On a PC there is a threat of viruses, worms, hackers, etc.
We have all come across the term "safe computing" at some point
concerning the protection of our PCs. However, this term is seldom mentioned
in the iSeries 400 realm. It is true that OS/400 is a relatively closed
operating system that prevents the OS internals from being accessed by
user-written programs. However, the iSeries is still a computer and, unless
it is properly secured, there is a multitude of ways an unauthorized person
can gain access.
In this tip, I present three simple examples showing how easy it is for
an unauthorized person to gain access to the system and the steps that can
be taken to prevent such an occurrence.
1. Job descriptions with a user ID attached. Any user can submit a batch
job (SBMJOB) to run under another user ID by specifying
JOBD(&targeted-user) and USER(*JOBD). Security level 30 requires only *USE
authority to the job description. Set the system security level to 40 so
that *USE authority to both the job description and the user profile is
required. Also evaluate whether job descriptions with user IDs attached are
necessary, and restrict any that remain. The commands CRTJOBD and CHGJOBD
should also be restricted.
2. Servicing jobs and related commands. A user who has either *SERVICE
special authority or *USE authority to a user profile can execute commands
that run under another user ID. This is done with STRSRVJOB followed by
TRCJOB, specifying a program in the EXITPGM parameter. The exit program
is coded to read a command from a file or data queue and then call QCMDEXC
to run it. To prevent this, do not grant *SERVICE special authority, and
restrict access to all service commands and user profiles.
3. Workstation entry. Assume a job description has a user ID attached to
it. By using the ADDWSE command and specifying the JOBD parameter, it is
possible to sign on as that user ID without its password. To prevent this,
change the system security level to 40 and restrict the use of ADDWSE and
CHGWSE.
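As an added illustration (not part of the original tip and not IBM code), the Python below models the authority rule from item 1 and lists which users could run work under another profile at security level 30 versus level 40. Every library, job description and profile name in it is constructed sample data, and levels below 40 are assumed to behave like level 30.

```python
# Added example: models the SBMJOB ... USER(*JOBD) authority check from item 1.
# All object names and authority lists below are constructed sample data.

PUBLIC = "*PUBLIC"

# Job description -> user profile in its USER parameter (*RQD = none attached)
JOBDS = {
    "QGPL/NIGHTLY": "BATCHADM",
    "QGPL/PAYROLL": "PAYOWNER",
    "QGPL/DEFAULT": "*RQD",
}
# Object -> profiles holding at least *USE authority to it
USE_AUTH = {
    "QGPL/NIGHTLY": {PUBLIC},
    "QGPL/PAYROLL": {"CLERK1"},
    "QGPL/DEFAULT": {PUBLIC},
    "BATCHADM": {"OPER1"},   # *USE to the user profile itself
    "PAYOWNER": set(),
}
USERS = ["CLERK1", "OPER1", "GUEST"]


def has_use(user, obj):
    holders = USE_AUTH.get(obj, set())
    return user in holders or PUBLIC in holders


def can_run_as(user, jobd, level):
    """True if `user` can submit a job under the profile attached to `jobd`."""
    target = JOBDS[jobd]
    if target == "*RQD" or target == user:
        return False         # no profile attached, or no change of identity
    if not has_use(user, jobd):
        return False
    # Level 30: *USE to the job description is enough.
    # Level 40: *USE to the attached user profile is required as well.
    return level < 40 or has_use(user, target)


def exposures(level):
    """Sorted (user, jobd, target profile) triples that are open at `level`."""
    return sorted((u, j, JOBDS[j]) for u in USERS for j in JOBDS
                  if can_run_as(u, j, level))


if __name__ == "__main__":
    for level in (30, 40):
        print(f"QSECURITY {level}:")
        for user, jobd, target in exposures(level):
            print(f"  {user} -> {target} via {jobd}")
```

In the sample data one path stays open at level 40, because OPER1 holds *USE authority to the BATCHADM profile; this is why the tip also calls for reviewing job descriptions that have a user ID attached.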
These are some areas of security that are often overlooked. If they are not
properly checked, such abuses are very, if not extremely, difficult to
detect because the commands are run under a different user ID. The best
cure is still prevention.