AUDIT: *ALLOBJ.. but really how?

100 pts.
Tags:
*ALLOBJ
AS/400
IBM
- If I have users with *ALLOBJ, but no access to command line:
  1. How does the user access those *any* objects on the server or app? How is the risk materializing? If I look at a client's screen and they say: "yeah I have allobj but see? I don't have a CL and my menu shows only 2-3 options.. So how do you think I'd access all of the objects on the server even though I have *ALLOBJ?"
  2. Do you agree that that user could also manage to get a CL?


Software/Hardware used:
iseries, os400, ibm, middle-range

Discuss This Question: 8  Replies

 
  • Splat
    The question isn't so much that they may or may not be able to use (or misuse) *ALLOBJ authority as it is whether they should have it all.

    My view is that users should only have the authority necessary to perform their work and nothing beyond that. *ALLOBJ goes a bit beyond that for most users.
  • aldc123
    Okay, I understand. But here I'm trying to address the materialization of the risk. How would they access the objects with no CL? With ALLOBJ, that is?
  • Splat
    The scenario you describe has a low but not negligible risk.
  • GregManzo
    The risk really comes in when someone decides to open up some other interface (ODBC, etc.) and is unaware of just how many profiles you have given *ALLOBJ to.
    Driving really fast is negligible risk until there are other cars on the road.
  • TheRealRaven
    ODBC is an example that is most widely known for access to database objects that aren't easily visible nor accessible through a system command line or menu. There are many other methods that can access objects of any type, but there is no good reason to state the methods in a public Internet forum.
  • azohawk

    In theory: A hacker could come through a back door with a valid profile (i.e. FTP) and delete everything on the system or create a destructive program on the system.

    We give our users the ability to create their own queries (Query/400). In theory, someone could create a query to create a database file. If they create the new database file with the same name as an existing file, all of the existing data would be deleted.

    I have not seen a valid reason for users to have *allobj authority. Depending on the size of the IT staff, likely not even all of the IT staff working on the system should have *allobj. Someone that is only a developer does not need *allobj.

    The problem with *allobj authority is that objects can be created, deleted, modified, and access authority changed. 


  • GregManzo
    Well, you can't really delete everything. On a Unix box you can type "DEL *.*" and it will start deleting everything up until it has deleted the DEL command, then it fails - but by then your system is screwed. On an IBMi box you can sign on as QSECOFR and type the equivalent: "DLTLIB *ALL", only to be told it isn't a valid thing to do. (this OS is smarter than most hackers). The general point though is valid: If a hacker gets hold of the password for a profile that has been given *ALLOBJ and gets into the system via any means you didn't think of he can start causing damage or stealing info.
    Bottom line: We are blessed with the most secure OS on the planet - don't blow that by deliberately giving *ALLOBJ to users that have no valid reason for it.
  • TheRealRaven
    Stealing info can definitely cause the most business damage, but it might not be the largest risk because it can be rare. Accidental damage is far more common, so generally has a much higher relative cost for most businesses.

    A poorly configured /root file system and Windows shares have been a common past combination. Users who see odd objects showing up in Windows Explorer have been known to drag/drop them into their Windows Recycle Bin. It doesn't need to be 'everything'; a single shared directory can be disastrous if it disappears. If the authority to delete isn't granted, it won't happen.

    But on a secondary note, with network connections, HMCs, virtual control panels, potential access to DST and emulator sessions, it can be much closer to "delete everything" than we'd like to imagine. Tiny risk, true. Still...
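Added example, not part of the thread or any poster's reply: GregManzo's point about not knowing how many profiles hold *ALLOBJ can be checked with an inventory query. It assumes a release that provides the IBM i Services views QSYS2.USER_INFO and QSYS2.GROUP_PROFILE_ENTRIES and a profile authorized to read them; the output column names HELD_VIA and VIA_GROUP are made up for this example.

```sql
-- Added audit example (not from the thread).
-- Lists every profile that holds *ALLOBJ, either directly or inherited
-- from a group profile, next to the settings a user points to when
-- saying "I have no command line".
WITH allobj_direct AS (
    -- Profiles with *ALLOBJ among their own special authorities
    SELECT AUTHORIZATION_NAME
    FROM QSYS2.USER_INFO
    WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
),
allobj_effective AS (
    SELECT AUTHORIZATION_NAME           AS PROFILE_NAME,
           CAST('DIRECT' AS VARCHAR(6)) AS HELD_VIA,
           CAST(NULL AS VARCHAR(10))    AS VIA_GROUP
    FROM allobj_direct
    UNION ALL
    -- Members inherit the special authorities of their group profiles
    SELECT g.USER_PROFILE_NAME,
           CAST('GROUP' AS VARCHAR(6)),
           g.GROUP_PROFILE_NAME
    FROM QSYS2.GROUP_PROFILE_ENTRIES g
    JOIN allobj_direct d
      ON d.AUTHORIZATION_NAME = g.GROUP_PROFILE_NAME
)
SELECT e.PROFILE_NAME,
       e.HELD_VIA,
       e.VIA_GROUP,
       u.STATUS,              -- *ENABLED or *DISABLED
       u.LIMIT_CAPABILITIES,  -- *YES = restricted command line
       u.INITIAL_MENU_NAME,
       u.PREVIOUS_SIGNON
FROM allobj_effective e
JOIN QSYS2.USER_INFO u
  ON u.AUTHORIZATION_NAME = e.PROFILE_NAME
ORDER BY e.PROFILE_NAME, e.HELD_VIA;
```

Rows with LIMIT_CAPABILITIES of *YES are the "no command line" profiles from the question; they still appear in the result because the special authority belongs to the profile, not to the menu it signs on to.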
