16a AS/400 architecture and security
TRANSCRIPT
PART 16-A AS/400 ARCHITECTURE & SECURITY
Leen van Rijk, KPMG IRM, Vrije Universiteit Amsterdam, 31 March 2003
File 16-A AS400 architecture & security
2003
Contents
LvR/VU MAR/2003
CONTENTS
History
Architecture
Application and Operating System/400 (AS/400 and OS/400)
Physical security levels
Logical security levels
Object management
Security implementation
Special security feature
Auditing (Part X. Only for the AS/400 auditor)
Note: AS/400 = hardware, OS/400 = operating system

Contents ...
CONTENTS (detailed)
Contents, Literature, Highlights, History, Architecture, Communication support, Machine Interface, AS/400 Database System, Integrated File System, Single level storage, Object oriented, Object types, Physical security, Logical security levels, Integrity checking, Special authorizations, User classes, Pre-defined user profiles, User profile, Group profile, Group structure, Object header authority, Object data authority, Object authority, Grouping, Public authorization, Private authority, Authorization list, Authorization check flow, Adopted security, Dedicated service tools, Journaling, Security definition interface
ONLY FOR THE AS/400 AUDITOR: Limited users, Library security, Physical versus logical file security, Authority holder, Adopted security, Journaling
Optional literature
OPTIONAL LITERATURE
IBM, AS/400 System Concepts
IBM, AS/400 Security Concepts & Planning
IBM, AS/400 Guide to enabling C2 security
IBM, Application System/400 Technology
Ernst & Young, A practical approach to logical access control, McGraw-Hill (1993) (see chapter AS/400 access control)
Ernst & Young, Technical reference series: Audit, Control and Security of the IBM AS/400 (1994) (description, control objectives, audit questions)
Fred de Koning et al., Beveiliging en controle in een AS/400-omgeving, Paardekooper & Hoffman (1995)

Optional literature . . .
STRUCTURE OF: Ernst & Young, AS/400 Audit Reference
Overview: Hardware, Software, Logical access path, Utilities, Backup and Recovery, Objects, Libraries, Initial menus and programs
System security: system keylock, system values, authorities, user and group profiles, authorization lists, etc.
Procedural and administrative controls
Each topic is described with its Control Concerns and Examples
Security topology
TOPOLOGY OF SECURITY LAYERS (diagram)
Layers between the End user and the DATA: Network security, Frontdoor, Security in system/service, Security in application, Access control (Operating system, Hardware)
Around the system: Physical security of the computing center, Computing center staff
Measures depend upon security objectives and the enterprise's security strategy
Trusted Computing Base (TCB - certified using US Department of Defense standards)
Note: The security measures in the network, services and applications may use the Access Control in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.
Access path within AS/400 (MEY model)
(Diagram) End users and MIS personnel reach the DATA through the following OS/400 layers: OS/400 communication functions, User profiles, Initial menu, Application software / Command processors / Tools & utilities, OS/400 data base management functions, Object security
AS/400 model, see Ernst & Young book on logical access control
Highlights
HIGHLIGHTS FOR THE EDP AUDITOR
1. Appropriate security levels active
2. Identification, Authentication (User and Group profiles)
3. Special Authorizations
4. Public and Specific Authorization (including Authorization list)
5. Dedicated Service Tools
6. Journaling
History of AS/400
HISTORY OF APPLICATION SYSTEM/400 (AS/400) (timeline diagram)
1974 - System/34
1978 - System/38 (Data Base included in OS)
1982 - System/36
1987 - AS/400 (AS/400-Y10)
1995 - PowerPC AS/400
Architecture AS/400
ARCHITECTURE AS/400 (block diagram): the System processor and Main storage are attached through BCUs and BEUs to IOBUs, which connect the Display, Printer, Communication lines and DASD
DASD = Direct Access Storage Device (disks)
BCU = Bus Control Unit
IOBU = I/O Bus Unit (Communication Controller)
BEU = Bus Extension Unit
Architecture AS/400 ...
ARCHITECTURE
Until 1995, the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture.
The system processor had a 32 bit data path and a 48 bit addressing structure to address 281 terabytes.
The addressing architecture is designed to handle 64 bit addressing, which is fully implemented in the newer systems using the PowerPC architecture.
Communication protocols
PHYSICAL CONNECTION PROTOCOLS
For communication purposes AS/400 supports on the physical layer a variety of data link and network protocols.
A standard port is used for ECS (Electronic Customer Support).
Optional adapters support the protocols: ASYNC (Asynchronous), BSC (Binary Synchronous Communication), SDLC (Synchronous Data Link Control), X.21, X.25, X.31, V.24, V.35 and V.36, ISDN (Integrated Services Digital Network), Twinaxial Data Link Control, Ethernet, Token-ring, FDDI (Fiber Distributed Data Interface), Wireless LAN, Fax (V.34)
(Diagram) Layer stack from Terminal / Application = End user downwards: Transaction Services, Presentation Services, Data Flow Control, Transmission Control, Path Control, Data Link Control, Physical Control; the protocols above belong to the Physical connection
Communication protocols ...
NETWORK PROTOCOLS
To manage network access AS/400 supports the most common available network protocols (Logical connection): Asynchronous, Binary Synchronous Communications (BSC), System Network Architecture (SNA), Advanced Peer-to-Peer Network (APPN), Transmission Control Protocol/Internet Protocol (TCP/IP), Open Systems Interconnection (OSI), Multiprotocol Transport Networking (MPTN)
(Diagram) Same layer stack, from Terminal / Application = End user down to Physical Control
Communication protocols ...
APPLICATION COMMUNICATION PROTOCOLS
To enable applications using communication AS/400 supports call interfaces like: Advanced Program-to-Program Communications (APPC), SNA Distribution Services (SNADS), Distributed Remote Data Access, Open Systems Interconnection (OSI), Object Distribution Facility (ODF), Client Access/400, Transmission Control Protocol (TCP), File Transfer Protocol (FTP), Simple Mail Transfer Protocol (SMTP), Simple Network Management Protocol (SNMP), User Datagram Protocol (UDP), Line Printer Requester/Line Printer Daemon Protocol, TELNET
(Diagram) Same layer stack, from Terminal / Application = End user down to Physical Control
Machine interface AS/400
MACHINE INTERFACE AS/400 (diagram, top to bottom): Applications, Compilers, Utilities; Operating System/400 (OS/400); Vertical Micro Code; Horizontal Micro Code; Hardware. The lower three layers together form the High-level machine.
Machine interface AS/400 ...
MACHINE INTERFACE AS/400
The AS/400 is a layered architecture machine.
To use the hardware only high-level machine instructions are available.
The high level machine instructions are understood by the VERTICAL MICROCODE layer and translated to basic machine instructions.
The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and transferred to the hardware.
The hardware layer executes the instruction.
The Vertical and Horizontal Micro Code layers together with the hardware are called the HIGH-LEVEL MACHINE.
With the PowerPC architecture there is only one layer of microcode to implement the machine interface.
Machine interface AS/400 ...
The three machine layers, called the high-level machine, also provide many functions normally implemented in the Operating System.
TRADITIONAL OPERATING SYSTEM: Task management, Resource management, Storage management, Database management, Security management, etc.
TRADITIONAL HARDWARE: Machine interface, Hardware
OPERATING SYSTEM/400 (OS/400) on top of AS/400 HARDWARE (Machine interface): Task management, Resource management, Storage management, Data access, Database management, Security management, etc., Hardware
Note: Implementing functions in micro code benefits the system's performance
Database system
INTEGRATED DATABASE SYSTEM
AS/400 has an integrated Database management system. It is a BASE feature of the AS/400.
Within AS/400 Database access is only allowed by ONE Application Programming Interface (API). Access security will be done by this interface and there is no redundant access control mechanism available. There is only one focal point for access control.
The Database is designed on two concepts:
- The physical files, containing the data
- The logical files, which give the possibility to define an alternate view to the data records and fields
The user, when authorized, can access the data directly from the physical file or through the logical file.
The AS/400 Database system is also used as physical storage by the product Data Base 2 (DB2/400), which extends the Data Base features.
Database system ...
INTEGRATED DATABASE SYSTEM
The AS/400 system can be used as a Database server. To connect to the AS/400 Database, protocols from different vendors are supported. These protocols are: Open Database Connect (ODBC) from Microsoft, Data Access Language (DAL) from Apple, System Query Language Connect (SQL CON) from Oracle, Distributed Relational Database Architecture (DRDA) from IBM
(Diagram) System A with Database X connected to System B, an AS/400 with Database Y
Integrated File System
INTEGRATED FILE SYSTEM (IFS)
To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry standard APIs to the stream file system and the hierarchical directory. The file access protocols which are supported by AS/400 are:
Root file system: OS/2, DOS and Windows NT compatible
QOpenSys file system: Posix, XPG, UNIX compatible
QLANSrv file system: OS/2 Lan Manager compatible
(Diagram) AS/400 File system X connected to File system Y
Single level storage
(Diagram) Traditional mainframe with an address space per user and separate data sets on disks: OS/390 with many separate 2 GB address spaces
DIFFERENT ARCHITECTURE
AS/400 - OS/400: 2^64 bytes = 16,000,000 terabytes address space, containing objects (program, screen, data) and the DASD
AS/400: everything in one virtual address space
Single level storage ...
SINGLE LEVEL STORAGE
AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN and AUXILIARY storage appear contiguous to an end user and an application.
(Diagram) One virtual address space: SYSTEM PROCESSOR, VAT, MAIN STORAGE (DIR), paging, AUXILIARY STORAGE on DASD
VAT = Virtual Address Translation
DIR = Directory used by VAT to keep track of virtual storage contents
Note: When data or instructions are needed for execution by the system processor they will be brought into main storage. When there is a shortage of main storage the data and/or instructions not needed anymore are transferred back to auxiliary storage on DASD.
Single level storage ...
AS/400 single-level storage gives the ability to have data storage independent of device types. All data including programs, source, data, databases etc. are mapped into this single virtual address space.
(Diagram) AS/400 VIRTUAL ADDRESS SPACE filled with objects: Program A123, Program A143, Data 5RF, Command AB6, Queue, Program XG63, Menu 567, Menu 765, Command UY, Data GFHJ, etc. etc. etc. till maximum space
Object oriented
OBJECT ORIENTED DESIGN
Definition: Everything on the system that can be stored or retrieved is contained in an object.
The high level machine is designed to treat everything the same through the use of a generic object structure.
General object structure:
OBJECT HEADER (Control Information): Object type, Owner, Public Authority, etc.
FUNCTIONAL OBJECT (data): Data (e.g., data records, programs, sources, etc.)
Object types
OBJECT TYPES
To store information in the AS/400 system there are 73 different types of objects defined, e.g.
Type - Contents
Library - object names (like a directory)
Data - data records (database records)
Program - executable programs
Source - source of programs like COBOL, Pascal, C etc.
User profile - userid descriptions and privileges
Journal - logging records
Job queue - jobs to handle
Output queue - output from jobs
Device description - device parameters
Job description - job control language
Object administration
OBJECT ADMINISTRATION (diagram)
START OBJECT SEARCH at QSYS, which lists LIBRARY 1, LIBRARY 2 and LIBRARY 3
LIBRARY 1: OBJECT X (with MEMBER A, MEMBER B, MEMBER C), OBJECT Y
LIBRARY 2 (DATABASE): OBJECT K, OBJECT L, OBJECT M
LIBRARY 3: OBJECT Z
Physical security
KEYLOCK SWITCH
On the front panel of the AS/400, with a physical key (to be stored safely). Keylock positions: Normal, Manual, Secure, Auto

Keylock position        SECURE   AUTO   NORMAL   MANUAL
Power down command      YES      YES    YES      YES
Remote or timed IPL     NO       YES    YES      NO
Main switch IPL         NO       NO     YES      YES
Attended IPL            NO       NO     NO       YES

Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools)
Logical security levels
LOGICAL SECURITY LEVELS
AS/400 is designed to activate different levels of security. The levels are controlled by setting the system parameter QSECURITY(xx):
10 - no security
20 - userid and password checking
30 - object authorization verification
40 - application must use AS/400 call interface
50 - DoD C2 security
Note: to guarantee data integrity, at least the system parameter QSECURITY(30) must be set by the Security administrator prior to user access to the system
Logical security levels ...
DESCRIPTION OF SECURITY LEVELS
10 - No security level at all. A user profile will automatically be defined when a user signs on
20 - User profile and password must be defined prior to sign on
30 - Like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate access authority to use the resources.
40 - Like 30, but the machine interface cannot be used directly by the programs. It can only be used through the AS/400 call interface. All access is controlled/checked by AS/400. Journaling must be active so reports can be created
50 - Extends level 40 to meet DoD C2 classification. The users are only allowed to access their own objects through the AS/400 defined Application Programming Interface (API). Bypassing journaling of an object access is no longer possible
Integrity checking
INTEGRITY CHECKING
ISOLATION: AS/400 has system state and user state programs
Security level = 10, 20 and 30: user and system programs can freely interact with the high-level machine
Security level = 40: the APIs (Application Program Interface) must be used by a user program to interact with a system program
Security level = 50: the APIs must also be used by a user program to interact with another user program
Integrity checking ...
INTEGRITY CHECKING (matrix of interactions between the two domains)
System State Domain with System State Domain: no integrity problem
User State Domain with System State Domain: integrity problem when not checked; the API must be used with level 40
System State Domain with User State Domain: intentionally no problem
User State Domain with User State Domain: integrity problem, no journaling of activities; level 50 enforces use of the API in the user domain
Special authorizations
SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system wide authority scope. When a user is defined with a special authorization he/she is able to do:
PRIVILEGE - AUTHORIZED TO DO
ALLOBJ - access every system resource
SECADM - create / change user profiles
SAVSYS - save / restore
JOBCTL - manipulate jobs on the system
SPLCTL - all spool functions
SERVICE - service functions
AUDIT - audit related functions
IOSYSCFG - change system configuration
User classes
USER CLASSES (diagram): the user classes SECOFR, SECADM, SYSOPR and PGMR drawn as nested groups of the special authorities ALLOBJ, SERVICE, SPLCTL, SECADM, IOSYSCFG, JOBCTL and SAVSYS
User classes . . .
USER CLASSES
Special authorities can be grouped together. This grouping is called a USER CLASS.
Class: SECOFR, SECADM, SYSOPR, PGMR, USER
Special authority: ALLOBJ, SECADM, SAVSYS, JOBCTL, SPLCTL, SERVICE, IOSYSCFG
(Table of class against special authority, with some cells marked 10/20)
Note: 10/20 refers to security levels 10 and 20. When one of these is active, the ALLOBJ authority is assigned to these classes automatically. The other mark refers to security levels 30, 40 and 50.
Pre-defined user profiles
PRE-DEFINED USER PROFILES
When AS/400 is installed, there are 6 predefined user profiles available to access the system. They are used to create other user profiles to access the system. The 6 default userids are: QSECOFR, QPGMR, QSYSOPR, QSRV, QSRVBAS, QUSER
Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids
User profile
USER PROFILE
With security level 20 or higher, the user can only access the system if there is a user profile defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile may be:
USER PROFILE (is an object): Userid, User class, Group name (up to 16 groups), Initial program, Initial menu, Current library, Password, Password expiration, Special authority, Accounting code, Limited capability
(Note: This is only a partial content)
Authentication
AUTHENTICATION
System wide password syntax options:
QPWDMINLEN - minimum length of password
QPWDMAXLEN - maximum length (up to 10 characters)
QPWDRQDDIF - new password must differ from 32 previous
QPWDLMTCHR - specify up to 10 characters not allowed for password
QPWDPOSDIF - character in new must be different from character in same position in old
QPWDLMTREP - characters not to be used more than once
QPWDLMTAJC - numbers 0 to 9 not next to another
QPWDVLDPGM - use password syntax checker
QPWDRQDDGT - at least one numeric
Other system wide password options:
QPWDEXPITV - maximum number of days the password is valid
QMAXSIGN - maximum number of unsuccessful sign-on attempts
QDSPSGNINF - display date/time of last sign-on etc. after successful sign-on
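An added Python model of the password options listed above (this is not code from the lecture; OS/400 performs these checks itself). The rule values, the sample passwords and the choice to disable a profile once QMAXSIGN is reached are constructed assumptions for illustration.

```python
# Added example, not from the lecture: a Python model of the system-wide
# password options on the slide. Rule values, sample passwords and the
# "disable the profile" reaction to QMAXSIGN are constructed assumptions;
# the real checks are performed by OS/400 at sign-on and CHGPWD time.
from dataclasses import dataclass


@dataclass
class PasswordRules:
    """Constructed values for the QPWD* system values on the slide."""
    qpwdminlen: int = 6        # QPWDMINLEN: minimum length of password
    qpwdmaxlen: int = 10       # QPWDMAXLEN: maximum length (up to 10 characters)
    qpwdrqddif: bool = True    # QPWDRQDDIF: must differ from the previous passwords
    qpwdlmtchr: str = "AEIOU"  # QPWDLMTCHR: up to 10 characters not allowed
    qpwdposdif: bool = True    # QPWDPOSDIF: no same character in the same position
    qpwdlmtrep: bool = True    # QPWDLMTREP: no character used more than once
    qpwdlmtajc: bool = True    # QPWDLMTAJC: digits 0-9 not next to each other
    qpwdrqddgt: bool = True    # QPWDRQDDGT: at least one numeric character
    history_depth: int = 32    # QPWDRQDDIF compares against 32 previous passwords


def check_password(new: str, history: list, rules: PasswordRules) -> list:
    """Return the names of the violated system values (empty list = accepted).

    `history` holds previous passwords, oldest first; history[-1] is the
    current password that `new` is about to replace.
    """
    violations = []
    if len(new) < rules.qpwdminlen:
        violations.append("QPWDMINLEN")
    if len(new) > rules.qpwdmaxlen:
        violations.append("QPWDMAXLEN")
    if rules.qpwdrqddif and new in history[-rules.history_depth:]:
        violations.append("QPWDRQDDIF")
    if any(c in rules.qpwdlmtchr for c in new):
        violations.append("QPWDLMTCHR")
    if rules.qpwdposdif and history and any(a == b for a, b in zip(new, history[-1])):
        violations.append("QPWDPOSDIF")
    if rules.qpwdlmtrep and len(set(new)) != len(new):
        violations.append("QPWDLMTREP")
    if rules.qpwdlmtajc and any(a.isdigit() and b.isdigit() for a, b in zip(new, new[1:])):
        violations.append("QPWDLMTAJC")
    if rules.qpwdrqddgt and not any(c.isdigit() for c in new):
        violations.append("QPWDRQDDGT")
    return violations


def password_expired(days_since_change: int, qpwdexpitv: int = 90) -> bool:
    """QPWDEXPITV: the password is no longer valid after this many days."""
    return days_since_change > qpwdexpitv


def signon(profile: dict, password_ok: bool, qmaxsign: int = 3) -> str:
    """QMAXSIGN: count unsuccessful sign-on attempts per profile.

    Disabling the profile when the limit is reached is this model's assumed
    reaction; the slide only names the maximum number of attempts.
    """
    if profile.get("disabled"):
        return "DISABLED"
    if password_ok:
        profile["failed"] = 0
        return "OK"
    profile["failed"] = profile.get("failed", 0) + 1
    if profile["failed"] >= qmaxsign:
        profile["disabled"] = True
        return "DISABLED"
    return "FAILED"


if __name__ == "__main__":
    # Constructed sample: adjacent digits "12" violate QPWDLMTAJC.
    print(check_password("QW12RT", ["ABCDEFG"], PasswordRules()))  # ['QPWDLMTAJC']
```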
Group profile
GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile may be:
GROUP PROFILE (is an object)
Userid (is groupname)
User class (class for group)
Group (NONE)
Initial program (not relevant)
Initial menu (not relevant)
Current library (not relevant)
Password (NONE)
Password expiration (not relevant)
Special authority (for group)
Accounting code (not relevant)
Limited capability (not relevant)
(Note: This is only a partial content)
Group structure
GROUP STRUCTURE (diagram)
Group profile GROUP A; Group profile GROUP B
User profile USER A1: Group=A
User profile USER A2: Group=A,B
User profile USER B1: Group=B
User profile USER B2: Group=B
The groups are independent definitions and do not have any relation to one another. A user can be a member of a maximum of 16 groups.
Object header authority
OBJECT HEADER AUTHORITY (diagram: HEADER above the functional data)
AS/400 is object oriented: all stored information is contained in an object. There are 3 authority levels to control the header information. This authority is specific for every user-object combination. The user may:
AUTHORITY - ACCESS RIGHTS to HEADER
OBJOPR - use/look at the object information
OBJMGT - grant other users to use the object
OBJEXIST - totally control the object
Object data authority
OBJECT DATA AUTHORITY (diagram: header above the FUNCTIONAL DATA)
Prior to accessing the contents of the object, the user must have at least OBJOPR authority to the object. If so, data access can be controlled with five different levels:
AUTHORITY - ACCESS RIGHTS to FUNCTIONAL DATA
READ - Read the entries of the functional data
ADD - Add entries to the functional data
UPD - Update entries of the functional data
DLT - Delete entries of the functional data
EXECUTE - Only execute the related program
Object authority
OBJECT AUTHORITY
To get access to the object the user needs at least access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.
(Diagram) START SEARCH: PUBLIC authority OBJOPR on the header and READ on the data
Object authority grouping
OBJECT AUTHORITY GROUPING (diagram of nested groups): USE contains OBJOPR and READ; CHANGE contains USE plus ADD, UPD and DLT; ALL contains CHANGE plus OBJMGT and OBJEXIST
Object authority grouping . . .
OBJECT AUTHORITY GROUPING
Object header and functional data access authorities can be grouped to system defined values, controlling the access to the object.
Combination - Object authority - Data authority
USE - OBJOPR - READ
CHANGE - OBJOPR - READ, ADD, UPD, DLT
ALL - OBJOPR, OBJMGT, OBJEXIST - READ, ADD, UPD, DLT
EXCLUDE - Access always denied
LIBCRTAUT - Access determined by the library where the object is registered
USER DEF - Combination defined by the user
Public authorization
PUBLIC AUTHORIZATION
When most of the users must have the same access authority to the object, this access authority is set into the object header. The authorization is called PUBLIC and is given to the object during creation.
(Diagram) OBJECT HEADER: Object type, Owner, PUBLIC authority USE; FUNCTIONAL DATA; accessed by All Users
Note: In this example all users have read access to this object (USE includes OBJOPR and READ)
Private authority
PRIVATE AUTHORITY
When a specific user must have lower or higher access rights than the public authority, the user's access is administered in his/her user profile extension.
(Diagram) USER PROFILE (is an object) of a Single User: header, user information, list of owned objects, LIST OF OBJECTS AUTHORIZED TO ACCESS WITH THE AUTHORITY, e.g. OBJEXAMPLE CHANGE
Note: When there is a private access definition for the object lower than the public authority, it will be marked in the object header
Authorization list
AUTHORIZATION LIST
Another possibility to control access is to create an authorization list. This list will be created when there are users or groups with different access rights to a group of objects. An object can be connected to this authorization list.
The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted. When another object is created and it needs the same authorization scheme, this newly created object can be connected to the same list.
Authorization list ...
AUTHORIZATION LIST CONTENTS
The authorization list by itself is also an object. The list is treated as every other object in the system.
AUTHORIZATION LIST (is an object): header, followed by the entries
ANJA - ALL
EDWIN - CHANGE
RONALD - USE
LEEN - AUTLMGT
PUBLIC - EXCLUDE
The example above shows a list which can be used by an object to control its access rights. There is also a specific access control authorization defined, called AUTLMGT. This gives the user (or group) the ability to maintain this authorization list.
Note: When the public authorization in the object specifies that the authorization list will be used, the entry PUBLIC will give the public authorization
Authorization list ...
AUTHORIZATION LIST CONNECTION
When an object is created or changed the authorization list can be specified. The architecture gives the possibility to specify only ONE list per object.
(Diagram) Object header: Object type, Owner, AUTHORIZATION LIST ABC, Public authority AUTL; Functional data. Object authorizations are defined in Authorization List ABC: ANJA ALL, EDWIN CHANGE, RONALD USE, LEEN AUTLMGT, PUBLIC EXCLUDE
Note: In this example the public authority is now used from the authorization list entry PUBLIC
Authorization check flow
AUTHORIZATION CHECK FLOW
Authorization check flow sequence:
1. Special authority of the user
2. Specific authority of the user
3. User on authorization list
4. Special authority of the group
5. Specific authority of the group
6. Group on authorization list
7. PUBLIC authority in object
8. PUBLIC on authorization list
AS/400 looks whether the user has a Special authority. If there is no Special authority, the next step will be to look for a Specific authority defined, etc. When any authorization definition for the object is found the search will stop.
This mechanism is called exclusive access control and is the opposite of accumulated access control.
Adopted security
ADOPTED SECURITY
AS/400 security allows a user to adopt the access authorization of the owner of a program. When a user is allowed to execute a program owned by another user, the authority can be adopted. The user then has the same access authority to the objects as the owner of it!
(Diagram) User A has EXCLUDE for DATA B23 (direct access not allowed) and USE for program BAS; via program BAS of user B the access is allowed
Adopted security ...
ADOPTED SECURITY: an example
User A has EXCLUDE for data B23 and USE for program BAS
(Diagram) DATA B23: Owner user B, Public authority EXCLUDE. PROGRAM BAS: Owner user B, Public authority USE, Adopting authority active
Note: In this example, user B has access authority of ALL to the object with data B23. User A can only access it through the program BAS
Adopted security: another example
ADOPTED SECURITY: another example
When a program allows adoption of the authority of the program owner, the program must be created with the command CRTPGM PROG(B2S) USRPRF(OWNER). When program adoption is active, the authority will be propagated to subsequently called programs.
(Diagram) User A has USE for program B2S; program B2S is owned by user B; DATA X24 and program X2U are owned by user X
Adopted security: another example ...
ADOPTED SECURITY: another example
User A has USE for program B2S and EXCLUDE for data X24
(Diagram) PROGRAM B2S: Owner user B, calls program X2U (USE). PROGRAM X2U: Owner user X. DATA X24: Owner user X.
PROGRAM X2U has ALSO USE authority to DATA X24
Note: Adopted security is the only accumulated security within AS/400
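The authority groupings (USE, CHANGE, ALL), the eight-step exclusive authorization check flow and the adopted-security examples above, modelled together in one added Python example. This is not code from the lecture or from OS/400; every profile, object, authorization list and authority below is constructed sample data, and the treatment of AUTLMGT as granting no object rights is an assumption of the model.

```python
# Added example, not from the lecture: a Python model of the authorization
# concepts in this deck (groupings, exclusive check flow, adopted authority
# along a call chain). All profiles, objects and authorities are constructed.

# System defined combinations from the grouping slide. AUTLMGT only allows
# maintaining a list; this model assumes it gives no rights on the object.
GROUPS = {
    "USE": {"OBJOPR", "READ"},
    "CHANGE": {"OBJOPR", "READ", "ADD", "UPD", "DLT"},
    "ALL": {"OBJOPR", "OBJMGT", "OBJEXIST", "READ", "ADD", "UPD", "DLT"},
    "EXCLUDE": set(),
    "AUTLMGT": set(),
}
AUTLS = {}  # authorization list name -> {profile name or "PUBLIC": authority}

def expand(auth):
    """Named combination -> set of rights; a set is a USER DEF combination."""
    return set(GROUPS[auth]) if isinstance(auth, str) else set(auth)

class Profile:
    def __init__(self, name, special=(), groups=()):
        self.name = name
        self.special = set(special)  # special authorities, e.g. {"ALLOBJ"}
        self.groups = list(groups)   # group profiles (up to 16)

class Obj:
    def __init__(self, name, owner, public, autl=None, private=None):
        self.name, self.owner, self.public, self.autl = name, owner, public, autl
        self.private = dict(private or {})          # private authorities in the header
        self.private.setdefault(owner.name, "ALL")  # the owner holds ALL

class Program(Obj):
    def __init__(self, name, owner, public, adopt=False, **kw):
        super().__init__(name, owner, public, **kw)
        self.adopt = adopt  # created with USRPRF(OWNER): adopts the owner's authority

def lookup(profile, obj):
    """Exclusive access control: the first definition found decides and the
    search stops. Returns the set of rights that definition grants."""
    autl = AUTLS.get(obj.autl, {})
    if "ALLOBJ" in profile.special:                         # 1. special authority of the user
        return expand("ALL")
    if profile.name in obj.private:                         # 2. specific authority of the user
        return expand(obj.private[profile.name])
    if profile.name in autl:                                # 3. user on authorization list
        return expand(autl[profile.name])
    if any("ALLOBJ" in g.special for g in profile.groups):  # 4. special authority of the group
        return expand("ALL")
    for g in profile.groups:                                # 5. specific authority of the group
        if g.name in obj.private:
            return expand(obj.private[g.name])
    for g in profile.groups:                                # 6. group on authorization list
        if g.name in autl:
            return expand(autl[g.name])
    if obj.public != "AUTL":                                # 7. PUBLIC authority in the object
        return expand(obj.public)
    return expand(autl.get("PUBLIC", "EXCLUDE"))            # 8. PUBLIC on authorization list

def principals(user, call_chain):
    """Walk a chain of program calls. Every program must be callable (OBJOPR)
    by a principal collected so far; an adopting program adds its owner.
    Adopted security is the only accumulated security on AS/400."""
    who = [user]
    for prog in call_chain:
        if not any("OBJOPR" in lookup(p, prog) for p in who):
            raise PermissionError(f"{user.name} may not call {prog.name}")
        if prog.adopt:
            who.append(prog.owner)
    return who

def allowed(user, obj, right, call_chain=()):
    """Does `user` hold `right` on `obj`, directly or via adopting programs?"""
    try:
        who = principals(user, call_chain)
    except PermissionError:
        return False
    return any(right in lookup(p, obj) for p in who)

# Constructed scenario following the slides.
user_a, user_b, user_x = Profile("A"), Profile("B"), Profile("X")
edwin, ronald = Profile("EDWIN"), Profile("RONALD")
AUTLS["ABC"] = {"ANJA": "ALL", "EDWIN": "CHANGE", "RONALD": "USE",
                "LEEN": "AUTLMGT", "PUBLIC": "EXCLUDE"}
# Public USE, but the private EXCLUDE for A is found first and the search stops.
obj_example = Obj("OBJEXAMPLE", user_b, "USE", private={"A": "EXCLUDE"})
# Public authority taken from authorization list ABC.
data_abc = Obj("DATA_ABC", user_x, "AUTL", autl="ABC")
# DATA B23 is EXCLUDE to all but owner B; program BAS (owner B) adopts B.
data_b23 = Obj("B23", user_b, "EXCLUDE")
prog_bas = Program("BAS", user_b, "USE", adopt=True)
# B2S (owner B) calls X2U (owner X); X2U reaches DATA X24 through owner X.
data_x24 = Obj("X24", user_x, "EXCLUDE")
prog_x2u = Program("X2U", user_x, "EXCLUDE", adopt=True, private={"B": "USE"})
prog_b2s = Program("B2S", user_b, "EXCLUDE", adopt=True, private={"A": "USE"})
```

Running `allowed(user_a, data_x24, "READ", [prog_b2s, prog_x2u])` shows user A reaching DATA X24 only through the adopting chain, while the direct call `allowed(user_a, data_x24, "READ")` is refused.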
Dedicated Service Tools
DEDICATED SERVICE TOOLS
Dedicated service tools are used to solve problems occurring in the licensed internal code and to work with disk configurations. To use these tools the system must be IPLed attended with the keylock in position MANUAL. There are three levels of DST authorization:
SECURITY - Used by the security officer to do all DST functions and change the DST passwords
FULL - To use all DST functions except DST password changes
BASIC - To use DST functions not affecting sensitive data
Note: The security officer must change the DST passwords after installing the system. With the CHGDSTPWD command the DST passwords can be reset.
Journaling
JOURNALING
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types.
(Diagram) AS/400 SECURITY EVENT; Journal activated with system value QAUDJRN (JRN); Journal level activated with system values e.g. AUTFAIL, PGMFAIL; Journal receiver USERRECV; read by the Security officer
Security definition interface
SECURITY DEFINITION INTERFACE
Menu interface (started with GO SECURITY): the Define User Profile panel with the fields User Profile, Password, Password Expired, User Class, Current library, Initial Program, Initial Menu, and a ===> command line
Command interface:
CRTUSRPRF - Create user profile
CHGUSRPRF - Change user profile
DLTUSRPRF - Delete user profile
DSPUSRPRF - Display user profile
CHGPWD - Change password
DSPAUTUSR - Display authorized users
CHGPRF - Change profile (normal users)
WRKUSRPRF - Work with user profile
ONLY FOR THE AS/400 AUDITOR
PART X
ADDITIONAL INFORMATION ONLY FOR THE AS/400 AUDITOR
Limited users
LIMITED USERS
Restrictions can be defined in the user profile, the so-called limited capability (LMTCPB). Users can be prevented from changing the initial menu, the initial program and the current library. When a user signs on, the user profile definition may contain an initial menu to display or a program to execute. When limited capabilities = YES, the signed-on user can only use this menu structure or can only execute the defined program. When a user is PARTIAL limited (also defined in the user profile), the user may change the main menu and is allowed to issue commands from the command line.
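The command interface from the previous slide applied to a limited user, as an added example in CL (not from the original slides): the profile name CLERK01, library PAYLIB and the menu and program names PAYMENU and PAYSTART are assumed.

```cl
/* Added example: create a payroll clerk profile that is restricted to its   */
/* initial menu and program. Names (CLERK01, PAYLIB, PAYMENU, PAYSTART)       */
/* are assumed.                                                               */

/* PWDEXP(*YES) forces a new password at first sign-on, USRCLS(*USER) with  */
/* SPCAUT(*NONE) gives no special authorities, and LMTCPB(*YES) stops the   */
/* user from changing INLMNU, INLPGM and CURLIB and from typing commands.   */
CRTUSRPRF USRPRF(CLERK01) PASSWORD(STARTPW1) PWDEXP(*YES) +
          USRCLS(*USER) SPCAUT(*NONE) CURLIB(PAYLIB) +
          INLPGM(PAYLIB/PAYSTART) INLMNU(PAYLIB/PAYMENU) +
          LMTCPB(*YES) TEXT('Payroll clerk - limited user')

/* PARTIAL limitation: the user may change the initial menu and may run     */
/* commands from the command line, but still cannot change INLPGM or CURLIB. */
CHGUSRPRF USRPRF(CLERK01) LMTCPB(*PARTIAL)

/* Verification: check the single profile, then list all authorized users   */
/* so that nobody keeps a command line who should not have one.             */
DSPUSRPRF USRPRF(CLERK01)
DSPAUTUSR SEQ(*USRPRF)
```

The menu interface (GO SECURITY) sets the same profile fields interactively; the commands are what an auditor can script and rerun to compare the stored values against the intended ones.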
Library security
LIBRARY SECURITY
A library is used to administer the existence of objects. Libraries are themselves objects, and to find out whether an object exists the user needs at least USE access to the library, in order to search for the objects described in it.
Give the public authority for the objects in the library as high as necessary, and set the public authority for the library itself to EXCLUDE. Authority for the library must then be given to individual users.
Library security ...
LIBRARY SECURITY (diagram)
LIBRARY A: owner user A, public authority EXCLUDE. It contains OBJECT A, OBJECT B, OBJECT C, etc., each with public authority USE to its DATA.
Users B and C are shown; user B has USE authority to LIBRARY A.
Physical versus logical file security
PHYSICAL VERSUS LOGICAL FILE SECURITY
A physical file, which contains the physical records, can be accessed directly by the users or indirectly through a logical file definition. The logical file definition can give a different view of the physical data.
In the following diagram the physical file object P cannot be accessed directly, because the user has no access to its header information. By giving the user access to a logical file with a certain view of the physical data, the user only has access to that part of the data.
Physical versus logical file security ...
PHYSICAL VERSUS LOGICAL FILE SECURITY (diagram)
OBJECT L1 (logical file): public authority OBJOPR; data description specification with RECORDS and FIELDS A and B, based on PHYSICAL FILE P.
OBJECT L2 (logical file): public authority CHANGE; data description specification with RECORDS and FIELDS X and Y, based on PHYSICAL FILE P.
FILE P (physical file): public authority NONE; data description specification with RECORDS and FIELDS; holds the DATA.
Authority holder
AUTHORITY HOLDER
The AS/400 gives the opportunity to set up an object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It is connected to the object's data part when the data is created.
Diagram: AUTHORITY HOLDER (object header created in advance, public authority USE) is connected to the DATA created in the future at the moment that data is created.
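The library, logical-file and authority-holder slides above applied together, as an added example in CL (not from the original slides). The library PAYLIB, physical file P, logical files L1 and L2, their DDS source members in PAYLIB/QDDSSRC and the users USERB and USERC are assumed. One caveat the slides do not spell out: a user reading through a logical file still needs the data authorities (READ, ADD, UPD, DLT) on the physical file; only the object operational authority (OBJOPR) on the physical file is not required, so the example removes OBJOPR from P but leaves the data authorities there.

```cl
/* Added example: secure payroll data by library, authority holder and     */
/* logical-file views. All object and user names are assumed.               */

/* 1. Library with public EXCLUDE: the public cannot even list the objects. */
CRTLIB LIB(PAYLIB) AUT(*EXCLUDE) TEXT('Payroll data')
/* Only named users get USE on the library, so they can find its objects.  */
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(USERB USERC) AUT(*USE)

/* 2. Authority holder: the object header for file P is created in advance  */
/*    with its authorities; it is connected to the data when P is created.  */
CRTAUTHLR OBJ(PAYLIB/P) OBJTYPE(*FILE) AUT(*EXCLUDE)

/* 3. Physical file P (DDS source assumed in member P of PAYLIB/QDDSSRC).   */
CRTPF FILE(PAYLIB/P) SRCFILE(PAYLIB/QDDSSRC) SRCMBR(P)
/* No OBJOPR on P for the public: nobody opens the physical records        */
/* directly. The data authorities stay, because they are checked on P even */
/* when the access comes through a logical file.                           */
RVKOBJAUT OBJ(PAYLIB/P) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(PAYLIB/P) OBJTYPE(*FILE) USER(*PUBLIC) +
          AUT(*READ *ADD *UPD *DLT)

/* 4. Logical files carry the views: L1 shows fields A and B, L2 fields X  */
/*    and Y (DDS members L1 and L2 assumed). Access is granted per view.   */
CRTLF FILE(PAYLIB/L1) SRCFILE(PAYLIB/QDDSSRC) SRCMBR(L1) AUT(*EXCLUDE)
CRTLF FILE(PAYLIB/L2) SRCFILE(PAYLIB/QDDSSRC) SRCMBR(L2) AUT(*EXCLUDE)
GRTOBJAUT OBJ(PAYLIB/L1) OBJTYPE(*FILE) USER(USERB) AUT(*OBJOPR)
GRTOBJAUT OBJ(PAYLIB/L2) OBJTYPE(*FILE) USER(USERC) AUT(*CHANGE)

/* 5. Audit check: P must show no OBJOPR for *PUBLIC, and each logical     */
/*    file only the users who may see that view.                           */
DSPOBJAUT OBJ(PAYLIB/P)  OBJTYPE(*FILE)
DSPOBJAUT OBJ(PAYLIB/L1) OBJTYPE(*FILE)
DSPOBJAUT OBJ(PAYLIB/L2) OBJTYPE(*FILE)
```

The order matters for the auditor: if P were created before the authority holder, the holder could not be attached, and if the library had public USE the EXCLUDE on the files would still protect the data but would no longer hide their existence.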
Adopted security
ADOPTED SECURITY: an example
Diagram: DATA B23, owner user B, public authority EXCLUDE. PROGRAM BAS, owner user B, public authority USE, adopting authority active. User A has EXCLUDE for data B23 and USE for program BAS.
Note: In this example, user B has access authority ALL to the object with data B23. User A can only access it through the program BAS.
Adopted security: search sequence
ADOPTED SECURITY: SEARCH SEQUENCE
The search for program A can be changed by the library sequence. When program B calls program A, program A is found in Library B.
Search sequence: Library B, containing program A and program B; then Library A, containing program A.
If Library A is placed in front of Library B, program A is found in the other library, which can result in the execution of an uncontrolled program and give unpredicted results such as a security breach.
Search sequence: Library A, containing program A; then Library B, containing program A and program B.
Adopted security ...
ADOPTED SECURITY ...
To eliminate the possibility of using the library sequence, the program call should supply the library name by using the qualified name in the CALL command:
CALL Lib(B)/PROGRAM(A)
Program A will then only be used from library B.
Another way to eliminate this security problem is not to call the program but to transfer control (TFRCTL) to program A. With TFRCTL, program A will not adopt the authorization of user B. This can only be done when appropriate for the program logic flow.
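The adopting program from the example slides written out, as an added example in CL (not from the original slides): library B, programs A and BAS, owner user B and the source file B/QCLSRC are assumed, and the actual CL syntax of the qualified call is PGM(library/program). The program is compiled as an OPM CL program with CRTCLPGM because TFRCTL is used.

```cl
/* Added example: source of PROGRAM BAS, owned by user B and compiled with  */
/* USRPRF(*OWNER), so that callers such as user A run with user B's        */
/* authority to DATA B23 only while BAS is on the call stack. Names are     */
/* assumed.                                                                 */
PGM
   /* Qualified call: program A is always taken from library B, whatever    */
   /* library sequence the caller has set up. A keeps running under the     */
   /* authority adopted from BAS, because BAS stays on the stack.           */
   CALL PGM(B/A)

   /* Alternative when BAS has nothing left to do: transfer control. BAS    */
   /* leaves the stack, so A no longer runs under user B's adopted          */
   /* authority.                                                            */
   /* TFRCTL PGM(B/A)                                                       */
ENDPGM

/* Compile commands, run by the owner user B:                               */
/*   CRTCLPGM PGM(B/BAS) SRCFILE(B/QCLSRC) SRCMBR(BAS) USRPRF(*OWNER) +    */
/*            AUT(*USE)                                                     */
/* Program A itself should not inherit authority adopted higher in the     */
/* stack unless that is intended:                                           */
/*   CHGPGM PGM(B/A) USEADPAUT(*NO)                                         */
/* Audit check: list every program that adopts user B's authority.         */
/*   DSPPGMADP USRPRF(B)                                                    */
```

For the auditor, DSPPGMADP answers the question the search-sequence slide raises: which programs adopt a powerful profile, and therefore which CALL statements must be qualified.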
Journaling
JOURNALING
To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary. The journal receiver is the object that will hold the journal entries and can be defined by the security officer using his/her own naming conventions.
The journal is created with the following commands:
CRTJRN JRN(QAUDJRN) LIB(QSYS) JRNRCV(USERRECV)
System values: QAUDJRN(JRN), QAUDLVL(AUTFAIL PGMFAIL)
To set the level of journaling the system value QAUDLVL must be set. Possible values are NONE, AUTFAIL, SAVRST, DELETE, SECURITY, CREATE, OBJMGT and PGMFAIL.
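The activation and the selective retrieval described in the two journaling slides, as an added example in CL (not from the original slides). The receiver name AUDRCV0001 and its library QGPL are assumed. The system value names are those of current OS/400 and IBM i releases (QAUDCTL switches auditing on and QAUDLVL selects the levels, with the values prefixed by an asterisk); the slides use the older names without the asterisk.

```cl
/* Added example: set up the security audit journal and pull out the       */
/* authority-failure entries. Receiver name and library are assumed.       */

/* 1. Receiver first: it holds the entries. Public EXCLUDE keeps the       */
/*    audit trail readable only by the security officer / auditor.         */
CRTJRNRCV JRNRCV(QGPL/AUDRCV0001) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit receiver')

/* 2. The journal must be QSYS/QAUDJRN. The system may attach a new        */
/*    receiver when the threshold is reached, but never deletes old ones   */
/*    (DLTRCV(*NO)): retention stays a human decision.                      */
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/AUDRCV0001) MNGRCV(*SYSTEM) +
       DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* 3. Switch auditing on and pick the levels from the slide:               */
/*    authority failures and program failures.                              */
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL')

/* 4. Selective retrieval: only the authority-failure entries (journal     */
/*    code T, entry type AF) are copied into an outfile the auditor can    */
/*    query instead of reading the whole receiver.                          */
DSPJRN JRN(QSYS/QAUDJRN) JRNCDE((T *ALLSLT)) ENTTYP(AF) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QTEMP/AUDAF)

/* 5. Check that the settings are still in place (a common audit finding   */
/*    is QAUDCTL set back to *NONE).                                        */
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
```

The OUTFILFMT models are the "sample object definitions" the slide refers to: each entry type has a fixed record layout, so the outfile can be read with a query or an SQL statement per event type.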