


I would like to know if there is a security loophole on QSECURITY 30?
"Loophole"? I don't know if I'd say it that way. Programmers on QSECURITY=30 can access elements of the system that need to be restricted at many sites. Each QSECURITY level tightens restrictions more.
What is the difference between QSECURITY 30 and 40?
As the help text says, the difference is that level 40 adds this restriction:
Various MI functions are blocked at 40 that are unblocked at 30. Programs must use appropriate IBM APIs in place of blocked MI functions.
It doesn't matter if the programs are created on the system or restored from a different system. The restricted functions are blocked at run-time.
Tom


Thanks, Tom.
By the way, what is MI?
what is MI?
A basic answer is “Machine Interface” or maybe better is TIMI or “Technology-Independent Machine Interface”.
The AS/400 operating system doesn’t exactly run on any real machine or hardware. It runs on top of a ‘machine interface’, a kind of microcode layer that presents a set of ‘machine instructions’ that look pretty much the same no matter what hardware is actually underneath everything. It’s kind of like how Java manages to run on so many different systems without needing to change the Java instructions.
Many MI functions are exposed for use to ILE programs. You can also write MI programs and use a kind of assembler API to compile them.
Exactly how deep you can go down into things is part of what QSECURITY helps to control.
Tom
E.g.: If you want to create a User Space in your system, the QSECURITY value should be 40.
It will restrict us from doing some operations.
Yeah, with level 40 it will surely be tighter security, and if an ID has special authority, you will need your own session name.
If you want to create User Space in your system, QSECURITY Value should be 40.
A user space (*USRSPC object) can be created at any QSECURITY level. The QALWUSRDMN system value can restrict which libraries may contain *USRSPC (or any user domain *USRxxx) objects.
Tom
Thank you for the inputs. Just to add:
Assuming I were to toggle the QSECURITY value to 40 and most of our programs and interfaces fail, would I fix it by reverting the QSECURITY value back to 30 without restarting the server and services?
Also, in QAUDLVL, can I add *AUTFAIL and *PGMFAIL even if my audit journal is already running? Will it take effect immediately?
Thanks
…in QAUDLVL, can I add *AUTFAIL and *PGMFAIL even if my audit journal is already running? Will it take effect immediately?
The audit levels can be changed at any time. The ‘help’ text for QAUDLVL includes:
…if I were to toggle the QSECURITY value to 40 and most of our programs and interfaces fail, would I fix it by reverting the QSECURITY value back to 30 without restarting the server and services?
QSECURITY is necessarily more intrusive than QAUDLVL and other system values. Higher restrictions cause different system components to be loaded/initialized when the system starts up. Therefore, as the ‘help’ for QSECURITY states:
Tom