Leen van Rij
kpmg IRM
vrije Universiteit amsterdam
31 March 2003
File 16-A AS400 architecture & security © 2003
PART 16-A
AS/400 ARCHITECTURE & SECURITY
Slide 2: Contents (LvR/VU MAR/2003)
CONTENTS
• History
• Architecture
• Application and Operating System/400 (AS/400 and OS/400)
• Physical security levels
• Logical security levels
• Object management
• Security implementation
• Special security feature
• Auditing
• (Part X. Only for the AS/400 auditor)
Note: AS/400 = hardware, OS/400 = operating system
Slide 3: Contents ...
CONTENTS
Literature, Highlights, History, Architecture, Communication support, Machine Interface AS/400, Database System, Integrated File System, Single level storage, Object oriented, Object types, Physical security, Logical security levels, Integrity checking, Special authorizations, User classes, Pre-defined user profiles, User profile, Group profile
Group structure, Object header authority, Object data authority, Object authority grouping, Public authorization, Private authority, Authorization list, Authorization check flow, Adopted security, Dedicated service tools, Journaling, Security definition interface
ONLY FOR THE AS/400 AUDITOR: Limited users, Library security, Physical versus logical file security, Authority holder, Adopted security, Journaling
Slide 4: Optional literature
OPTIONAL LITERATURE
• IBM “AS/400 System Concepts”
• IBM “AS/400 Security Concepts & Planning”
• IBM “AS/400 Guide to enabling C2 security”
• IBM “Application System/400 Technology”
• Ernst & Young “A practical approach to logical access control”, McGraw-Hill (1993) (see chapter “AS/400 access control”)
• Ernst & Young “Technical reference series: Audit, Control and Security of the IBM AS/400” (1994) (description, control objectives, audit questions)
• Fred de Koning et al. “Beveiliging en controle in een AS/400-omgeving”, Paardekooper & Hoffman (1995)
Slide 5: Optional literature ...
STRUCTURE OF: Ernst & Young AS/400 Audit Reference
• Overview
• Hardware
• Software
• Logical access path
• Utilities
• Backup and Recovery
• Objects
• Libraries
• Initial menus and programs
• System security
  » system keylock
  » system values
  » authorities
  » user and group profiles
  » authorization lists
  » etc.
• Procedural and administrative controls
• Control Concerns
• Examples
Slide 6: Security topology
TOPOLOGY OF SECURITY LAYERS (diagram)
Layers from the outside inwards:
• End user, entering through the ‘Front door’
• Network security
• Security in system/service
• Security in application
• Operating system: Trusted Computing Base (TCB, certified using US Department of Defense standards)
• Access control
• Hardware
• DATA
Around all layers: physical security of the computing center, and the computing center staff.
Measures depend upon security objectives and the enterprise’s security strategy.
Note: The security measures in the network, services and applications may use the ‘Access Control’ in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.
Slide 7: Access path within AS/400 (MEY model)
ACCESS PATH WITHIN AS/400 (diagram)
End users and MIS personnel reach the DATA through the following layers of OS/400:
• Initial menu
• OS/400 communication functions
• User profiles
• Command processors
• Application software, and tools & utilities
• OS/400 data base management functions
• DATA
Object security applies across all of these OS/400 layers.
AS/400 model, see Ernst & Young book on logical access control
Slide 8: Highlights
HIGHLIGHTS FOR THE EDP AUDITOR
1. Appropriate security levels active
2. Identification, Authentication (User and Group profiles)
3. Special Authorizations
4. Public and Specific Authorization (including Authorization list)
5. Dedicated Service Tools
6. Journaling
Slide 9: History of AS/400
HISTORY OF APPLICATION SYSTEM/400 (AS/400)
Timeline (diagram) with the years 1974, 1978, 1982, 1987 and 1995 (AS/400-Y10), showing in order: System/34, System/38, System/36, AS/400, PowerPC AS/400. Annotation on the timeline: Data Base included in OS.
Slide 10: Architecture AS/400
ARCHITECTURE AS/400 (diagram)
The system processor with its main storage is connected through Bus Control Units (BCU) to I/O Bus Units (IOBU); Bus Extension Units (BEU) extend the bus. Devices attached: display, DASD, communication, printer.
