Manage Learn to apply best practices and optimize your operations.

Restrict *PUBLIC access to critical OS components

Using the Revoke Public Authority command to restrict use of certain critical OS/400 commands and API objects.

As a security officer, you are responsible for keeping a tight rein on your system. To add just another level of confidence, take a look at running the Revoke Public Authority (RVKPUBAUT) command on your system to restrict the use of certain critical OS/400 commands and API objects.

There are quite a few OS/400 commands that could be used mischievously to make changes to your system. Those include things such as Restore Object (RSTOBJ)and Remove Job Queue Entry (RMVJOBQE). IBM ships those commands and API objects from the factory with the public authority set to *USE. To really lock up your system, it is recommended that the above set of objects be changed to restricted use -- using only the public authority set to *EXCLUDE. Then, you can build a list of specific individuals who are permitted to use those commands and set them up as part of a group with *USE authority set to the group. You could also simply authorize specific user profiles to the specific commands that they need access to.

More Information

For my system, I found a list of the specific system objects affected in Appendix G of the Security Reference Manual. The specific set of objects, however, could vary from system to system depending on the release of OS/400 you are running. A better way to tell what will be changed is to examine the CL program that is run by the command to develop your list.

You can check the source code for the CL program by retrieving the CL source into your own source physical file. The program that is run by the Revoke Public Authority is named QSECRVKP. To retrieve the source, you can run a command similar to the following:

    RTVCLSRC PGM(QSECRVKP) SRCFILE(MYLIBR/QSRC) SRCMBR(MYRVKPUB)

While you're at it, you can also modify that CL program to remove changes to the system objects you would like to leave at the public authority of *USE. For example, you may find restricting the Restore Object (RSTOBJ) command will not work well in your environment. If that's the case, remove (or comment out) the change to that object but leave the rest in place.

When all of your changes have been made, you can recompile the CL program. Be sure to specify a different name for your compiled program so the original *PGM object distributed with your operating system remains in place. Once the CL program is compiled, you'll need to change the program to be executed on the RVKPUBAUT command using Change Command (CHGCMD). An example of that might look like this:

    CHGCMD CMD(QSYS/RVKPUBAUT) PGM(MYLIB/MYRVKPUB)

When you're done run the command, and the specific list of commands and APIs will then have their public authority restricted. That process adds another layer of security to your system by removing the possibility those system objects can be used maliciously.

If you have any questions about this topic, you can reach me at rich@kisco.com, I'll give it my best shot. All e-mail messages will be answered.

---------------------------------------
About the author: Rich Loeber is president of Kisco Information Systems Inc. in Saranac Lake, N.Y. The company is a provider of various security products for the iSeries market.


Dig Deeper on iSeries system and application security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

-ADS BY GOOGLE

SearchDataCenter

Close