The CAPP standard sets up a set of security requirements for information technology products, such as OS/400 or i5/OS. Products that conform to the CAPP standards support access controls, which are capable of limiting access to individual users and individual data objects while providing for audit capability for security related events that happen within the system environment.
It is important to know, however, that the CAPP standard only describes itself as providing protection for users who are assumed to be non-hostile. The standard assumes that protection is needed for inadvertent or casual access attempts, but it is not intended for attempts from "hostile and well funded attackers." So, keep in mind, that is NOT security nirvana.
OS/400 and i5/OS take the CAPP standard and apply it in four specific areas:
Discretionary access control (DAC) describes how access to objects can be controlled or limited to specific user profiles on the system. Through object authority, users are granted or excluded permission to use objects defined to the system.
Object reuse is a requirement for internal storage control. In most systems, when an object is deleted, it is only deleted at the directory level. The object still exists in the disk space where it was recorded but since it is no longer referenced by the directory, it cannot be used by most users. CAPP object reuse takes that a step further and prevents users who create new objects on the system from accessing information that was formerly stored in the allocated disk space.
Identification and authentication requires that users on the system are personally accountable for what they do. Each user must be uniquely identified -- that identity must be able to be confirmed and it must be immediately associated with all security events performed.
Auditability of security events in CAPP calls for the system being able to audit all security events at the user profile level. This audit information must include a time and date stamp, the nature of the event, the object or objects used and the user identifier.
As you can see, with all of these security requirements deployed, you are in a good position to properly manage and control the security environment on your system. OS/400 V5R3 and later support the CAPP standard when security level (system value QSECURITY) is set to level 50. So, you can take advantage of all of this security control, and more, by moving to this level. Be aware that changing your QSECURITY setting is not to be taken lightly and planning is required for a seamless move.
If you have specific questions about this topic, e-mail me at firstname.lastname@example.org. All e-mail messages will be answered.
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.
This was first published in March 2006