PART 16-A AS/400 ARCHITECTURE & SECURITY
Leen van Rij, KPMG IRM, Vrije Universiteit Amsterdam, 31 March 2003
File 16-A AS400 architecture & security 2003

CONTENTS
- History
- Architecture
- Application System/400 and Operating System/400 (AS/400 and OS/400)
- Physical security levels
- Logical security levels
- Object management
- Security implementation
- Special security features
- Auditing (Part X, only for the AS/400 auditor)
Note: AS/400 = hardware, OS/400 = operating system
CONTENTS (continued)
- Literature
- Highlights
- History
- Architecture
- Communication support
- Machine interface
- AS/400 database system
- Integrated file system
- Single level storage
- Object oriented
- Object types
- Physical security
- Logical security levels
- Integrity checking
- Special authorizations
- User classes
- Pre-defined user profiles
- User profile
- Group profile
- Group structure
- Object header authority
- Object data authority
- Object authority
- Grouping
- Public authorization
- Private authority
- Authorization list
- Authorization check flow
- Adopted security
- Dedicated service tools
- Journaling
- Security definition interface
ONLY FOR THE AS/400 AUDITOR:
- Limited users
- Library security
- Physical versus logical file security
- Authority holder
- Adopted security
- Journaling

OPTIONAL LITERATURE
- IBM, AS/400 System Concepts
- IBM, AS/400 Security Concepts & Planning
- IBM, AS/400 Guide to Enabling C2 Security
- IBM, Application System/400 Technology
- Ernst & Young, A Practical Approach to Logical Access Control, McGraw-Hill (1993) (see the chapter "AS/400 access control")
- Ernst & Young, Technical Reference Series: Audit, Control and Security of the IBM AS/400 (1994) (description, control objectives, audit questions)
- Fred de Koning e.a., Beveiliging en controle in een AS/400-omgeving, Paardekooper & Hoffman (1995)
STRUCTURE OF THE ERNST & YOUNG AS/400 AUDIT REFERENCE
- Overview
- Hardware
- Software
- Logical access path
- Utilities
- Backup and recovery
- Objects
- Libraries
- Initial menus and programs
- System security: system keylock, system values, authorities, user and group profiles, authorization lists, etc.
- Procedural and administrative controls
- Control concerns
- Examples

TOPOLOGY OF SECURITY LAYERS
From the end user inward: front door, network security, security in the system or service, security in the application, and finally the Trusted Computing Base (TCB: access control, operating system, hardware) around the DATA. Around the machine: physical security of the computing center and the computing center staff.
The measures depend upon the security objectives and the enterprise's security strategy.
The TCB is certified using US Department of Defense standards.
Note: The security measures in the network, services and applications may use the access control in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.
ACCESS PATH WITHIN AS/400 (MEY MODEL)
AS/400 model, see the Ernst & Young book on logical access control.
End users and MIS personnel reach OS/400 through the OS/400 communication functions. OS/400 checks the user against the user profiles, presents the initial menu and routes the user to application software, command processors, or tools and utilities. These reach the data through the OS/400 database management functions, which enforce object security on the DATA.

HIGHLIGHTS FOR THE EDP AUDITOR
1. Appropriate security levels active
2. Identification and authentication (user and group profiles)
3. Special authorizations
4. Public and specific authorization (including authorization lists)
5. Dedicated Service Tools
6. Journaling
HISTORY OF APPLICATION SYSTEM/400 (AS/400)
- System/34, System/36 and System/38 (database included in the OS): 1974, 1978, 1982
- AS/400: 1987
- AS/400-Y10, PowerPC AS/400: 1995

ARCHITECTURE AS/400
The system processor and main storage connect through bus control units (BCU) to I/O bus units (IOBU), which drive the displays, printers, DASD and communication lines; bus extension units (BEU) extend the I/O bus.
- DASD = Direct Access Storage Device (disks)
- BCU = Bus Control Unit
- IOBU = I/O Bus Unit (communication controller)
- BEU = Bus Extension Unit
ARCHITECTURE
- Until 1995 the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture
- The system processor had a 32-bit data path and a 48-bit addressing structure, able to address 281 terabytes
- The addressing architecture is designed to handle 64-bit addressing, which is fully implemented in the newer systems using the PowerPC architecture

PHYSICAL CONNECTION PROTOCOLS
For communication purposes AS/400 supports on the physical layer a variety of data link and network protocols. A standard port is used for ECS (Electronic Customer Support). Optional adapters support the protocols:
- ASYNC (asynchronous)
- BSC (Binary Synchronous Communication)
- SDLC (Synchronous Data Link Control)
- X.21, X.25, X.31, V.24, V.35 and V.36
- ISDN (Integrated Services Digital Network)
- Twinaxial Data Link Control
- Ethernet
- Token-ring
- FDDI (Fiber Distributed Data Interface)
- Wireless LAN
- Fax (V.34)
(Layer diagram on the slide, from the terminal or application (= end user) down to the physical connection: Transaction Services, Presentation Services, Data Flow Control, Transmission Control, Path Control, Data Link Control, Physical Control. The protocols above belong to the physical connection; the next two slides cover the logical connection.)
NETWORK PROTOCOLS
To manage network access AS/400 supports the most common network protocols available (logical connection):
- Asynchronous
- Binary Synchronous Communications (BSC)
- System Network Architecture (SNA)
- Advanced Peer-to-Peer Network (APPN)
- Transmission Control Protocol/Internet Protocol (TCP/IP)
- Open Systems Interconnection (OSI)
- Multiprotocol Transport Networking (MPTN)

APPLICATION COMMUNICATION PROTOCOLS
To enable applications to use communication, AS/400 supports call interfaces like:
- Advanced Program-to-Program Communications (APPC)
- SNA Distribution Services (SNADS)
- Distributed Remote Data Access
- Open Systems Interconnection (OSI)
- Object Distribution Facility (ODF)
- Client Access/400
- Transmission Control Protocol (TCP)
- File Transfer Protocol (FTP)
- Simple Mail Transfer Protocol (SMTP)
- Simple Network Management Protocol (SNMP)
- User Datagram Protocol (UDP)
- Line Printer Requester/Line Printer Daemon protocol
- TELNET
MACHINE INTERFACE AS/400
Layers, from top to bottom: compilers, utilities and applications; Operating System/400 (OS/400); Vertical Micro Code; Horizontal Micro Code; hardware. The two microcode layers and the hardware together form the high-level machine.
- The AS/400 is a layered architecture machine
- To use the hardware only high-level machine instructions are available
- The high-level machine instructions are understood by the VERTICAL MICROCODE layer and translated to basic machine instructions
- The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and transferred to the hardware
- The hardware layer executes the instruction
- The Vertical and Horizontal Micro Code layers together with the hardware are called the HIGH-LEVEL MACHINE
- With the PowerPC architecture there is only one layer of microcode to implement the machine interface
MACHINE INTERFACE AS/400 (continued)
The three machine layers, called the high-level machine, also provide many functions normally implemented in the operating system.
- Traditional system: the operating system provides task management, resource management, storage management, database management, security management, etc.; below the machine interface the hardware only executes instructions
- AS/400: Operating System/400 (OS/400) sits above the machine interface; the AS/400 hardware (high-level machine) itself provides task management, resource management, storage management, data access, database management, security management, etc.
Note: Implementing functions in microcode benefits the system's performance.

INTEGRATED DATABASE SYSTEM
- AS/400 has an integrated database management system. It is a BASE feature of the AS/400
- Within AS/400 database access is only allowed through ONE Application Programming Interface (API). Access security is enforced by this interface and there is no redundant access control mechanism: there is only one focal point for access control
- The database is designed on two concepts: the physical files contain the data; the logical files give the possibility to define an alternate view of the data records and fields
- The user, when authorized, can access the data directly from the physical file or through the logical file
- The AS/400 database system is also used as physical storage by the product Data Base 2 (DB2/400), which extends the database features
INTEGRATED DATABASE SYSTEM (continued)
The AS/400 system can be used as a database server. To connect to the AS/400 database, protocols from different vendors are supported:
- Open Database Connectivity (ODBC) from Microsoft
- Data Access Language (DAL) from Apple
- System Query Language Connect (SQL CON) from Oracle
- Distributed Relational Database Architecture (DRDA) from IBM
(Diagram: system A and system B connect to database X and database Y on the AS/400.)

INTEGRATED FILE SYSTEM (IFS)
To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry-standard APIs to the stream file system and the hierarchical directory. The file systems supported by AS/400 are:
- Root file system: OS/2, DOS and Windows NT compatible
- QOpenSys file system: POSIX, XPG, UNIX compatible
- QLANSrv file system: OS/2 LAN Manager compatible
(Diagram: file system X and file system Y served from the AS/400.)
SINGLE LEVEL STORAGE
A different architecture:
- Traditional mainframe (OS/390): a 2 GB address space per user and separate data sets on DASD
- AS/400 - OS/400: 2^64 bytes = 16,000,000 terabytes of address space, in which every object (program, screen, data) lives: everything in one virtual address space

SINGLE LEVEL STORAGE (continued)
AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN and AUXILIARY storage appear contiguous to an end user and an application.
(Diagram: one virtual address space; the system processor addresses main storage through the VAT, and pages move between main storage and auxiliary storage on DASD (paging).)
- VAT = Virtual Address Translation
- DIR = Directory used by the VAT to keep track of the virtual storage contents
Note: When data or instructions are needed for execution by the system processor they are brought into main storage. When there is a shortage of main storage, the data and/or instructions no longer needed are transferred back to auxiliary storage on DASD.
SINGLE LEVEL STORAGE (continued)
AS/400 single-level storage gives the ability to have data storage independent of device types. All data, including programs, source, data, databases etc., are mapped into this single virtual address space.
(Diagram: the AS/400 virtual address space holding objects such as Program A123, Data 5RF, Command AB6, Menu 567, Menu 765, a queue, Program A143, Program XG63, Data GFHJ, Command UY, etc., up to the maximum space.)

OBJECT ORIENTED DESIGN
Definition: everything on the system that can be stored or retrieved is contained in an object.
The high-level machine is designed to treat everything the same through the use of a generic object structure.
General object structure:
- OBJECT HEADER (control information): object type, owner, public authority, etc.
- FUNCTIONAL OBJECT (data): e.g. data records, programs, sources, etc.
OBJECT TYPES
To store information in the AS/400 system there are 73 different object types defined, e.g.:
Type                Contents
Library             object names (like a directory)
Data                data records (database records)
Program             executable programs
Source              source of programs like COBOL, Pascal, C etc.
User profile        userid descriptions and privileges
Journal             logging records
Job queue           jobs to handle
Output queue        output from jobs
Device description  device parameters
Job description     job control language

OBJECT ADMINISTRATION
(Diagram: a search for OBJECT X starts in QSYS, which lists LIBRARY 1, LIBRARY 2 and LIBRARY 3. LIBRARY 1 holds OBJECT X, OBJECT Y and OBJECT Z; LIBRARY 2 holds OBJECT K, OBJECT L and OBJECT M. A database object such as OBJECT Y consists of MEMBER A, MEMBER B and MEMBER C.)
KEYLOCK SWITCH
On the front panel of the AS/400, operated with a physical key (to be stored safely). Positions: Normal, Secure, Manual, Auto.
Keylock position | Power down command | Remote or timed IPL | Main switch IPL | Attended IPL
SECURE           | YES                | NO                  | NO              | NO
AUTO             | YES                | YES                 | NO              | NO
NORMAL           | YES                | YES                 | YES             | NO
MANUAL           | YES                | NO                  | YES             | YES
Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools).

LOGICAL SECURITY LEVELS
AS/400 is designed to activate different levels of security. The levels are controlled by setting the system value QSECURITY(xx):
- 10 - no security
- 20 - userid and password checking
- 30 - object authorization verification
- 40 - applications must use the AS/400 call interface
- 50 - DoD C2 security
Note: to guarantee data integrity, at least QSECURITY(30) must be set by the security administrator prior to user access to the system.
DESCRIPTION OF SECURITY LEVELS
- 10 - No security level at all. A user profile is automatically defined when a user signs on
- 20 - User profile and password must be defined prior to sign-on
- 30 - Like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate access authority to use the resources
- 40 - Like 30, but the machine interface cannot be used directly by programs. It can only be used through the AS/400 call interface. All access is controlled and checked by AS/400. Journalling must be active so reports can be created
- 50 - Extends level 40 to meet the DoD C2 classification. Users are only allowed to access their own objects through the AS/400-defined Application Programming Interface (API). Bypassing the journalling of an object access is no longer possible

INTEGRITY CHECKING
ISOLATION: AS/400 has system state and user state programs.
- Security level 10, 20 and 30: user and system programs can freely interact with the high-level machine
- Security level 40: the APIs (Application Program Interface) must be used by a user program to interact with a system program
- Security level 50: the APIs must also be used by a user program to interact with another user program
INTEGRITY CHECKING (continued)
Interaction between the domains of two programs:
                    | System state domain                                                 | User state domain
System state domain | no integrity problem                                                | integrity problem when not checked; the API must be used (level 40)
User state domain   | integrity problem                                                   | intentionally no problem, no journalling of activities; level 50 enforces use of the API in the user domain

SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system-wide authority scope. When a user is defined with a special authorization he/she is able to:
Privilege  Authorized to do
ALLOBJ     access every system resource
SECADM     create / change user profiles
SAVSYS     save / restore
JOBCTL     manipulate jobs on the system
SPLCTL     all spool functions
SERVICE    service functions
AUDIT      audit-related functions
IOSYSCFG   change the system configuration
USER CLASSES
(Diagram: nested sets of special authorities per user class. ALLOBJ, SERVICE, SPLCTL and IOSYSCFG belong to the SECOFR class only; SECADM to the SECOFR and SECADM classes; JOBCTL and SAVSYS are shared by the SECOFR, SECADM, SYSOPR and PGMR classes. The table on the next slide gives the details.)

USER CLASSES (continued)
Special authorities can be grouped together. This grouping is called a USER CLASS.
Authority  SECOFR  SECADM  SYSOPR  PGMR   USER
ALLOBJ     yes     10/20   10/20   10/20  10/20
SECADM     yes     yes     -       -      -
SAVSYS     yes     yes     yes     yes    10/20
JOBCTL     yes     yes     yes     yes    -
SPLCTL     yes     -       -       -      -
SERVICE    yes     -       -       -      -
IOSYSCFG   yes     -       -       -      -
Note: 10/20 refers to security levels 10 and 20. When one of these is active, the ALLOBJ authority is assigned to these classes automatically. "yes" refers to security levels 30, 40 and 50.
PRE-DEFINED USER PROFILES
When AS/400 is installed, there are 6 predefined user profiles available to access the system. They are used to create other user profiles to access the system. The 6 default userids are:
- QSECOFR
- QPGMR
- QSYSOPR
- QSRV
- QSRVBAS
- QUSER
Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids.

USER PROFILE
With security level 20 or higher, the user can only access the system if there is a user profile defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile (an object) may be:
- Userid
- Password
- User class
- Password expiration
- Group name (up to 16 groups)
- Special authority
- Initial program
- Accounting code
- Initial menu
- Limited capability
- Current library
(Note: this is only a partial content)
AUTHENTICATION
System-wide password syntax options:
- QPWDMINLEN: minimum length of the password
- QPWDMAXLEN: maximum length (up to 10 characters)
- QPWDRQDDIF: the new password must differ from the 32 previous ones
- QPWDLMTCHR: specify up to 10 characters not allowed in a password
- QPWDPOSDIF: a character in the new password must differ from the character in the same position in the old one
- QPWDLMTREP: characters may not be used more than once
- QPWDLMTAJC: digits 0 to 9 not next to one another
- QPWDVLDPGM: use a password syntax checker program
- QPWDRQDDGT: at least one numeric character
Other system-wide password options:
- QPWDEXPITV: maximum number of days the password is valid
- QMAXSIGN: maximum number of unsuccessful sign-on attempts
- QDSPSGNINF: display date/time of last sign-on etc. after a successful sign-on

GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile (an object) may be:
- Userid (is the group name)
- Password (*NONE)
- User class (class for the group)
- Password expiration (not relevant)
- Group (*NONE)
- Special authority (for the group)
- Initial program (not relevant)
- Accounting code (not relevant)
- Initial menu (not relevant)
- Limited capability (not relevant)
- Current library (not relevant)
(Note: this is only a partial content)
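The password syntax system values above as a checker, an added example that is not code from the original slides: the system value names are the real OS/400 names, while the policy values, the hypothetical QPWDVLDPGM hook and the sample passwords are constructed.

```python
"""Checker for the OS/400 password-composition system values listed above."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class PasswordPolicy:
    """One field per system value. The defaults are constructed, not IBM's shipped values."""
    qpwdminlen: int = 6          # minimum length
    qpwdmaxlen: int = 10         # maximum length (10 on the releases the slides cover)
    qpwdrqddif: int = 32         # must differ from this many previous passwords (0 = off)
    qpwdlmtchr: str = ""         # up to 10 characters that may not appear
    qpwdposdif: bool = False     # no character equal to the old password's character at that position
    qpwdlmtrep: bool = False     # no character used more than once
    qpwdlmtajc: bool = False     # no two digits next to each other
    qpwdrqddgt: bool = False     # at least one digit
    # Hypothetical stand-in for the QPWDVLDPGM exit program: returns a rejection reason or None.
    qpwdvldpgm: Optional[Callable[[str], Optional[str]]] = None


def check_password(new: str, history: List[str], policy: PasswordPolicy) -> List[str]:
    """Return the system values the new password violates (empty list = accepted).

    history[0] is the current password, older passwords follow."""
    violations = []
    if len(new) < policy.qpwdminlen:
        violations.append("QPWDMINLEN")
    if len(new) > policy.qpwdmaxlen:
        violations.append("QPWDMAXLEN")
    if policy.qpwdrqddif and new in history[:policy.qpwdrqddif]:
        violations.append("QPWDRQDDIF")
    if any(c in policy.qpwdlmtchr for c in new):
        violations.append("QPWDLMTCHR")
    if policy.qpwdposdif and history and any(a == b for a, b in zip(new, history[0])):
        violations.append("QPWDPOSDIF")
    if policy.qpwdlmtrep and len(set(new)) != len(new):
        violations.append("QPWDLMTREP")
    if policy.qpwdlmtajc and any(a.isdigit() and b.isdigit() for a, b in zip(new, new[1:])):
        violations.append("QPWDLMTAJC")
    if policy.qpwdrqddgt and not any(c.isdigit() for c in new):
        violations.append("QPWDRQDDGT")
    if policy.qpwdvldpgm is not None and policy.qpwdvldpgm(new) is not None:
        violations.append("QPWDVLDPGM")
    return violations


# Constructed policy: every syntax option switched on, vowels forbidden, and an
# exit program that rejects passwords containing the userid LEEN.
POLICY = PasswordPolicy(
    qpwdminlen=6, qpwdmaxlen=10, qpwdrqddif=32, qpwdlmtchr="AEIOU",
    qpwdposdif=True, qpwdlmtrep=True, qpwdlmtajc=True, qpwdrqddgt=True,
    qpwdvldpgm=lambda pwd: "contains userid" if "LEEN" in pwd else None,
)

if __name__ == "__main__":
    for candidate, old in [("K7PMG3", ["Q9RSTV"]), ("KPMG2003", ["Q9RSTV"]),
                           ("LEEN", ["LAAN"]), ("Q9RSTV", ["Q9RSTV"])]:
        print(candidate, check_password(candidate, old, POLICY) or "accepted")
```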
GROUP STRUCTURE
(Diagram: group profile GROUP A and group profile GROUP B; user profile USER A1 with Group=A, USER A2 with Group=A,B, USER B1 with Group=B, USER B2 with Group=B.)
- The groups are independent definitions and do not have any relation to one another
- A user can be a member of a maximum of 16 groups

OBJECT HEADER AUTHORITY
AS/400 is object oriented: all stored information is contained in an object (HEADER plus functional data). There are 3 authority levels to control the header information. This authority is specific for every user-object combination. The user may:
Authority  Access rights to the HEADER
OBJOPR     use/look at the object information
OBJMGT     grant other users the use of the object
OBJEXIST   totally control the object
OBJECT DATA AUTHORITY
Prior to accessing the contents of the object (the FUNCTIONAL DATA), the user must have at least OBJOPR authority to the object. If so, data access can be controlled with five different levels:
Authority  Access rights to the FUNCTIONAL DATA
READ       read the entries of the functional data
ADD        add entries to the functional data
UPD        update entries of the functional data
DLT        delete entries of the functional data
EXECUTE    only execute the related program

OBJECT AUTHORITY
To get access to the object the user needs at least access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.
(Diagram: the authorization search starts at the PUBLIC authority, which grants OBJOPR on the header and READ on the data.)
OBJECT AUTHORITY GROUPING
(Diagram: three nested groups. USE = OBJOPR and READ; CHANGE = USE plus ADD, UPD and DLT; ALL = CHANGE plus OBJMGT and OBJEXIST.)

OBJECT AUTHORITY GROUPING (continued)
Object header and functional data access authorities can be grouped into system-defined values controlling the access to the object:
Combination  Object authority           Data authority
USE          OBJOPR                     READ
CHANGE       OBJOPR                     READ, ADD, UPD, DLT
ALL          OBJOPR, OBJMGT, OBJEXIST   READ, ADD, UPD, DLT
EXCLUDE      access always denied
LIBCRTAUT    access determined by the library where the object is registered
USER DEF     combination defined by the user
PUBLIC AUTHORIZATION
When most of the users must have the same access authority to the object, this access authority is set in the object header. The authorization is called PUBLIC and is given to the object during creation.
(Diagram: OBJECT HEADER with object type, owner and PUBLIC authority USE; the FUNCTIONAL DATA is reachable by all users.)
Note: In this example all users have read access to this object (USE includes OBJOPR and READ).

PRIVATE AUTHORITY
When a specific user must have limited or higher access rights relative to the public authority, the user's access is administered in his/her user profile extension header.
(Diagram: USER PROFILE (an object) with the user information, the list of owned objects and the LIST OF OBJECTS AUTHORIZED TO ACCESS WITH THE AUTHORITY, e.g. OBJEXAMPLE: CHANGE, for this single user.)
Note: When there is a private access definition for the object that is lower than the public authority, it is marked in the object header.
AUTHORIZATION LIST
- Another possibility to control access is to create an authorization list. This list is created when there are users or groups with different access rights to a group of objects
- An object can be connected to this authorization list
- The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted
- When another object is created that needs the same authorization scheme, this newly created object can be connected to the same list

AUTHORIZATION LIST CONTENTS
The authorization list by itself is also an object. The list is treated like every other object in the system.
AUTHORIZATION LIST (an object, with its own header):
User     Authority
ANJA     ALL
EDWIN    CHANGE
RONALD   USE
LEEN     AUTLMGT
PUBLIC   EXCLUDE
The example above shows a list which can be used by an object to control its access rights. There is also a specific access control authorization defined, called AUTLMGT. This gives the user (or group) the ability to maintain this authorization list.
Note: When the public authorization in the object specifies that the authorization list will be used, the entry PUBLIC gives the public authorization.
AUTHORIZATION LIST CONNECTION
When an object is created or changed the authorization list can be specified. The architecture gives the possibility to specify only ONE list per object.
(Diagram: Authorization List ABC with ANJA ALL, EDWIN CHANGE, RONALD USE, LEEN AUTLMGT, PUBLIC EXCLUDE. The object header holds the object type, the owner, AUTHORIZATION LIST ABC and public authority AUTL; the object's authorizations are defined in Authorization List ABC.)
Note: In this example the public authority is now taken from the authorization list entry PUBLIC.

AUTHORIZATION CHECK FLOW
Authorization check flow sequence:
1. Special authority of the user
2. Specific authority of the user
3. User on authorization list
4. Special authority of the group
5. Specific authority of the group
6. Group on authorization list
7. PUBLIC authority in object
8. PUBLIC on authorization list
AS/400 looks whether the user has a special authority. If there is no special authority, the next step is to look for a specific authority defined, and so on. When any authorization definition for the object is found, the search stops. This mechanism is called exclusive access control and is the opposite of accumulated access control.
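A model of the eight-step check flow and of the USE / CHANGE / ALL groupings from the grouping table, as an added example that is not code from the original slides: the user, group and object names are constructed, the authority values are the OS/400 special values written with their leading asterisk, and groups are walked in the first-match order the slide describes.

```python
"""Model of the OS/400 authorization check flow with grouped authorities and
an authorization list. The search stops at the first definition found, even
when that definition denies access (exclusive access control)."""
from dataclasses import dataclass, field
from typing import Optional

# Grouped values expanded to header (OBJ*) and data authorities, as in the
# grouping table. *EXCLUDE expands to nothing and therefore always denies;
# *AUTLMGT only allows maintaining the list and grants no object access.
GROUPINGS = {
    "*USE": {"*OBJOPR", "*READ"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT"},
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*READ", "*ADD", "*UPD", "*DLT"},
    "*EXCLUDE": set(),
    "*AUTLMGT": set(),
}


def expand(authority):
    """A grouped value becomes its set of specific authorities; a user-defined
    combination (USER DEF) is passed in as a set and used as-is."""
    return GROUPINGS[authority] if isinstance(authority, str) else set(authority)


@dataclass
class UserProfile:
    name: str
    special: set = field(default_factory=set)    # special authorities, e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group profile names (up to 16)


@dataclass
class SecuredObject:
    name: str
    owner: str
    public: object = "*EXCLUDE"                  # grouped value, or "*AUTL"
    private: dict = field(default_factory=dict)  # profile name -> authority
    autl: Optional[dict] = None                  # authorization list entries, if connected


def check_access(user, profiles, obj, required):
    """Walk the eight steps; return (allowed, step at which a definition was found)."""
    def decide(authority, step):
        return required in expand(authority), step

    me = profiles[user]
    if "*ALLOBJ" in me.special:                       # 1. special authority of the user
        return True, 1
    if user in obj.private:                           # 2. specific authority of the user
        return decide(obj.private[user], 2)
    if obj.autl and user in obj.autl:                 # 3. user on the authorization list
        return decide(obj.autl[user], 3)
    for g in me.groups:                               # 4. special authority of a group
        if "*ALLOBJ" in profiles[g].special:
            return True, 4
    for g in me.groups:                               # 5. specific authority of a group
        if g in obj.private:
            return decide(obj.private[g], 5)
    for g in me.groups:                               # 6. group on the authorization list
        if obj.autl and g in obj.autl:
            return decide(obj.autl[g], 6)
    if obj.public != "*AUTL":                         # 7. PUBLIC authority in the object header
        return decide(obj.public, 7)
    if obj.autl and "*PUBLIC" in obj.autl:            # 8. PUBLIC entry on the authorization list
        return decide(obj.autl["*PUBLIC"], 8)
    return False, 0                                   # nothing defined at all: no access


# Constructed sample data: the list ABC from the slides plus a few profiles.
AUTL_ABC = {"ANJA": "*ALL", "EDWIN": "*CHANGE", "RONALD": "*USE",
            "LEEN": "*AUTLMGT", "*PUBLIC": "*EXCLUDE"}
PROFILES = {
    "QSECOFR": UserProfile("QSECOFR", special={"*ALLOBJ"}),
    "ANJA": UserProfile("ANJA"), "EDWIN": UserProfile("EDWIN"),
    "RONALD": UserProfile("RONALD"), "LEEN": UserProfile("LEEN"),
    "GRPOPS": UserProfile("GRPOPS", special={"*ALLOBJ"}),
    "GRPDEV": UserProfile("GRPDEV"),
    "GERT": UserProfile("GERT", groups=["GRPOPS"]),
    "FRANK": UserProfile("FRANK", groups=["GRPDEV"]),   # private *EXCLUDE beats the group's *ALL
    "NOBODY": UserProfile("NOBODY"),
}
DATA_B23 = SecuredObject("B23", owner="ANJA", public="*AUTL",
                         private={"FRANK": "*EXCLUDE", "GRPDEV": "*ALL"}, autl=AUTL_ABC)

if __name__ == "__main__":
    for who, need in [("QSECOFR", "*DLT"), ("ANJA", "*DLT"), ("RONALD", "*UPD"),
                      ("FRANK", "*READ"), ("GERT", "*READ"), ("NOBODY", "*READ")]:
        print(who, need, check_access(who, PROFILES, DATA_B23, need))
```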
ADOPTED SECURITY
- AS/400 security allows a user to adopt the access authorization of the owner of a program
- When a user is allowed to execute a program owned by another user, the authority can be adopted
- The user then has the same access authority to the objects as the owner of the program
(Diagram: user A has EXCLUDE for DATA B23 (not allowed) and USE for program BAS of user B; via program BAS of user B the access is allowed.)

ADOPTED SECURITY: an example
User A has EXCLUDE for data B23 and USE for program BAS.
- DATA B23: owner user B, public authority EXCLUDE
- PROGRAM BAS: owner user B, public authority USE, adopting authority active
Note: In this example user B has access authority ALL to the object with data B23. User A can only access it through the program BAS.
ADOPTED SECURITY: another example
- When a program allows adoption of the authority of the program owner, the program must be created with the command CRTPGM PGM(B2S) USRPRF(*OWNER)
- When program adoption is active, the authority is propagated to subsequently called programs
(Diagram: user A has USE for B2S; program B2S of user B calls program X2U of user X, which accesses DATA X24.)

ADOPTED SECURITY: another example (continued)
User A has USE for program B2S and EXCLUDE for data X24.
- PROGRAM B2S: owner user B; calls program X2U
- PROGRAM X2U: owner user X; user A has USE for it
- DATA X24: program X2U also has USE authority to DATA X24
Note: Adopted security is the only accumulated security within AS/400.
DEDICATED SERVICE TOOLS
Dedicated service tools are used to solve problems occurring in the licensed internal code and to work with disk configurations. To use these tools the system must be IPLed in attended mode with the keylock in position MANUAL. There are three levels of DST authorization:
- SECURITY: used by the security officer to do all DST functions and change the DST passwords
- FULL: to use all DST functions except DST password changes
- BASIC: to use DST functions not affecting sensitive data
Note: The security officer must change the DST passwords after installing the system. With CHGDSTPWD the DST passwords can be reset.

JOURNALING
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types.
(Diagram: AS/400 security events go to the journal, activated with system value QAUDJRN(*JRN); the journal level is activated with system values, e.g. AUTFAIL and PGMFAIL; the entries are stored in journal receiver USERRECV, from which the security officer retrieves them.)
SECURITY DEFINITION INTERFACE
Menu interface (started with GO SECURITY), e.g. the Define User Profile panel with the fields User Profile, Password, Password Expired, User Class, Current Library, Initial Program and Initial Menu.
Command interface (from the ===> command line):
CRTUSRPRF  Create user profile
CHGUSRPRF  Change user profile
DLTUSRPRF  Delete user profile
DSPUSRPRF  Display user profile
CHGPWD     Change password
DSPAUTUSR  Display authorized users
CHGPRF     Change profile (normal users)
WRKUSRPRF  Work with user profiles

PART X: ADDITIONAL INFORMATION, ONLY FOR THE AS/400 AUDITOR
LIMITED USERS
- Restrictions can be defined in the user profile, the so-called limited capability (LMTCPB)
- Users can be prevented from changing the initial menu, initial program and current library
- When a user signs on, the user profile definition may contain an initial menu to display or a program to execute. The signed-on user can only use this menu structure or can only execute the defined program when limited capability = YES
- When a user is PARTIAL limited (also defined in the user profile) the user may change the main menu and is allowed to issue commands from the command line

LIBRARY SECURITY
- To administer the existence of objects a library is used. Libraries are also objects, and to find an object the user needs at least USE access to the library in order to search for the objects described in it
- Give the public authority for the objects in the library as high as necessary and set the public authority for the library to EXCLUDE
- Authority for the library must then be given to individual users
LIBRARY SECURITY (continued)
(Diagram: LIBRARY A, owner user A, public authority EXCLUDE, containing OBJECT A, OBJECT B, OBJECT C etc., each with DATA and public authority USE. USER B has USE on LIBRARY A; USER C does not.)

PHYSICAL VERSUS LOGICAL FILE SECURITY
- A physical file, which contains the physical records, can be accessed directly by the users or indirectly with a logical file definition. This logical file definition can give a different view of the physical data
- The physical file object P on the next slide cannot be accessed directly, because the user has no access to the header information
- By giving access to a logical file with a certain view of the physical data, a user only has access to that part of the data
PHYSICAL VERSUS LOGICAL FILE SECURITY (continued)
(Diagram: PHYSICAL FILE P, public authority NONE, with its data description specification (records and fields), holds the DATA. OBJECT L1 is a logical file with public authority OBJOPR and a data description specification giving a view of the records and the fields A and B of file P. OBJECT L2 is a logical file with public authority CHANGE giving a view of the records and the fields X and Y of physical file P.)

AUTHORITY HOLDER
AS/400 gives the opportunity to set up an object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It is connected to the object's data part when the data is created.
(Diagram: AUTHORITY HOLDER with public authority USE, an object header created in advance, connected to the DATA when that is created in the future.)
ADOPTED SECURITY: an example
(Same example as in the section Adopted security above: user A has EXCLUDE for data B23 and USE for program BAS, both owned by user B; user B has ALL to B23, and user A can only access it through program BAS, which adopts authority.)

ADOPTED SECURITY: SEARCH SEQUENCE
The search for program A can be changed by the library sequence. When program B calls program A, program A will be found in Library B:
SEARCH: Library B (containing program A and program B), then Library A (containing program A)
If Library A is placed in front of Library B, program A is found in the other library, which can result in the execution of a controlled program and give unpredicted results like a security breach:
SEARCH: Library A (containing program A), then Library B (containing program A and program B)
ADOPTED SECURITY (continued)
- To eliminate the possibility to use the library sequence, the program call should supply the library name by using the qualified name in the CALL command: CALL PGM(LIBB/PGMA) (library B, program A). Program A will then only be used from library B
- Another way to eliminate this security problem is not to call the program but to transfer control (TFRCTL) to program A
- With TFRCTL program A will not adopt the authorization of user B. This can only be done when appropriate for the program logic flow

JOURNALING
- To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary
- The journal receiver is the object that will hold the journal entries and can be defined by the security officer using his/her own naming conventions
- The journal is created with the following command and activated with the system values shown:
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(USERRECV)
QAUDJRN(*JRN)
QAUDLVL(*AUTFAIL *PGMFAIL)
- To set the level of journaling the system value QAUDLVL must be set. Possible values are NONE, AUTFAIL, SAVRST, DELETE, SECURITY, CREATE, OBJMGT and PGMFAIL
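A model of the adopted-authority slides (propagation down a CALL chain, the effect of TFRCTL, and unqualified versus qualified program names against the library list), as an added example that is not code from the original slides: the program, library, object and user names are constructed, and the authority check is a simplified lookup of grouped values rather than the full eight-step flow.

```python
"""Adopted authority and library-list resolution: CALL carries the adopted owner
authority into the called program, TFRCTL does not, and an unqualified name is
taken from the first library in the library list that holds it."""
from dataclasses import dataclass, field
from typing import Optional

GRANTS_USE = {"*USE", "*CHANGE", "*ALL"}   # grouped values that include *OBJOPR + *READ


@dataclass
class Program:
    name: str
    library: str
    owner: str
    adopt_owner: bool = False                 # created with CRTPGM ... USRPRF(*OWNER)
    actions: list = field(default_factory=list)
    # actions: ("READ", object) or ("CALL"/"TFRCTL", program, library or None for unqualified)


def resolve(name: str, library: Optional[str], liblist: list, programs: dict):
    """Qualified name: that library only. Unqualified: first hit in library-list order."""
    if library is not None:
        return programs.get((library, name))
    for lib in liblist:
        if (lib, name) in programs:
            return programs[(lib, name)]
    return None


def has_use(principals, obj, authorities):
    """True if the user or any adopted owner holds a grouped value that includes USE."""
    return any(authorities.get((p, obj)) in GRANTS_USE for p in principals)


def run(user, prog, liblist, programs, authorities, adopted=(), trace=None):
    """Walk a program's actions and return a trace of
    (library, program, action, target, allowed) tuples. `adopted` is the set of
    program owners whose authority is in effect: it accumulates down a CALL chain
    (the one accumulated authority in AS/400) and is dropped by TFRCTL, because
    the transferring program leaves the call stack."""
    trace = [] if trace is None else trace
    adopted = set(adopted) | ({prog.owner} if prog.adopt_owner else set())
    principals = {user} | adopted
    for action in prog.actions:
        kind, target = action[0], action[1]
        if kind == "READ":
            trace.append((prog.library, prog.name, "READ", target,
                          has_use(principals, target, authorities)))
            continue
        callee = resolve(target, action[2], liblist, programs)
        if callee is None or not has_use(principals, callee.name, authorities):
            trace.append((prog.library, prog.name, kind, target, False))
            continue
        trace.append((prog.library, prog.name, kind, f"{callee.library}/{callee.name}", True))
        run(user, callee, liblist, programs, authorities,
            adopted if kind == "CALL" else set(), trace)
    return trace


# Constructed scenario from the slides: user A has *USE on B2S and X2U but
# *EXCLUDE on data X24; B2S (owner B, adopting) calls X2U (owner X), which reads X24.
AUTHORITIES = {("A", "B2S"): "*USE", ("A", "X2U"): "*USE", ("A", "X24"): "*EXCLUDE",
               ("B", "X24"): "*USE", ("X", "X24"): "*ALL"}
X2U = Program("X2U", "LIBX", "X", actions=[("READ", "X24")])


def via_call():
    """B2S calls X2U: B's adopted authority propagates, so the read of X24 succeeds."""
    b2s = Program("B2S", "LIBB", "B", adopt_owner=True, actions=[("CALL", "X2U", None)])
    programs = {("LIBB", "B2S"): b2s, ("LIBX", "X2U"): X2U}
    return run("A", b2s, ["LIBB", "LIBX"], programs, AUTHORITIES)


def via_tfrctl():
    """Same chain with TFRCTL: B2S leaves the stack and X2U runs with A's own authority."""
    b2s = Program("B2S", "LIBB", "B", adopt_owner=True, actions=[("TFRCTL", "X2U", None)])
    programs = {("LIBB", "B2S"): b2s, ("LIBX", "X2U"): X2U}
    return run("A", b2s, ["LIBB", "LIBX"], programs, AUTHORITIES)


def library_list_resolution(qualified: bool):
    """Another X2U in LIBA, placed ahead of LIBX in the library list: an unqualified
    CALL resolves to LIBA/X2U and runs it under B's adopted authority; the
    qualified CALL LIBX/X2U keeps the intended program."""
    other = Program("X2U", "LIBA", "A", actions=[("READ", "X24")])
    b2s = Program("B2S", "LIBB", "B", adopt_owner=True,
                  actions=[("CALL", "X2U", "LIBX" if qualified else None)])
    programs = {("LIBB", "B2S"): b2s, ("LIBX", "X2U"): X2U, ("LIBA", "X2U"): other}
    return run("A", b2s, ["LIBA", "LIBB", "LIBX"], programs, AUTHORITIES)


if __name__ == "__main__":
    print("CALL:  ", via_call())
    print("TFRCTL:", via_tfrctl())
    print("unqualified:", library_list_resolution(False))
    print("qualified:  ", library_list_resolution(True))
```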