I have recently identified that we have open share access to the IFS on some of my systems. So much so that users who do not have profiles on the iSeries can access files on the IFS. We can close them down and we did but it impacted the business so we have to open them again. We need to understand who is accessing the IFS. I also need to understand the best way to allow the required access to continue yet shutting down the open access we have currently.
I recently gave the link to one of my colleagues who has nothing to do with the iSeries and they could browse the files in the IFS. I need to close this down to only allow access to those who should have it.
Help is much appreciated.
Software/Hardware used: V5R4M5, Power6
ASKED: February 16, 2012 10:35 AM
UPDATED: February 27, 2012 8:25 PM
In iSeries Navigator, expand your connection down through Network-> Servers-> TCP/IP, and right-click the NetServer server to access Properties.
On the Security tab, see if a ‘Guest user ID:’ is assigned. If one is, remove it. A ‘guest’ profile is a profile that you create (or assign) on your iSeries, to be used whenever someone requests a connection but has no profile of their own.
(And surely you don’t have a share out over the /root file system nor over /QSYS.LIB itself, right?)
Tom
As for knowing who accesses files, you can create an exit program over the file server QIBM_QPWFS_FILE_SERV exit point. Your exit program can create a log of accesses, if that’s what you need.
It can also return an ‘Accept’ or ‘Reject’ indication back to the file server. How you analyze the request and make the decision is up to your programming. If you do nothing log accesses, you might consider ‘Accept’ for all accesses, or perhaps ‘Reject’ for accesses from outside your system’s local subnet, or any number of variations.
Tom
If you do nothing log accesses…
Should be “If you do nothing but log accesses…”.
Tom
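A sketch of the log-and-decide logic an exit program over QIBM_QPWFS_FILE_SERV could use, as an added example that is not part of the original thread and not IBM's code. The PWFS0100 field offsets, the allow-listed profile names and the `req_len` parameter are assumptions; check the offsets against IBM's exit point documentation for your release.

```c
#include <stdio.h>
#include <string.h>
/* Assumed PWFS0100 layout (verify against IBM's documentation for your release):
 *   0 CHAR(10) user profile, 20 BINARY(4) requested function,
 *  36 BINARY(4) file name length, 40 file name in UCS-2 big-endian. */
enum { OFF_USER = 0, OFF_FUNC = 20, OFF_NAMELEN = 36, OFF_NAME = 40 };

/* Hypothetical allow-list of profiles permitted to use the file server. */
static const char *const ALLOWED[] = { "APPSRV", "JSMITH" };

static unsigned be32(const unsigned char *p) {
    return ((unsigned)p[0] << 24) | ((unsigned)p[1] << 16) | ((unsigned)p[2] << 8) | p[3];
}

/* Returns '1' (accept) or '0' (reject) and writes one audit line to log.
 * req_len (valid bytes in req) is an added parameter used for bounds checks. */
char fs_exit_decide(const unsigned char *req, size_t req_len, char *log, size_t log_len) {
    char user[11] = "", path[256] = "", rc = '0';   /* fail closed if malformed */
    unsigned func = 0, nlen, i, j = 0, n = 10;
    if (req_len >= OFF_NAME) {
        while (n > 0 && req[OFF_USER + n - 1] == ' ') n--;   /* strip blank padding */
        memcpy(user, req + OFF_USER, (size_t)n);
        func = be32(req + OFF_FUNC);
        nlen = be32(req + OFF_NAMELEN);
        if (nlen > req_len - OFF_NAME) nlen = (unsigned)(req_len - OFF_NAME);
        /* Keep 7-bit code units only; on IBM i convert with iconv() instead. */
        for (i = 0; i + 1 < nlen && j < sizeof path - 1; i += 2)
            path[j++] = (req[OFF_NAME + i] == 0 && req[OFF_NAME + i + 1] < 0x80)
                        ? (char)req[OFF_NAME + i + 1] : '?';
        for (i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
            if (strcmp(user, ALLOWED[i]) == 0) rc = '1';
    }
    snprintf(log, log_len, "user=%s func=%u path=%s rc=%c", user, func, path, rc);
    return rc;
}

int main(void) {
    unsigned char req[44];                 /* constructed sample request */
    char log[320];
    memset(req, ' ', sizeof req);
    memcpy(req + OFF_USER, "GUEST", 5);
    memcpy(req + OFF_FUNC, "\0\0\0\5", 4);
    memcpy(req + OFF_NAMELEN, "\0\0\0\4", 4);
    memcpy(req + OFF_NAME, "\0/\0a", 4);
    fs_exit_decide(req, sizeof req, log, sizeof log);
    puts(log);
    return 0;
}
```

To run in log-only mode first, as suggested above, return '1' unconditionally and review the audit lines before enabling the allow-list.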