Post on 22-Apr-2018
www.skyviewpartners.com
World Class Security Experts
Copyright SkyView Partners, 2006. All Rights Reserved
Security Considerations for the IFS
Carol Woodbury, President and Co-Founder
SkyView Partners, Inc
carol.woodbury@skyviewpartners.com
Agenda
- Why you should care about security in the IFS
- How security differs between the IFS and OS/400
- Tools to manage security in the IFS
- Auditing and the IFS
- File shares
Why Should I Care?
- More IBM products and third-party apps are implemented in file systems other than QSYS.LIB
  - WebSphere
  - Web servers
  - iSeries Access
- Default access is the equivalent of *PUBLIC *ALL, which allows inappropriate
  - Directory creation
  - Storage of objects: PC backups, movies, music, pictures, etc.
What is Meant by the IFS
IFS Security Compared to i5/OS Security
Different:
- Ignores adopted authority
- Need to look in different audit fields
- Ignores ownership setting in user profile
- Ignores QCRTAUT system value
- Authority names (*RWX vs *CHANGE)
Same:
- Can use authorization lists and private authorities
- Has *PUBLIC authority
- Authority checking algorithm
IFS Authorities
[Table on the slide: the seven IFS data authority values (*RWX, *RW, *RX, *R, *WX, *W, *X) mapped to the underlying i5/OS authorities they contain.]
- Data authorities: *OBJOPR, *READ, *ADD, *UPD, *DLT, *EXECUTE (each *R/*W/*X combination is a subset of these; *OBJOPR is part of all seven)
- Object authorities: *OBJMGT, *OBJEXIST, *OBJALTER, *OBJREF, *AUTLMGT (managed separately from the data authorities)
IFS Authorities
*RWX = Read/Write/Execute (*CHANGE)
*RW = Read/Write
*RX = Read/Execute (*USE)
*R = Read
*WX = Write/Execute
*W = Write
*X = Execute
Need:
- *R to read a file or to list the contents of a directory
- *W to write to a file or add a file to a directory
- *X to traverse through a directory, e.g., ‘/home/cjw’
Two sets of authority to manage
CHGAUT – Change Authority command
Note that the command requires a pathname for the OBJ parameter
Two sets of authority to manage
WRKAUT – Work with Authority command
Note: the recommended setting for ‘/’ is data authorities *RX and object authorities *NONE.
Working with Permissions in iSeries Navigator
Navigate to the file
Right click, choose Permissions
Locking Down the IFS
- Start at the top, just like OS/400
  - First secure the directories
  - If required, then further secure the objects within
- Secure using
  - *PUBLIC authority
  - Groups
  - Authorization lists
  - Private authorities
What Authorities to Use?
- OBJAUT(*NONE) and DTAAUT(*X) to traverse all directories in a path
- OBJAUT(*NONE) and DTAAUT(*RX) to the directory to read or list the contents
- OBJAUT(*NONE) and DTAAUT(*RWX) to the directory to create objects into it
- OBJAUT(*NONE) and DTAAUT(*WX) to the directory to rename or delete objects
- OBJAUT(*OBJMGT) at the object level for objects to copy or rename
- OBJAUT(*OBJEXIST) at the object level for objects to delete
IBM directories are generally OK
Tools for managing IFS authorities - SECTOOLS
SECTOOLS – PRTPUBAUT and PRTPVTAUT
Note: Use caution when specifying *YES to search subdirectory!
Managing IFS Access with QPWFSERVER Autl
No authority – no access to QSYS.LIB file system using Explorer.
Ignored when using FTP or ODBC
Ships with *PUBLIC *USE
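The lock-down steps above (root at *RX/*NONE, directories before objects, the PRTPUBAUT report, and the QPWFSERVER list) as one CL program. This is an added example, not code from the slides; '/appdata', APPREAD, APPWRITE and APPADMIN are assumed names, and the PRTPUBAUT parameters should be checked against your release.

```cl
/* Added example, not from the slides: apply the recommended            */
/* authorities to '/' and to an application tree, then close the       */
/* QPWFSERVER door. Directory, group and user names are assumed.       */
PGM
  /* 1. See what *PUBLIC can reach today. SUBDIR(*YES) walks the whole */
  /*    tree, so keep the starting directory narrow.                    */
  PRTPUBAUT OBJTYPE(*STMF) DIR('/appdata') SUBDIR(*YES)

  /* 2. '/' itself: data *RX, object *NONE. SUBTREE(*NONE) so nothing  */
  /*    below the root is touched.                                      */
  CHGAUT OBJ('/') USER(*PUBLIC) DTAAUT(*RX) OBJAUT(*NONE) SUBTREE(*NONE)

  /* 3. Exclude the public from the whole application tree. *X on '/'  */
  /*    still lets a job traverse to it, but not list or write in it.   */
  CHGAUT OBJ('/appdata') USER(*PUBLIC) DTAAUT(*EXCLUDE) OBJAUT(*NONE) +
         SUBTREE(*ALL)

  /* 4. Readers: *RX to read files and list directory contents.         */
  CHGAUT OBJ('/appdata') USER(APPREAD) DTAAUT(*RX) OBJAUT(*NONE) +
         SUBTREE(*ALL)

  /* 5. Writers on the inbound directory: *RWX to create objects and    */
  /*    *OBJEXIST so they can delete what they created. New files       */
  /*    inherit these entries from the directory.                        */
  CHGAUT OBJ('/appdata/in') USER(APPWRITE) DTAAUT(*RWX) +
         OBJAUT(*OBJEXIST) SUBTREE(*ALL)

  /* 6. QPWFSERVER: no entry means no QSYS.LIB browsing through the     */
  /*    file server (Explorer); FTP and ODBC are not affected by it.     */
  CHGAUTLE AUTL(QPWFSERVER) USER(*PUBLIC) AUT(*EXCLUDE)
  ADDAUTLE AUTL(QPWFSERVER) USER(APPADMIN) AUT(*USE)

  /* 7. Verify the result before the application is tested.             */
  DSPAUT OBJ('/appdata')
  DSPAUTL AUTL(QPWFSERVER)
ENDPGM
```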
Management tools available “as is” from IBM
- QRYIFSLIB dumps information such as file size, owner, primary group, etc. to an outfile.
- CHGOWNALL runs the CHGOWN command on all files and subdirectories in the specified directory.
- CHGAUTALL runs the CHGAUT command on all files and subdirectories in the specified directory.
- RNMIFSF renames an invalid file or directory name.
- DLTIFSF deletes from the IFS a file containing invalid characters.
- DSPLINK displays the actual location that a symbolic link references.
- CHGCCSID changes the CCSID on one file or all files in a directory.
- ATTRIB allows IFS file attributes to be updated from OS/400 without requiring a network drive or PC connection.
- DELTREE deletes all files, directories, and subdirectories from the parent directory down. Obviously, this one needs to be used with caution.
Download from ftp://testcase.boulder.ibm.com/as400/fromibm/ApiSamples/ifstool.savf
Ignores QCRTAUT system value
What authority do newly created objects get?
- Typically inherits ALL authorities of the directory it’s being created into
  - Authorization list, *PUBLIC, private, etc.
- Exceptions:
  - CPYTOSTMF
    - Does not copy private authorities or AUTL
    - *PUBLIC and primary group are set to *EXCLUDE
    - Owner has *RWX
    - Need to change after the create using CHGAUT
  - creat(), move(), mkdir() APIs where the authority can be specified
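The CPYTOSTMF exception above, followed by the CHGAUT step that restores what the directory would otherwise have passed on. Added example, not from the slides; the member path, '/appdata/out', the APPREAD/APPWRITE groups and the APPDATA authorization list are assumed names.

```cl
/* Added example, not from the slides: CPYTOSTMF leaves the new stream */
/* file with *PUBLIC *EXCLUDE and owner *RWX only, so the directory's  */
/* private authorities and AUTL must be re-applied afterwards.         */
PGM
  CPYTOSTMF FROMMBR('/QSYS.LIB/PRODDATA.LIB/EXPORT.FILE/EXPORT.MBR') +
            TOSTMF('/appdata/out/export.csv') STMFOPT(*REPLACE) +
            STMFCODPAG(*PCASCII)

  /* Re-apply what the directory would have granted: readers *RX,     */
  /* writers *RWX plus *OBJEXIST, and the directory's authorization   */
  /* list. *PUBLIC stays *EXCLUDE, which is what the tree wants anyway.*/
  CHGAUT OBJ('/appdata/out/export.csv') USER(APPREAD) DTAAUT(*RX) +
         OBJAUT(*NONE)
  CHGAUT OBJ('/appdata/out/export.csv') USER(APPWRITE) DTAAUT(*RWX) +
         OBJAUT(*OBJEXIST)
  CHGAUT OBJ('/appdata/out/export.csv') AUTL(APPDATA)

  /* Confirm the entries now match the directory's.                   */
  DSPAUT OBJ('/appdata/out/export.csv')
ENDPGM
```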
Managing ownership
CHGOWN – Change Owner command
Note: Replace ‘PRODDATA.FILE’ in the pathname with *.* and all objects in the library are changed
Application authorization options
Adopted authority is ignored
Options:
- User has authorization through
  - *PUBLIC
  - Individual (private) authority for user or group
  - Primary group authority
  - Authorization list
- Use one of the swap APIs
  - Profile swap
  - Profile token
  - Set UID or Set GID
Swap profile – uid and gid APIs
[Diagram on the slide:]
- Using qsysetuid(): SALLY (groups SAL_GRP_1, SAL_GRP_2, SAL_GRP_3) swaps to JOE (groups SAL_GRP_1, SAL_GRP_2, SAL_GRP_3)
- Using qsysetgid(): SALLY (groups SAL_GRP_1, SAL_GRP_2, SAL_GRP_3) swaps to SALLY (groups APP_PROF, SAL_GRP_2, SAL_GRP_3)
Auditing
CHGAUD – Change Auditing command
Audit entries
- *N in the Object Name field of an audit entry indicates the object is a pathname
- Pathname is a 5002 character field at the end of the audit journal entry
- Must use DSPJRN (Display Journal) command to display
  - See iSeries Security Reference manual, Appendix F for outfile layout
  - DSPAUDJRNE (Display Audit Journal Entry) does not support pathnames
Audit entries – Key for Reworking Security
- Make sure *CREATE and *DELETE are specified in QAUDLVL system value
- Query for objects being created into or deleted out of directories
  - Hint: Query for all objects with *N as the Object Name
- This tells you what authority is required for the process to write to the directory.
  - *PUBLIC DTAAUT(*EXCLUDE) OBJAUT(*NONE)
  - FTPDWNLOAD DTAAUT(*RX) OBJAUT(*NONE)
  - FTPUPLOAD DTAAUT(*RWX) OBJAUT(*NONE)
DSPAUDJRNE
DSPAUDJRNE ENTTYP(CO)
DSPJRN
- CRTDUPOBJ OBJ(QASYCOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
- DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '17:30:00') + JRNCDE((T)) ENTTYP(CO) OUTPUT(*OUTFILE) + OUTFILFMT(*TYPE4) OUTFILE(QTEMP/QASYCOJ4)
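The "key for reworking security" procedure and the DSPJRN extraction above, carried through to the *N query the hint describes, for both create (CO) and delete (DO) entries. Added example, not the slides' own code; the field names COONAM and DOONAM follow the Security Reference Appendix F outfile layouts and should be checked on your release, and the date and '/appdata' are assumed.

```cl
/* Added example, not from the slides: pull one day's create (CO) and  */
/* delete (DO) entries into outfiles, then keep only the rows whose    */
/* object name is *N, i.e. IFS path-name objects.                      */
PGM
  /* Nothing is logged unless QAUDLVL carries *CREATE and *DELETE.     */
  /* CHGSYSVAL replaces the whole list, so display it first and re-add */
  /* the existing values alongside the two you need.                    */
  DSPSYSVAL SYSVAL(QAUDLVL)

  /* Optional: object-level auditing on the tree being reworked.       */
  CHGAUD OBJ('/appdata') OBJAUD(*ALL) SUBTREE(*ALL)

  /* Model outfiles from QSYS; DSPAUDJRNE cannot show the path name,   */
  /* so DSPJRN with OUTFILFMT(*TYPE4) is the route.                     */
  CRTDUPOBJ OBJ(QASYCOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
  CRTDUPOBJ OBJ(QASYDOJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QTEMP)
  DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '00:00:00') +
         TOTIME('09/13/05' '23:59:59') JRNCDE((T)) ENTTYP(CO) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QTEMP/QASYCOJ4)
  DSPJRN JRN(QAUDJRN) FROMTIME('09/13/05' '00:00:00') +
         TOTIME('09/13/05' '23:59:59') JRNCDE((T)) ENTTYP(DO) +
         OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QTEMP/QASYDOJ4)

  /* *N in the object name marks a path-name object; the path is in    */
  /* the 5002-character field at the end of each record. The user and  */
  /* job columns show which profile needs write authority to the       */
  /* directory, and therefore which DTAAUT to grant it.                 */
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/QASYCOJ4)) QRYSLT('COONAM *EQ "*N"')
  RUNQRY QRY(*NONE) QRYFILE((QTEMP/QASYDOJ4)) QRYSLT('DOONAM *EQ "*N"')
ENDPGM
```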
File shares
- File shares make the directory “available” to the network
- Many systems have shared ‘/’
- Manage file shares through iSeries Navigator
File shares
Navigate to the directory
Right click
Choose Sharing, New sharing to define a new share
A hand underneath the folder indicates a share
File shares
- Shares can be Read only or Read/Write
- Underlying OS/400 authorities on the object determine what can be done to the file
- Secure the QZLSADFS (Add file share) and QZLSCHRS (Change file share) APIs
New IFS System Values and Exit Points – V5R3
- QSCANFS – Scan file system
  - *NONE or *ROOTOPNUD – every stream file in ‘/’, QOpenSys and user-defined file systems is scanned
  - Works together with the QIBM_QP0L_SCAN_OPEN (Scan on Open) and QIBM_QP0L_SCAN_CLOSE (Scan on Close) exit points to define what program does the scanning.
  - Documented in the API section of the Info Center.
- QSCANFSCTL – Scan file system control parameters
  - Determines which objects within a file system are scanned, and when (for example, scan only when the object is changed).
  - Determines the action to take when the scan fails.
  - Works together with new attributes on *DIR (*CRTOBJSCAN) and *STMF (*SCAN)
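The V5R3 scan support above, switched on and applied to one directory. Added example, not from the slides; the QSCANFSCTL value and the exit point format names are the documented ones but should be checked in the Info Center for your release, and SCANLIB/SCANPGM and '/appdata/in' are assumed names.

```cl
/* Added example, not from the slides: enable scan-on-open/close and   */
/* mark one directory so files created in it carry the *SCAN attribute. */
PGM
  /* *ROOTOPNUD: stream files in '/', QOpenSys and user-defined file   */
  /* systems are scanned; *NONE switches the support off.               */
  CHGSYSVAL SYSVAL(QSCANFS) VALUE('*ROOTOPNUD')

  /* *ERRFAIL: a scan error counts as a failed scan, so the open or    */
  /* close fails closed instead of silently passing the file through.  */
  CHGSYSVAL SYSVAL(QSCANFSCTL) VALUE('*ERRFAIL')

  /* Directory attribute: new stream files get *SCAN(*YES); files that */
  /* already exist are marked individually.                             */
  CHGATR OBJ('/appdata/in') ATR(*CRTOBJSCAN) VALUE(*YES)
  CHGATR OBJ('/appdata/in/*') ATR(*SCAN) VALUE(*YES)

  /* The system value only says what to scan; the exit programs do the */
  /* scanning. Register the same program on both exit points.          */
  ADDEXITPGM EXITPNT(QIBM_QP0L_SCAN_OPEN) FORMAT(SCOP0100) PGMNBR(1) +
             PGM(SCANLIB/SCANPGM)
  ADDEXITPGM EXITPNT(QIBM_QP0L_SCAN_CLOSE) FORMAT(SCCL0100) PGMNBR(1) +
             PGM(SCANLIB/SCANPGM)
ENDPGM
```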
Stop Ignoring the IFS
- Many people are choosing to ignore the security issues residing in the IFS
For More Information …
- Experts’ Guide to OS/400 Security by Carol Woodbury and Patrick Botz, ISBN 1-58304-096-X, 29th Street Press 2004.
- White paper – “Virus Got you Down?” http://www.skyviewpartners.com/java-skyviewp/security.jsp
- iSeries Security Reference manual, Appendix D. Available from the IBM Information Center at http://www.iseries.ibm.com/infocenter
- www.skyviewpartners.com – Providing policy management and risk assessment software and security services!