<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Can anyone provide a list of &#8220;Best Practices&#8221; or recommended commands to secure from command line users&#8230;???</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/itanswers/can-anyone-provide-a-list-of-best-practices-or-recommended-commands-to-secure-from-command-line-users/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/itanswers/can-anyone-provide-a-list-of-best-practices-or-recommended-commands-to-secure-from-command-line-users/</link>
	<description></description>
	<lastBuildDate>Fri, 24 May 2013 12:30:07 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: tomliotta</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/can-anyone-provide-a-list-of-best-practices-or-recommended-commands-to-secure-from-command-line-users/#comment-80127</link>
		<dc:creator>tomliotta</dc:creator>
		<pubDate>Tue, 10 Aug 2010 05:45:38 +0000</pubDate>
		<guid isPermaLink="false">#comment-80127</guid>
		<description><![CDATA[One way to answer this is to create a simple user profile with no authority but with command-line access. Then run this command:&lt;pre&gt;
DSPOBJD OBJ(*ALL/*ALL)
        OBJTYPE(*CMD)
        OUTPUT(*OUTFILE)
        OUTFILE(QTEMP/CMD)&lt;/pre&gt;
Use RUNQRY or SQL to create a list of names that begin with STR*, END*, CFG*, CLR*, CPY*, RMV*, RST*, SAV*, ADD*, CRT*, CHG* and WRK*. You probably should include DSP*, HLD*, RLS*, GRT*, RVK*, EDT*, OVR*, PRT*, RCL* and RNM*. Other than those, you probably should review the rest on an individual basis to see if you want them included. You need to look at all of the others because you can&#039;t afford to skip commands such as CALL which obviously trumps almost all of the others.

Then feed the list into a CL program that grants *EXCLUDE authority for each individual on the list.

Note that you need to run this against *ALL commands in *ALL libraries, not just QSYS. Commands from 3rd-party products or utilities shouldn&#039;t be missed nor home-grown commands.

If that seems excessive, be aware that a command that seems as harmless as ADDMSGD can lead directly to total control of your system. Many commands can be as powerful as ADDMSGD. (Long-time AS/400 developers can recall when IBM finally changed QCPFMSG to restrict users from changing it. The same vulnerability exists in every other message file that might be found anywhere on your system.)

Tom]]></description>
		<content:encoded><![CDATA[<p>One way to answer this is to create a simple user profile with no authority but with command-line access. Then run this command:
<pre>
DSPOBJD OBJ(*ALL/*ALL)
        OBJTYPE(*CMD)
        OUTPUT(*OUTFILE)
        OUTFILE(QTEMP/CMD)</pre>
<p>Use RUNQRY or SQL to create a list of names that begin with STR*, END*, CFG*, CLR*, CPY*, RMV*, RST*, SAV*, ADD*, CRT*, CHG* and WRK*. You probably should include DSP*, HLD*, RLS*, GRT*, RVK*, EDT*, OVR*, PRT*, RCL* and RNM*. Other than those, you probably should review the rest on an individual basis to see if you want them included. You need to look at all of the others because you can&#8217;t afford to skip commands such as CALL which obviously trumps almost all of the others.</p>
<p>Then feed the list into a CL program that grants *EXCLUDE authority for each individual on the list.</p>
<p>Note that you need to run this against *ALL commands in *ALL libraries, not just QSYS. Commands from 3rd-party products or utilities shouldn&#8217;t be missed nor home-grown commands.</p>
<p>If that seems excessive, be aware that a command that seems as harmless as ADDMSGD can lead directly to total control of your system. Many commands can be as powerful as ADDMSGD. (Long-time AS/400 developers can recall when IBM finally changed QCPFMSG to restrict users from changing it. The same vulnerability exists in every other message file that might be found anywhere on your system.)</p>
<p>Tom</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: woodengineer</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/can-anyone-provide-a-list-of-best-practices-or-recommended-commands-to-secure-from-command-line-users/#comment-69217</link>
		<dc:creator>woodengineer</dc:creator>
		<pubDate>Mon, 19 Oct 2009 16:03:06 +0000</pubDate>
		<guid isPermaLink="false">#comment-69217</guid>
		<description><![CDATA[According to IBM, the best practice is to secure the data.  Once the data is secure you do not need to worry about the commands.  It&#039;s probably also easier to secure the data than the commands because you know your data files and libraries.  Keeping up with IBM&#039;s commands and exit points could consume a lot of your time.

The group profile feature is a handy way to secure data efficiently.  When users are hired or fired, just delete the group profile reference from the user&#039;s profile and you are covered.]]></description>
		<content:encoded><![CDATA[<p>According to IBM, the best practice is to secure the data.  Once the data is secure you do not need to worry about the commands.  It&#8217;s probably also easier to secure the data than the commands because you know your data files and libraries.  Keeping up with IBM&#8217;s commands and exit points could consume a lot of your time.</p>
<p>The group profile feature is a handy way to secure data efficiently.  When users are hired or fired, just delete the group profile reference from the user&#8217;s profile and you are covered.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: iseriesvet</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/can-anyone-provide-a-list-of-best-practices-or-recommended-commands-to-secure-from-command-line-users/#comment-56935</link>
		<dc:creator>iseriesvet</dc:creator>
		<pubDate>Tue, 07 Oct 2008 17:17:53 +0000</pubDate>
		<guid isPermaLink="false">#comment-56935</guid>
		<description><![CDATA[Maybe the question is what do your users with command line access (excluding administrators) need access to?  The common thing I have done is to remove command line access, but provide a menu that will perform the items that they need to perform.  There may even be things that can be filled in for the user when prompting the command, to restrict the access even further.  I have also written some basic programs that perform functions with adopted authority, so the user doesn&#039;t need a high level of security to perform these functions.

Please also remember that if you install iSeries Navigator, many things can be done from there - but it is quite easy to limit what the users can do in this utility.  However, if you don&#039;t limit them there the back door is wide open.  I can even execute CL commands (or their equivalents) from the DB function in iSeries Navigator, so having appropriate object level security is still important.]]></description>
		<content:encoded><![CDATA[<p>Maybe the question is what do your users with command line access (excluding administrators) need access to?  The common thing I have done is to remove command line access, but provide a menu that will perform the items that they need to perform.  There may even be things that can be filled in for the user when prompting the command, to restrict the access even further.  I have also written some basic programs that perform functions with adopted authority, so the user doesn&#8217;t need a high level of security to perform these functions.</p>
<p>Please also remember that if you install iSeries Navigator, many things can be done from there &#8211; but it is quite easy to limit what the users can do in this utility.  However, if you don&#8217;t limit them there the back door is wide open.  I can even execute CL commands (or their equivalents) from the DB function in iSeries Navigator, so having appropriate object level security is still important.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: tpinky</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/can-anyone-provide-a-list-of-best-practices-or-recommended-commands-to-secure-from-command-line-users/#comment-56830</link>
		<dc:creator>tpinky</dc:creator>
		<pubDate>Wed, 01 Oct 2008 21:14:10 +0000</pubDate>
		<guid isPermaLink="false">#comment-56830</guid>
		<description><![CDATA[You can also look at this website on IBM System i Security Guide...

http://www.redbooks.ibm.com/abstracts/sg246668.html]]></description>
		<content:encoded><![CDATA[<p>You can also look at this website on IBM System i Security Guide&#8230;</p>
<p><a href="http://www.redbooks.ibm.com/abstracts/sg246668.html" rel="nofollow">http://www.redbooks.ibm.com/abstracts/sg246668.html</a></p>
]]></content:encoded>
	</item>
</channel>
</rss>
