJAUT(*NONE)
  - FTPUPLOAD DTAAUT(*RWX) OBJAUT(*NONE)


DSPAUDJRNE

DSPAUDJRNE ENTTYP(CO)


DSPJRN

- CRTDUPOBJ OBJ(QASYCOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
- DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '17:30:00') + JRNCDE((T)) ENTTYP(CO) OUTPUT(*OUTFILE) + OUTFILFMT(*TYPE4) OUTFILE(QTEMP/QASYCOJ4)


File shares

- File shares make the directory “available” to the network
- Many systems have shared ‘/’
- Manage file shares through iSeries Navigator


File shares

Navigate to the directory

Right click

Choose Sharing, New sharing to define a new share

A hand underneath the folder indicates a share


File shares

- Shares can be Read only or Read/Write
- Underlying OS/400 authorities on the object determine what can be done to the file
- Secure the QZLSADFS (Add file share) and QZLSCHRS (Change file share) APIs


New IFS System Values and Exit Points – V5R3

- QSCANFS – Scan file system
  - *NONE or *ROOTOPNUD – every stream file in ‘/’, QOpenSys and user-defined file systems is scanned
  - Works together with the QIBM_QP0L_SCAN_OPEN (Scan on Open) and QIBM_QP0L_SCAN_CLOSE (Scan on Close) exit points to define what program does the scanning.
  - Documented in the API section of the Info Center.
- QSCANFSCTL – Scan file system control parameters
  - Determines which objects within a file system are scanned, and when (for example, scan only when the object is changed.)
  - Determines the action to take when the scan fails.
  - Works together with new attributes on *DIR (*CRTOBJSCAN) and *STMF (*SCAN)


Stop Ignoring the IFS

- Many people are choosing to ignore the security issues residing in the IFS


For More Information …

- Experts’ Guide to OS/400 Security by Carol Woodbury and Patrick Botz, ISBN 1-58304-096-X, 29th Street Press 2004.
- White paper – “Virus Got you Down?” http://www.skyviewpartners.com/java-skyviewp/security.jsp
- iSeries Security Reference manual
  - Appendix D
  - Available from the IBM Information Center at http://www.iseries.ibm.com/infocenter
- www.skyviewpartners.com
  - Providing policy management and risk assessment software and security services!