2010 db security
Uploaded by wayne-evans, posted 22-Dec-2014

Page 1: 2010 db security

OS/400 SECURITY

Data Base Security

Presented by Wayne O. Evans

Page 2

OS/400 Security DISCLAIMER

The security recommendations and any program source are offered "AS IS" for your consideration. Wayne O Evans Consulting makes no warranties or representations as to the quality of the examples. ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE SPECIFICALLY DISCLAIMED.

REPRODUCTION
Permission is granted to make a limited number of copies of this material for non-commercial purposes provided this page and the title page are included with all copies.

iSeries, AS/400 and OS/400 are registered trademarks of the IBM Corporation.

Wayne O Evans
5677 W Circle Z St
Tucson, AZ 85713
Tel (520)-578-7785
[email protected]

Page 3

DB Security Outline
  Logical Files
  Column Level Security
  DB Exit Programs

Page 4

Protect Sensitive Data

NAME     SALARY   DEPARTMENT
ELLEN    50,000   Accounting
NEIL     40,000   Legal
TRACEY   20,000   Management
TROY     45,000   Finance

Limited access

Production files may contain sensitive and less sensitive data.

Page 5

Hide Sensitive Fields

Table or Physical File:

NAME     SALARY   DEPARTMENT
ELLEN    50,000   Accounting
NEIL     40,000   Legal
TRACEY   20,000   Management
TROY     45,000   Finance

View or Logical File:

NAME     DEPARTMENT

Logical file with sensitive fields removed

Page 6

Prevent Access to Physical File

Table or Physical File:

NAME     SALARY   DEPARTMENT
ELLEN    50,000   Accounting
NEIL     40,000   Legal
TRACEY   20,000   Management
TROY     45,000   Finance

*PUBLIC   *READ *ADD *UPD *DLT   (no *OBJOPR)

*OBJOPR authority is required to open a file. To prevent access to sensitive fields, do not give users *OBJOPR to the physical file.

Page 7

Allow Access to Logical File

*OBJOPR authority is required to open a file. To allow access to non-sensitive fields, give users *OBJOPR to the logical file.

View or Logical File:

NAME     DEPARTMENT

*PUBLIC   *OBJOPR *READ *ADD *UPD *DLT

Page 8

Logical Files

Logical files use system security to protect fields.
Protects all interfaces.
May require several logical files when different fields are given to different groups of users.
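The authority settings of pages 6 and 7 as CL commands, an added example that is not from the handout. The library PAYLIB, the physical file EMPLOYEE, the logical file EMPPUBLIC and the source file QDDSSRC are assumed names; the field names are the handout's.

```cl
/* Added example: hide SALARY with a logical file plus object authority. */
/* Assumed names: library PAYLIB, physical file EMPLOYEE (NAME, SALARY,  */
/* DEPARTMENT), logical file EMPPUBLIC, source file PAYLIB/QDDSSRC.      */

/* DDS for member EMPPUBLIC in PAYLIB/QDDSSRC: the same records as        */
/* EMPLOYEE, with SALARY simply not listed, so the view has no salary.   */
/*      A          R EMPPUBR                   PFILE(PAYLIB/EMPLOYEE)     */
/*      A            NAME                                                */
/*      A            DEPARTMENT                                          */
CRTLF FILE(PAYLIB/EMPPUBLIC) SRCFILE(PAYLIB/QDDSSRC) SRCMBR(EMPPUBLIC) +
      TEXT('Employee data without salary')

/* Physical file (page 6): *PUBLIC keeps the data rights the logical     */
/* file needs to read and update rows, but loses *OBJOPR, so EMPLOYEE    */
/* itself cannot be opened from any interface (DFU, ODBC, FTP, file      */
/* transfer, SQL). RVKOBJAUT first so no earlier *OBJOPR grant survives. */
RVKOBJAUT OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(PAYLIB/EMPLOYEE) OBJTYPE(*FILE) USER(*PUBLIC) +
          AUT(*READ *ADD *UPD *DLT)

/* Logical file (page 7): *OBJOPR here is what lets users open the view. */
RVKOBJAUT OBJ(PAYLIB/EMPPUBLIC) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(PAYLIB/EMPPUBLIC) OBJTYPE(*FILE) USER(*PUBLIC) +
          AUT(*OBJOPR *READ *ADD *UPD *DLT)

/* Verify: *PUBLIC shows USER DEF without *OBJOPR on EMPLOYEE and with   */
/* *OBJOPR on EMPPUBLIC. Profiles with *ALLOBJ special authority are not */
/* limited by any of this, so review who holds it.                       */
DSPOBJAUT OBJ(PAYLIB/EMPLOYEE)  OBJTYPE(*FILE)
DSPOBJAUT OBJ(PAYLIB/EMPPUBLIC) OBJTYPE(*FILE)
```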

Page 9

DB Security Outline
  Logical Files
  Column Level Security
  DB Exit Programs

Page 10

Column Level Security

NAME     SALARY   DEPARTMENT
ELLEN    50,000   Accounting
NEIL     40,000   Legal
TRACEY   20,000   Management
TROY     45,000   Finance

Limited access

Column level security provides a way to limit update and reference access.
Read level access is not supported yet.

Page 11

Column-Level Security: Current Alternatives

Application program code limits access
  Programs prevent access to data base objects
  PROS: More flexible security checking
  CONS: Not enforced on all interfaces
        Extra programming required

Page 12

Column-Level Security: Current Alternatives

Logical files or SQL views
  Files created "hide" sensitive columns
  PROS: System does the work
  CONS: Not enforced on all interfaces
        Overhead of creating a logical file for each different view

Page 13

Column-Level Security: Current Alternatives

Stored procedures for ODBC access
  Stored procedures use adopted authority to gain access
  PROS: More flexible security checking
  CONS: Not enforced on all interfaces
        Extra programming required

Page 14

Column Level Security

SQL statements GRANT and REVOKE define column level authorities.

CL command DSPOBJAUT is used to display column level authorities.

Page 15

Column Level Security

Data base administrator enters

   STRSQL

On the SQL entry screen enter

   CREATE TABLE myfile (name CHAR(40), salary INTEGER, department CHAR(50))

   GRANT SELECT, UPDATE(name) ON TABLE myfile TO public

   GRANT SELECT, UPDATE(name, department) ON TABLE myfile TO woepgmr

Page 16

   DSPOBJAUT MYFILE *FILE

F16 shows field level authorities

Page 17

Field Authorities (DSPOBJAUT F16 screen)

Page 18

Column Level Security

Column level authorities are stored with the file.
Restoring user profiles will not restore column level authority.
Column level authority is enforced on the update operation (the update is rejected only when the column being restricted is modified).

Page 19

Objects Permissions (screenshot)

Pages 20 to 22: screenshots (Click, Right Click, Click)

Page 23

Column Level Security V4R2

Point and click on the checkbox to modify column security.

Page 24

DB Security Outline
  Logical Files
  Column Level Security
  DB Exit Programs
    Overview
    Sample Exit Programs
      iSeries Navigator (File Transfer and ODBC)
      FTP

Page 25

Many Ways to Transfer Data

  DDM - Distributed Data Management
  FTP - File Transfer Protocol
  Client Access
    File transfer
    ODBC

Page 26

Need to Limit Users' Access

Users are authorized to data because of existing applications.

A need exists to prevent the user from using their access outside of applications.

EXIT PROGRAMS provide a way to screen user actions.

Page 27

Exit Programs

Registration Facility

Exit Program Overview

Page 28

Identifying Exit Programs

• Network attributes - DDMACC - PCSACC
  The exit program supplements existing object security.
  Request -> server -> exit PGM (EXIT1, named in DDMACC or PCSACC) -> 1-ok / 0-No -> server performs the request only if ok

• Registration facility - WRKREGINF
  Exit point    Exit Program
  QIBM_...      Pgm
  QIBM_...      Pgm
  QIBM_...      Pgm

Page 29

Exit Programs Supplement Object Level Security

EXIT PROGRAMS
  Prevent specific operations
    file transfer
    remote commands
  Restrict access to specific libraries
  Monitor use
    Record activity for usage analysis

Page 31

Exit Program Flow

1. SOURCE system sends request to AS/400 (TARGET system)
2. AS/400 calls exit program (EXIT1) named in network attribute DDMACC or PCSACC, or in the Registration Facility (WRKREGINF: exit point QIBM_... -> EXIT1)
3. User exit program looks at request and sets return code: 1 = accept request, 0 = reject request

Page 32

Exit Programs

Registration Facility

Exit Program Overview

Page 33

Network Attribute PCSACC

Network Attribute values prior to V3R1:
  *OBJAUT    Object authorizations are checked for this client request
  *REJECT    Reject all server requests from clients
  PGM-name   Exit program name called by all requests

ALL REQUESTS -> server -> Exit PGM -> 1-ok / 0-No

• Every request invokes the same exit program
• Overhead of the exit program for requests that are not restricted

Page 34

EXIT PROGRAM

PCSACC(EXIT-PGM-Name)

When the network attribute names a program, all requests are handled by the same exit:

REQUESTS (Shared Folders, File Transfer, Remote Commands, API's, Messages RCV/SND, Printer Support) -> server -> Exit PGM -> 1-ok / 0-No

Performance overhead on all requests

Page 35

Network Attribute PCSACC(*REGFAC)

Use the system's registration facility to determine which exit program to run.

REQUESTS -> server -> Exit PGM -> 1-ok / 0-No   (servers with a registered exit)
REQUESTS -> server                               (servers without an exit)

Multiple Exits Possible

No exit (overhead) for some servers

Page 36

Do I need to use the registration facility? Comparison

exit-pgm:  All REQUESTS -> server -> Exit PGM
  Overhead
  • All requests checked
  • More complex logic (larger program)

*REGFAC:   REQUESTS -> server
           REQUESTS -> server -> Exit PGM
  Overhead Reduced
  • Selected requests checked
  • Program logic simpler

RECOMMEND: Use registration facility
  ➤ Performance advantage
  ➤ Can check more request types

Page 37

Work with Exit Programs: WRKREGINF

                    Work with Registration Information

  5=Display exit point   8=Work with exit programs

     Exit                        Exit Point   Regist-
Opt  Point                       Format       ered     Text
_    QIBM_QGW_NJEOUTBOUND        NJEO0100     *YES     Network Job Entry
_    QIBM_QHQ_DTAQ               DTAQ0100     *YES     Original Data Queue
_    QIBM_QLZP_LICENSE           LICM0100     *YES     Original License Mgmt
_    QIBM_QMF_MESSAGE            MESS0100     *YES     Original Message
_    QIBM_QNPS_ENTRY             ENTR0100     *YES     Network Print- entry
_    QIBM_QNPS_SPLF              SPLF0100     *YES     Network Print- spool
_    QIBM_QNS_CRADDACT           ADDA0100     *YES     Add CRQ description
_    QIBM_QNS_CRCHGACT           CHGA0100     *YES     Change CRQ desc
_    QIBM_QNS_CRDLTSBMCRQ        DLTA0100     *YES     Delete submitted CRQ
_    QIBM_QNS_CRDSPACT           DSPA0100     *YES     Display CRQ desc
_    QIBM_QNS_CREXCACT           EXCA0100     *YES     Run CRQ activity
                                                                  More...
Command
===> ____________________________________________
F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel

• Exit program for a specific function
• Multiple programs can be defined

Page 38

Work with Exit Programs

                        Work With Exit Programs

Exit Point: QIBM_QZRC_RMT        Format: CZRC0100

Type Options, Press Enter.
  1=add   4=remove   5=display   10=replace

     Exit Program     Exit
Opt  Number           Program      Library
__   __________       __________   __________
     1                EXIT1        MYLIB

Command
==> ________________________________
F3=exit   F4=prompt   F5=refresh   F9=retrieve

• Exit program for a specific function
• Multiple programs can be defined

Page 39

DB Security Outline
  Logical Files
  Column Level Security
  DB Exit Programs
    Overview
    Sample Exit Programs
      iSeries Navigator (File Transfer and ODBC)
      FTP

Page 40

Exit Programs

CALL EXIT (RTNCDE STRUCTURE)

RTNCDE:   '0' NO    '1' OK

STRUCTURE:
  Field                  Format   Size
  User profile name      Char     10
  Application name       Char     10
  Function               Char     10
  Object name            Char     10
  Library name           Char     10
  Object type            Char     7
  Format name            Char     10
  Variable data length   Zoned    5,0
  Variable data          Char     *

Format detail is described in AS/400 Distributed Data Management SC41-5307 and Client Access Server Concepts SC41-5740.

Page 41

Operation Code by Function

Application   Function              Operation
*LMSRV        license management    REQUEST  RELEASE
*VPRT         virtual print         EXTRACT  CHECK  OPEN
*TFRFCL       file transfer         SELECT  JOIN  REPLACE  EXTRACT
                EXTRACT   AS/400 -> PC   retrieve information
                SELECT    AS/400 -> PC   download file
                JOIN      AS/400 -> PC   download joined file
                REPLACE   PC -> AS/400   upload file

Page 42

Operation Code by Function

Application   Function                       Operation
*FLRSRV       shared folders type 2          CHANGE  CREATE  DELETE  EXTRACT  MOVE  OPEN  RENAME
*MSGFCL       messages                       SEND  RECEIVE
*DDM          distributed data management    ADDMBR  DELETE  RENAME  CHANGE  EXTRACT  RGZMBR
                                             CHGMBR  INITIALIZE  RMVMBR  CLEAR  LOAD  RNMMBR
                                             COMMAND  COPY  MOVE  LOCK  CREATE  OPEN  UNLOAD

Page 43

PREVENT REMOTE COMMANDS

1. Create CL program
   CRTCLPGM STOPCMDS SRCFILE( )

2. Change network attributes
   CHGNETA DDMACC(STOPCMDS)

   PGM PARM(&RTNCODE &DATA)
   DCL &DATA    *CHAR 30
   DCL &RTNCODE *CHAR 1
   DCL &FUNC    *CHAR 10
   CHGVAR &FUNC (%SST(&DATA 21 10))   /* function is bytes 21-30 */
   IF (&FUNC = 'COMMAND ') +
      THEN(CHGVAR &RTNCODE '0')        /* reject remote command   */
   ELSE CHGVAR &RTNCODE '1'            /* allow everything else   */
   ENDPGM

Page 44

Prevent Remote Commands and File Upload

   /****************************************************/
   /* Installation instructions                        */
   /* 1. Compile program                               */
   /*    CRTCLPGM PGM(LIB/EXIT1)                       */
   /*             SRCFILE( ) USRPRF(*OWNER)            */
   /* 2. Change owner of the program to user QSECOFR.  */
   /*    Adopted authority allows the program to send  */
   /*    to the audit journal                          */
   /*    CHGOBJOWN OBJ(LIB/EXIT1)                      */
   /*              OBJTYPE(*PGM) NEWOWN(QSECOFR)       */
   /* 3. Name the exit program in network attributes   */
   /*    CHGNETA DDMACC(LIB/EXIT1)                     */
   /*            PCSACC(LIB/EXIT1)                     */
   /*                                                  */
   /* The audit journal QAUDJRN entries created are:   */
   /*  'X1' = Requests that are allowed                */
   /*  'X0' = Requests that are rejected               */
   /****************************************************/
   PGM PARM(&RC &STRU)
   DCL &RC   *CHAR 1     /* Return 1=allow 0=prevent */
   DCL &STRU *CHAR 200   /* Request description      */
   DCL &USER *CHAR 10    /* User profile name        */
   DCL &APP1 *CHAR 10    /* Requested function       */
   DCL &APP2 *CHAR 10    /* Sub function             */
   DCL &TYPE *CHAR 2     /* Journal entry type       */

1 of 2

Page 45

Prevent Remote Commands and File Upload

   MONMSG CPF0000 EXEC(GOTO EXIT)              /* If error, exit      */
   CHGVAR &RC '1'                              /* Allow request       */
   CHGVAR &USER (%SST(&STRU 1 10))             /* Get user            */
   CHGVAR &APP1 (%SST(&STRU 11 10))            /* Get application     */
   CHGVAR &APP2 (%SST(&STRU 21 10))            /* Get function        */
   /* Do not log IBM request to check license */
   IF (&APP1 = '*LMSRV') GOTO EXIT
   IF (&USER = 'XXXXXXXXX') GOTO LOG           /* Trusted user: allow */
   /* Prevent use of remote commands */
   IF (&APP1 = '*DDM' *AND &APP2 = 'COMMAND') +
      CHGVAR &RC '0'                           /* Prevent the request */
   ELSE CMD(IF (&APP1 = '*TFRFCL' *AND &APP2 = 'REPLACE') +
               CHGVAR &RC '0')                 /* Prevent file upload from PC  */
                                               /* users; download to PC is not */
                                               /* prevented                    */
   /* Log request in the audit journal */
   LOG:  CHGVAR &TYPE ('X' *CAT &RC)
         SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
   EXIT: ENDPGM

2 of 2

Good Way to Monitor Use

Page 46

The Exit Will Depend Upon the Client Operating System

EXIT1 = Original File Transfer   (exit point QIBM_QTF_TRANSFER)
EXIT2 = Data Base Server         (exit point QIBM_QZDA_NDB1)

[Table: file transfer from the following interfaces. Rows are the client operating systems (DOS, DOS extended, Windows 3.x, OS/2, OS/2 Optimized, Windows 95/NT Optimized); columns are the interfaces (API, PC5250 Emulation, ODBC, Rumba Emulation, Interactive Interface, GUI); each cell names the exit invoked, EXIT1, EXIT2 or N/A.]

Page 47

Exit Program Usage

EXIT1 - Original File Transfer
EXIT2 - Windows 95 and NT File Transfer

1. Two programs are required because the parameters are different
2. Limit all file transfer based upon library name
     Upload from UP_LIB
     Download from DOWN_LIB
3. Log requests in the audit journal

Note: It is not possible to determine the type of request for EXIT2. Allow transfer (UP and DOWN) in either library.

Page 48

Installation Instructions

1. Compile programs

   CRTCLPGM PGM(XXX/EXIT1) SRCFILE(XXX/QCLSRC) +
            USRPRF(*OWNER)
   CRTCLPGM PGM(XXX/EXIT2) SRCFILE(XXX/QCLSRC) +
            USRPRF(*OWNER)

2. Change owner

   CHGOBJOWN OBJ(XXX/EXIT1) OBJTYPE(*PGM) +
             NEWOWN(QSECOFR)
   CHGOBJOWN OBJ(XXX/EXIT2) OBJTYPE(*PGM) +
             NEWOWN(QSECOFR)

   Adopt the owner's authority to allow the programs to send to the audit journal.

Page 49

Installation Instructions

3. Register the exit programs

   ADDEXITPGM EXITPNT(QIBM_QTF_TRANSFER) +
              FORMAT(TR
AN0100) PGMNBR(1) +
              PGM(XXX/EXIT1) +
              TEXT('Limit to specific Libraries')

   ADDEXITPGM EXITPNT(QIBM_QZDA_NDB1) +
              FORMAT(ZDAD0100) PGMNBR(1) +
              PGM(XXX/EXIT2) REPLACE(*NO) +
              TEXT('Limit to specific libraries')

4. Update the network attribute

   CHGNETA PCSACC(*REGFAC)

Page 50

EXIT1 - Original File Transfer Exit   1 of 3

   /*==========================================================*/
   /* To compile:                                              */
   /*   CRTCLPGM PGM(XXX/EXIT1) SRCFILE(XXX/QCLSRC) +          */
   /*            USRPRF(*OWNER)                                */
   /* installation instructions:                               */
   /* 1. Compile program                                       */
   /* 2. Change owner of the program to user QSECOFR.          */
   /*    Adopted authority allows the program to send          */
   /*    to the audit journal                                  */
   /*    CHGOBJOWN OBJ(XXX/EXIT1) OBJTYPE(*PGM) +              */
   /*              NEWOWN(QSECOFR)                             */
   /* 3. Name the exit program in registration facility        */
   /*    ADDEXITPGM EXITPNT(QIBM_QTF_TRANSFER) +               */
   /*               FORMAT(TRAN0100) PGMNBR(1) +               */
   /*               PGM(XXX/EXIT1) +                           */
   /*               TEXT('limit to specific libraries')        */
   /* 4. Set registration facility in the network attribute    */
   /*    CHGNETA PCSACC(*REGFAC)                               */
   /* The request is recorded in the audit journal             */
   /* The audit journal QAUDJRN entries created are:           */
   /*  'X1' = requests that are allowed                        */
   /*  'X0' = requests that are rejected                       */
   /*==========================================================*/
   PGM PARM(&RC &STRU)
   DCL VAR(&RC)   TYPE(*CHAR) LEN(1)   /* 1=allow 0=prevent   */
   DCL VAR(&STRU) TYPE(*CHAR) LEN(80)  /* request description */

Page 51

EXIT1 - Original File Transfer Exit   2 of 3

   DCL VAR(&USER)  TYPE(*CHAR) LEN(10) /* user profile  */
   DCL VAR(&APP1)  TYPE(*CHAR) LEN(10) /* function      */
   DCL VAR(&APP2)  TYPE(*CHAR) LEN(10) /* sub function  */
   DCL VAR(&TFOBJ) TYPE(*CHAR) LEN(10) /* file name     */
   DCL VAR(&TFLIB) TYPE(*CHAR) LEN(10) /* library       */
   DCL VAR(&TFMBR) TYPE(*CHAR) LEN(10) /* member        */
   DCL VAR(&TFFMT) TYPE(*CHAR) LEN(10) /* format        */
   DCL VAR(&TYPE)  TYPE(*CHAR) LEN(2)  /* journal type  */
   MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))
   /* set return code to allow request unless rejected by program */
   CHGVAR VAR(&RC)    VALUE('1')
   CHGVAR VAR(&USER)  VALUE(%SST(&STRU 1 10))   /* get user     */
   CHGVAR VAR(&APP2)  VALUE(%SST(&STRU 21 10))  /* get function */
   CHGVAR VAR(&TFOBJ) VALUE(%SST(&STRU 31 10))  /* get file     */
   CHGVAR VAR(&TFLIB) VALUE(%SST(&STRU 41 10))  /* get library  */
   CHGVAR VAR(&TFMBR) VALUE(%SST(&STRU 51 10))  /* get member   */
   CHGVAR VAR(&TFFMT) VALUE(%SST(&STRU 61 10))  /* get format   */

Page 52

EXIT1 - Original File Transfer Exit   3 of 3

   /*******************************************/
   /* Prevent file upload from PC users       */
   /*   except in the UP_LIB library          */
   /* Prevent download to PC                  */
   /*   except in the DOWN_LIB library        */
   /*******************************************/
   IF COND(&APP2 *EQ 'REPLACE') THEN(DO)
      IF COND(&TFLIB *NE 'UP_LIB ') THEN( +
         CHGVAR &RC '0')                /* prevent request */
   ENDDO
   IF COND(&APP2 *EQ 'SELECT') THEN(DO)
      IF COND(&TFLIB *NE 'DOWN_LIB ') THEN( +
         CHGVAR &RC '0')                /* prevent request */
   ENDDO
   /*******************************************/
   /* Log request in the audit journal        */
   /*******************************************/
   LOG:  CHGVAR VAR(&TYPE) VALUE('X' *CAT &RC)
         SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
   EXIT: ENDPGM

Good Way to Monitor Use

Page 53

EXIT2 - Windows 95/NT File Transfer Exit   1 of 3

   /*===============================================================*/
   /* To compile:                                                   */
   /*                                                               */
   /*   CRTCLPGM PGM(XXX/EXIT2) SRCFILE(XXX/QCLSRC) +               */
   /*            USRPRF(*OWNER)                                     */
   /*                                                               */
   /* installation instructions:                                    */
   /* 1. Compile program                                            */
   /*                                                               */
   /* 2. Change owner of the program to user QSECOFR.               */
   /*    Adopted authority allows the program to send               */
   /*    to the audit journal                                       */
   /*                                                               */
   /*    CHGOBJOWN OBJ(XXX/EXIT2) OBJTYPE(*PGM) +                   */
   /*              NEWOWN(QSECOFR)                                  */
   /*                                                               */
   /* 3. Name the exit program in registration facility             */
   /*                                                               */
   /*    ADDEXITPGM EXITPNT(QIBM_QZDA_NDB1) +                       */
   /*               FORMAT(ZDAD0100) PGMNBR(1) +                    */
   /*               PGM(XXX/EXIT2) REPLACE(*NO) +                   */
   /*               TEXT('limit to specific libraries')             */
   /*                                                               */
   /* The request is recorded in the audit journal                  */
   /* The audit journal QAUDJRN entries created are:                */
   /*  'Z1' = requests that are allowed                             */
   /*  'Z0' = requests that are rejected                            */
   /*===============================================================*/
   PGM PARM(&RC &REQUEST)
   DCL VAR(&RC)      TYPE(*CHAR) LEN(1)   /* 1=allow 0=prevent  */
   DCL VAR(&REQUEST) TYPE(*CHAR) LEN(700) /* request desc       */
   DCL VAR(&TYPE)    TYPE(*CHAR) LEN(2)   /* journal entry type */

Page 54

EXIT2 - Windows 95/NT File Transfer Exit   2 of 3

   DCL VAR(&X1800) TYPE(*CHAR) LEN(4) VALUE(X'00001800') /* create database file */
   DCL VAR(&X1801) TYPE(*CHAR) LEN(4) VALUE(X'00001801') /* create source file   */
   DCL VAR(&X1802) TYPE(*CHAR) LEN(4) VALUE(X'00001802') /* add member           */
   DCL VAR(&X1803) TYPE(*CHAR) LEN(4) VALUE(X'00001803') /* clear member         */
   DCL VAR(&X1804) TYPE(*CHAR) LEN(4) VALUE(X'00001804') /* delete member        */
   DCL VAR(&X1805) TYPE(*CHAR) LEN(4) VALUE(X'00001805') /* file override        */
   DCL VAR(&X1806) TYPE(*CHAR) LEN(4) VALUE(X'00001806') /* delete file override */
   DCL VAR(&X1807) TYPE(*CHAR) LEN(4) VALUE(X'00001807') /* create save file     */
   DCL VAR(&X1808) TYPE(*CHAR) LEN(4) VALUE(X'00001808') /* clear save file      */
   DCL VAR(&X1809) TYPE(*CHAR) LEN(4) VALUE(X'00001809') /* delete file          */
   /* OPTIMIZED DATABASE SERVER DECLARES */
   DCL VAR(&DBFMT)  TYPE(*CHAR) LEN(8)   /* format name           */
   DCL VAR(&DBFID)  TYPE(*CHAR) LEN(4)   /* function identifier   */
   /* THE FOLLOWING PARAMETERS ARE ADDITIONAL FOR FORMAT ZDAD0100 */
   DCL VAR(&DBFILE) TYPE(*CHAR) LEN(128) /* file name             */
   DCL VAR(&DBLIB)  TYPE(*CHAR) LEN(10)  /* library name          */
   DCL VAR(&DBMBR)  TYPE(*CHAR) LEN(10)  /* member name           */
   DCL VAR(&DBAUT)  TYPE(*CHAR) LEN(10)  /* authority to file     */
   DCL VAR(&DBBFIL) TYPE(*CHAR) LEN(128) /* based on file name    */
   DCL VAR(&DBBLIB) TYPE(*CHAR) LEN(10)  /* based on library name */
   DCL VAR(&DBOFIL) TYPE(*CHAR) LEN(10)  /* override file name    */
   DCL VAR(&DBOLIB) TYPE(*CHAR) LEN(10)  /* override library name */
   DCL VAR(&DBOMBR) TYPE(*CHAR) LEN(10)  /* override member name  */

Page 55

EXIT2 - Windows 95/NT File Transfer Exit   3 of 3

   MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))
   /* allow request unless rejected by program */
   CHGVAR VAR(&RC) VALUE('1')
   /* set variables from request description */
   CHGVAR VAR(&DBFMT)  VALUE(%SST(&REQUEST 21 8))
   CHGVAR VAR(&DBFID)  VALUE(%SST(&REQUEST 29 4))
   CHGVAR VAR(&DBFILE) VALUE(%SST(&REQUEST 33 128))
   CHGVAR VAR(&DBLIB)  VALUE(%SST(&REQUEST 161 10))
   CHGVAR VAR(&DBMBR)  VALUE(%SST(&REQUEST 171 10))
   CHGVAR VAR(&DBOFIL) VALUE(%SST(&REQUEST 329 10))
   CHGVAR VAR(&DBOLIB) VALUE(%SST(&REQUEST 339 10))
   CHGVAR VAR(&DBOMBR) VALUE(%SST(&REQUEST 349 10))
   IF COND(&DBFID = &X1805) THEN(DO)           /* OVERRIDE */
      IF COND(&DBOLIB = 'UP_LIB')   THEN(GOTO LOG)
      IF COND(&DBOLIB = 'DOWN_LIB') THEN(GOTO LOG)
      CHGVAR VAR(&RC) VALUE('0')               /* any other library: prevent */
   ENDDO
   /* log request in the audit journal */
   LOG:  CHGVAR VAR(&TYPE) VALUE('Z' *CAT &RC)
         SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&REQUEST)
   EXIT: ENDPGM

Page 56

Allowing Specific Users Access

Could check the name of the user in the exit program:

   IF (&USER = 'User 1 ') GOTO LOG
   IF (&USER = 'User 2 ') GOTO LOG

+ Good performance of the exit program
- To change users requires the program to be modified
- Security specification uses a different technique

Page 57

Allowing Specific Users Access

Could check the name of the user in a file read by the exit program (Exit Program -> Read -> user file)

+ More flexible: change users without changing the program
- Potential performance concern if used frequently
- Additional file open in each job with the exit
- Security specification uses a different technique

Page 58

Allowing Specific Users Access

Could check the authorization list for user access (Exit Program -> CHKOBJ -> Authorization List)

+ More flexible: change users without changing the program
+ Minimal performance overhead
+ Does not require a file open
+ Uses standard security interfaces

Page 59

Check an Authorization List (Exit Program -> CHKOBJ -> Authorization List)

   IF COND(………………. ) THEN(DO)
      CHKOBJ OBJ(QSYS/FILEREAD) +
             OBJTYPE(*AUTL) AUT(*USE)
      MONMSG MSGID(CPF9800) +
             EXEC(CHGVAR &RC '0')
      GOTO LOG
   ENDDO

Possible to check for different authorities:
  *USE for Read actions
  *CHANGE for Update actions

Page 60

Check an Authorization List (Exit Program -> CHKOBJ -> Authorization List)

See end of handout for an example program using authorization lists
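The handout's own authorization-list program is not part of this transcript; what follows is an added example, not the author's code, that applies pages 58 to 60 to the original file transfer exit (QIBM_QTF_TRANSFER, format TRAN0100) and journals decisions the way EXIT1 does. It assumes the list name FILEREAD from page 59, the request layout EXIT1 uses on pages 50 to 52 (function at byte 21), the library XXX, a logging program LOGXFER, and that the server job runs under the requesting user's profile when the exit is called. The split into two programs is the point: CHKOBJ honours adopted authority, so an exit compiled with USRPRF(*OWNER) and owned by QSECOFR would pass every check.

```cl
/*=================================================================*/
/* EXITAUTL - added example, not from the handout. Original file   */
/* transfer exit that decides from an authorization list instead  */
/* of hard-coded user names (pages 58-60).                         */
/*   *USE    on the list -> download (SELECT, JOIN) allowed         */
/*   *CHANGE on the list -> upload (REPLACE) allowed as well        */
/* Compile WITHOUT adopted authority: CHKOBJ tests the job's user  */
/* plus any adopted authority, so an exit owned by QSECOFR with    */
/* USRPRF(*OWNER) would approve everything. The adoption needed   */
/* for SNDJRNE is confined to LOGXFER (second member below).       */
/* Install (assumed names: list FILEREAD, library XXX):            */
/*   CRTAUTL AUTL(FILEREAD) AUT(*EXCLUDE)                          */
/*   ADDAUTLE AUTL(FILEREAD) USER(WOEPGMR) AUT(*CHANGE)            */
/*   CRTCLPGM PGM(XXX/EXITAUTL) SRCFILE(XXX/QCLSRC) USRPRF(*USER)  */
/*   CRTCLPGM PGM(XXX/LOGXFER)  SRCFILE(XXX/QCLSRC) USRPRF(*OWNER) */
/*   CHGOBJOWN OBJ(XXX/LOGXFER) OBJTYPE(*PGM) NEWOWN(QSECOFR)      */
/*   ADDEXITPGM EXITPNT(QIBM_QTF_TRANSFER) FORMAT(TRAN0100) +     */
/*              PGMNBR(1) PGM(XXX/EXITAUTL)                         */
/*   CHGNETA PCSACC(*REGFAC)                                        */
/*=================================================================*/
PGM PARM(&RC &STRU)
DCL VAR(&RC)   TYPE(*CHAR) LEN(1)    /* 1=allow 0=prevent          */
DCL VAR(&STRU) TYPE(*CHAR) LEN(80)   /* request description        */
DCL VAR(&APP2) TYPE(*CHAR) LEN(10)   /* requested function         */
DCL VAR(&NEED) TYPE(*CHAR) LEN(10)   /* authority the request needs */
MONMSG MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))

CHGVAR VAR(&RC)   VALUE('0')         /* deny unless allowed below  */
CHGVAR VAR(&APP2) VALUE(%SST(&STRU 21 10))

/* EXTRACT only returns the file description: always allowed       */
IF COND(&APP2 *EQ 'EXTRACT') THEN(DO)
   CHGVAR VAR(&RC) VALUE('1')
   GOTO CMDLBL(LOG)
ENDDO
/* Read actions need *USE, update actions need *CHANGE (page 59)   */
IF COND((&APP2 *EQ 'SELECT') *OR (&APP2 *EQ 'JOIN')) +
   THEN(CHGVAR VAR(&NEED) VALUE('*USE'))
IF COND(&APP2 *EQ 'REPLACE') THEN(CHGVAR VAR(&NEED) VALUE('*CHANGE'))
/* Any other function stays rejected but is still journaled        */
IF COND(&NEED *EQ ' ') THEN(GOTO CMDLBL(LOG))

/* CHKOBJ succeeds only when the requesting user (directly, through */
/* a group profile, or as *PUBLIC) has &NEED to the list. CPF9802  */
/* (not authorized) and CPF9801 (list missing) leave &RC at '0'.   */
CHKOBJ OBJ(QSYS/FILEREAD) OBJTYPE(*AUTL) AUT(&NEED)
MONMSG MSGID(CPF9800) EXEC(GOTO CMDLBL(LOG))
CHGVAR VAR(&RC) VALUE('1')

LOG:  CALL PGM(XXX/LOGXFER) PARM(&RC &STRU)
EXIT: ENDPGM

/*=================================================================*/
/* LOGXFER - second source member. Journals the decision like     */
/* EXIT1: 'X1' allowed, 'X0' rejected. Owned by QSECOFR with      */
/* USRPRF(*OWNER) because ordinary users cannot write QAUDJRN.    */
/* Rejections can be pulled out later with, for example,          */
/*   DSPJRN JRN(QAUDJRN) ENTTYP(X0) OUTPUT(*OUTFILE) +             */
/*          OUTFILE(XXX/REJECTS)                                   */
/*=================================================================*/
PGM PARM(&RC &STRU)
DCL VAR(&RC)   TYPE(*CHAR) LEN(1)
DCL VAR(&STRU) TYPE(*CHAR) LEN(80)
DCL VAR(&TYPE) TYPE(*CHAR) LEN(2)
MONMSG MSGID(CPF0000)                /* a logging error must not change &RC */
CHGVAR VAR(&TYPE) VALUE('X' *CAT &RC)
SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
ENDPGM
```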

Page 61

DB Security Outline
  Logical Files
  Column Level Security
  DB Exit Programs
    Overview
    Sample Exit Programs
      iSeries Navigator (File Transfer and ODBC)
      FTP

Page 62

FTP Server Exit Programs

FTP server logon exit program
  Permit or deny users to log on based on:
    User ID
    Password
    Client IP address
  Establish an anonymous FTP server

FTP request validation exit program
  Permit or deny FTP operation based on:
    User profile
    Remote IP address of FTP client or server
    Directory, library, files (path names)
    CL commands

Page 63

OS/400 FTP Server User Exit Program

Exit Program Flow

❶ TCP/IP calls the exit, passing parameters
❷ Exit program processes parameters
❸ Exit program sets return code
❹ TCP/IP application performs the operation based on the exit program response

Page 64

TCP/IP Application Request Validation Exit Point Interface

Parameters: FTP Server -> User Exit Program

Parameter                                 Use     Type
Application identifier                    Input   Binary(4)
    0  FTP client program
    1  FTP server program
Operation identifier                      Input   Binary(4)
    0  Session initialization
    1  Directory/library create
    2  Directory/library deletion
    3  Set current directory
    4  List files
    5  File deletion
    6  Sending file
    7  Receiving file
    8  Renaming file
    9  Execute CL command
User profile                              Input   Char(10)
Remote IP address                         Input   Char(*)
Length of remote IP address               Input   Binary(4)
Operation-specific information            Input   Char(*)
Length of operation-specific information  Input   Binary(4)
Return code                               Output  Binary(4)
   -1  Never allow this operation identifier
    0  Reject the operation
    1  Allow the operation
    2  Always allow this operation identifier

Page 65

FTP Logon Interface

Parameters: FTP Logon -> User Exit Program

Parameter                        Use     Type
Application identifier           Input   Binary(4)
    1  FTP server program
User identifier                  Input   Char(*)
Length of user identifier        Input   Binary(4)
Authentication string            Input   Char(*)
Length of authentication string  Input   Binary(4)
Client IP address                Input   Char(*)
Length of client IP address      Input   Binary(4)
Return code                      Output  Binary(4)
    0  Reject the logon operation
    1  Continue the logon operation
    2  Continue the logon operation with the specified user identifier and authentication string, and override the initial current library with exit program values
    3  Continue the logon operation. Override the user profile and password with exit program values
User profile                     Output  Char(10)
Password                         Output  Char(10)
Initial current library          Output  Char(10)

Page 66

FTP Server Request Validation   1 of 4

   /**********************************************************************/
   /* Sample FTP server request validation exit program for anonymous FTP*/
   /* Notes:                                                             */
   /* 1. When the application id is 1 (ftp server) and the operation id  */
   /*    is 0 (session initialization), the job is running under the QTCP*/
   /*    user profile when the exit program is called. In all other      */
   /*    cases, the job is running under the user's profile.             */
   /* 2. Create the exit program in a library with public authority      */
   /*    *EXCLUDE. The exit program itself should be given *EXCLUDE      */
   /*    public authority. The FTP server adopts the authority necessary */
   /*    to call the exit program.                                       */
   /* 3. It is possible to use the same exit program for both the ftp    */
   /*    client and server request validation exit points.               */
   /**********************************************************************/
   TSTREQCL: PGM PARM(&APPIDIN &OPIDIN &USRPRF &IPADDRIN +
                      &IPLENIN &OPINFOIN &OPLENIN &ALLOWOP)

Example from TCP/IP Configuration and Reference SC41-5420

Page 67

FTP Server Request Validation   2 of 4

   /* Declare input parameters */
   DCL &APPIDIN  *CHAR LEN(4)    /* Application ID                */
   DCL &OPIDIN   *CHAR LEN(4)    /* Operation ID                  */
   DCL &USRPRF   *CHAR LEN(10)   /* User profile                  */
   DCL &IPADDRIN *CHAR LEN(15)   /* Remote IP address             */
   DCL &IPLENIN  *CHAR LEN(4)    /* Length of IP address          */
   DCL &OPLENIN  *CHAR LEN(4)    /* Length of operation-spec info */
   DCL &OPINFOIN *CHAR LEN(9999) /* Operation-specific info       */
   DCL &ALLOWOP  *CHAR LEN(4)    /* allow (output)                */
   /* Declare local copies of parameters (in format usable by CL) */
   DCL &APPID    TYPE(*DEC) LEN(1 0)
   DCL &OPID     TYPE(*DEC) LEN(1 0)
   DCL &IPLEN    TYPE(*DEC) LEN(5 0)
   DCL &IPADDR   *CHAR LEN(15)
   DCL &OPLEN    TYPE(*DEC) LEN(5 0)
   DCL &OPINFO   *CHAR LEN(9999)
   DCL &PATHNAME *CHAR LEN(9999) /* Uppercase path name */
   /* Declare values for allow(1) and no allow(0) */
   DCL &ALLOW    TYPE(*DEC) LEN(1 0) VALUE(1)
   DCL &NOALLOW  TYPE(*DEC) LEN(1 0) VALUE(0)
   /* Declare request control block for QLGCNVCS (convert case) API: */
   /* convert to uppercase based on job CCSID                        */
   DCL &CASEREQ  *CHAR LEN(22) +
       VALUE(X'00000001000000000000000000000000000000000000')
   DCL &ERROR    *CHAR LEN(4) VALUE(X'00000000')

Page 68

FTP Server Request Validation   3 of 4

   /* Assign input parameters to local copies */
   CHGVAR VAR(&APPID)  VALUE(%BINARY(&APPIDIN))
   CHGVAR VAR(&OPID)   VALUE(%BINARY(&OPIDIN))
   CHGVAR VAR(&IPLEN)  VALUE(%BINARY(&IPLENIN))
   CHGVAR VAR(&IPADDR) VALUE(%SUBSTRING(&IPADDRIN 1 &IPLEN))
   CHGVAR VAR(&OPLEN)  VALUE(%BINARY(&OPLENIN))
   /* Handle operation specific information field (which is variable length) */
   IF COND(&OPLEN = 0) THEN(CHGVAR VAR(&OPINFO) VALUE(' '))
   ELSE CMD(CHGVAR VAR(&OPINFO) VALUE(%SST(&OPINFOIN 1 &OPLEN)))
   /* Default the output to reject; every accepted path below sets  */
   /* &ALLOW explicitly, so no operation can fall through unset.    */
   CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW)
   /* Operation ID 0 (incoming connection): reject if connection is    */
   /* through interface 9.8.7.6, accept otherwise. (Just an example.)  */
   /* This capability could be used to only allow incoming connections */
   /* from an internal network and reject them from the "real"         */
   /* Internet, if the connection to the Internet                      */
   /* NOTE: For FTP server, operation 0 is ALWAYS under QTCP profile   */
   IF COND(&OPID = 0) THEN(DO)
      IF COND(&OPINFO = '9.8.7.6') THEN(CHGVAR +
                  VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW))
      ELSE CMD(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&ALLOW))
      GOTO CMDLBL(END)
   ENDDO

Page 69

FTP Server Request Validation   4 of 4

   IF COND(&USRPRF = 'ANONYMOUS ') THEN(DO)
      /* Do not allow the following operations for ANONYMOUS user: */
      IF COND(&OPID = 2 |   /* Directory/library deletion */ +
              &OPID = 5 |   /* File deletion              */ +
              &OPID = 7 |   /* Receive file               */ +
              &OPID = 8 |   /* Rename file                */ +
              &OPID = 9)    /* Execute cmd                */ +
         THEN(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW))
      ELSE CMD(DO)
         IF COND(&OPID = 3 |   /* Change directory */ +
                 &OPID = 4 |   /* List directory   */ +
                 &OPID = 6)    /* Send file        */ +
            THEN(DO)
            /* Convert path name to uppercase (since names in "root" and */
            /* library file systems are not case sensitive)              */
            CALL PGM(QLGCNVCS) PARM(&CASEREQ &OPINFO +
                                    &PATHNAME &OPLENIN &ERROR)
            /* Note: must check for "/public" directory by itself and    */
            /* path names starting with "/public/".                      */
            IF COND((%SUBSTRING(&PATHNAME 1 20) *NE +
                     '/QSYS.LIB/PUBLIC.LIB') *AND +
                    (&PATHNAME *NE '/PUBLIC') *AND +
                    (%SUBSTRING(&PATHNAME 1 8) *NE '/PUBLIC/')) +
               THEN(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW))
            ELSE CMD(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&ALLOW))
         ENDDO
      ENDDO
   ENDDO
   /* Not ANONYMOUS user: allow everything */
   ELSE CMD(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&ALLOW))
   END: ENDPGM

Page 70

Logon Exit Program for Anonymous FTP   1 of 2

   /********************************************************************/
   /* Sample FTP server logon exit program.                            */
   /* Note: This program is a sample only and has not undergone any    */
   /* review or testing.                                               */
   /* Additional notes:                                                */
   /* 1. When the FTP server logon exit is called, the FTP server job  */
   /*    is running under the QTCP user profile.                       */
   /* 2. For the ANONYMOUS case, users can add logging capability (for */
   /*    example, write the E-mail address entered for the password and*/
   /*    the client IP address to a log file).                         */
   /* 3. IBM recommends that you create the exit program in a library  */
   /*    with *PUBLIC authority of *EXCLUDE, and give the exit program */
   /*    itself a *PUBLIC authority of *EXCLUDE. The FTP server adopts */
   /*    authority when it is necessary to call the exit program.      */
   /********************************************************************/
   TSTLOGCL: PGM PARM(&APPIDIN &USRIN &USRLENIN &AUTIN &AUTLENIN +
                      &IPADDRIN &IPLENIN &RETCDOUT &USRPRFOUT +
                      &PASSWDOUT &CURLIBOUT)
   /* Declare input parameters */
   DCL &APPIDIN   *CHAR LEN(4)   /* Application identifier */
   DCL &USRIN     *CHAR LEN(999) /* User ID                */
   DCL &USRLENIN  *CHAR LEN(4)   /* Length of user ID      */
   DCL &AUTIN     *CHAR LEN(999) /* Authentication string  */
   DCL &AUTLENIN  *CHAR LEN(4)   /* Length of auth. string */
   DCL &IPADDRIN  *CHAR LEN(15)  /* Client IP address      */
   DCL &IPLENIN   *CHAR LEN(4)   /* IP address length      */
   DCL &RETCDOUT  *CHAR LEN(4)   /* return code (out)      */
   DCL &USRPRFOUT *CHAR LEN(10)  /* user profile (out)     */
   DCL &PASSWDOUT *CHAR LEN(10)  /* password (out)         */
   DCL &CURLIBOUT *CHAR LEN(10)  /* current library (out)  */

Page 71

Logon Exit Program for Anonymous FTP   2 of 2

   /* Declare local copies of parameters (in format usable by CL) */
   DCL VAR(&APPID)  TYPE(*DEC) LEN(1 0)
   DCL VAR(&USRLEN) TYPE(*DEC) LEN(5 0)
   DCL VAR(&AUTLEN) TYPE(*DEC) LEN(5 0)
   DCL VAR(&IPLEN)  TYPE(*DEC) LEN(5 0)
   /* Assign input parameters to local copies */
   CHGVAR VAR(&APPID)  VALUE(%BINARY(&APPIDIN))
   CHGVAR VAR(&USRLEN) VALUE(%BINARY(&USRLENIN))
   CHGVAR VAR(&AUTLEN) VALUE(%BINARY(&AUTLENIN))
   CHGVAR VAR(&IPLEN)  VALUE(%BINARY(&IPLENIN))
   CHGVAR VAR(%BINARY(&RETCDOUT)) VALUE(1)
   /* Check for ANONYMOUS user. Allow for ANONYMOUS, etc. as */
   /* regular user profile.                                   */
   IF COND(&USRLEN = 9) THEN(DO)
      IF COND(%SST(&USRIN 1 9) = 'ANONYMOUS') THEN(DO)
         /* For anonymous user: force user profile ANONYMOUS and   */
         /* current library to PUBLIC. Return code 6 continues the  */
         /* logon with the user profile and current library set by  */
         /* the exit and no password check; it is not in the table  */
         /* on page 65, which stops at 3.                           */
         CHGVAR VAR(%BINARY(&RETCDOUT)) VALUE(6)
         CHGVAR VAR(&USRPRFOUT) VALUE('ANONYMOUS ')
         CHGVAR VAR(&CURLIBOUT) VALUE('PUBLIC    ')
      ENDDO
   ENDDO
   /* Any other user: proceed with normal logon processing. */
   END: ENDPGM

Example from TCP/IP Configuration and Reference SC41-5420

Page 73

SUMMARY

Menu security is not adequate to limit a user. You must protect data from access via the other Client Access servers:

• FILE TRANSFER
• REMOTE COMMANDS
• FOLDER ACCESS

Use exit programs to block use of remote commands.

Page 74

SUMMARY

Use the Registration Facility to specify exit programs.

Specifying exit programs using network attributes is not recommended:
  Increased overhead
  Network attributes support only a limited set of exits

Page 75

If you have additional questions or want more information, please contact me.

Wayne O. Evans
Phone (520) 578-7785
[email protected]
www.WOEvans-security.com