DASD = Direct Access Storage Device (disks)
BCU = Bus Control Unit
IOBU = I/O Bus Unit (Communication Controller)
BEU = Bus Extension Unit
Slide 11: Architecture AS/400 ...
ARCHITECTURE
• Until 1995, the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture
• The system processor had a 32 bit data path and a 48 bit addressing structure to address 281 terabytes
• The addressing architecture is designed to handle 64 bit addressing, which is fully implemented in the newer systems using the PowerPC architecture
Slide 12: Communication protocols
PHYSICAL CONNECTION PROTOCOLS
For communication purposes AS/400 supports on the physical layer a variety of data link and network protocols.
A standard port is used for
• ECS (Electronic Customer Support)
Optional adapters support the protocols
• ASYNC (ASYNChronous)
• BSC (Binary Synchronous Communication)
• SDLC (Synchronous Data Link Control)
• X.21, X.25, X.31, V.24, V.35 and V.36
• ISDN (Integrated Services Digital Network)
• Twinaxial Data Link Control
• Ethernet
• Token-ring
• FDDI (Fiber Distributed Data Interface)
• Wireless LAN
• Fax (V.34)
Layer diagram beside the list (from the end user downwards): Terminal / Application = End user; Transaction Services; Presentation Services; Data Flow Control; Transmission Control; Path Control; Data Link Control; Physical Control. The upper layers are labelled “logical connection”, the lower layers “physical connection”.
Slide 13: Communication protocols ...
NETWORK PROTOCOLS
To manage network access AS/400 supports the most common available network protocols.
• Asynchronous
• Binary Synchronous Communications (BSC)
• System Network Architecture (SNA)
• Advanced Peer-to-Peer Network (APPN)
• Transmission Control Protocol/Internet Protocol (TCP/IP)
• Open Systems Interconnection (OSI)
• Multiprotocol Transport Networking (MPTN)
Layer diagram beside the list as on slide 12 (Terminal / Application = End user down to Physical Control, with the logical and physical connection labels).
Slide 14: Communication protocols ...
APPLICATION COMMUNICATION PROTOCOLS
To enable applications using communication AS/400 supports call interfaces like
• Advanced Program-to-Program Communications (APPC)
• SNA Distribution Services (SNADS)
• Distributed Remote Data Access
• Open Systems Interconnection (OSI)
• Object Distribution Facility (ODF)
• Client Access/400
• Transmission Control Protocol (TCP)
• File Transfer Protocol (FTP)
• Simple Mail Transfer Protocol (SMTP)
• Simple Network Management Protocol (SNMP)
• User Datagram Protocol (UDP)
• Line Printer Requester/Line Printer Daemon Protocol
• TELNET
Layer diagram beside the list as on slide 12 (Terminal / Application = End user down to Physical Control and the physical connection).
Slide 15: Machine interface AS/400
MACHINE INTERFACE AS/400 (diagram, top to bottom)
• Applications, Utilities, Compilers
• Operating System/400 (OS/400)
• Vertical Micro Code
• Horizontal Micro Code
• Hardware
The Vertical Micro Code, Horizontal Micro Code and Hardware layers together form the High-level machine.
Slide 16: Machine interface AS/400 ...
MACHINE INTERFACE AS/400
• The AS/400 is a layered architecture machine
• To use the hardware only high-level machine instructions are available
• The high level machine instructions are understood by the VERTICAL MICROCODE layer and translated to basic machine instructions
• The basic machine instructions are implemented by the HORIZONTAL MICROCODE layer and transferred to the hardware
• The hardware layer executes the instruction
• The Vertical and Horizontal Micro Code layers together with the hardware are called the HIGH-LEVEL MACHINE
• With the PowerPC architecture there is only one layer of microcode to implement the machine interface.
Slide 17: Machine interface AS/400 ...
TRADITIONAL SYSTEM versus AS/400 (diagram)
Traditional system:
• TRADITIONAL OPERATING SYSTEM: task management, resource management, storage management, database management, security management, etc.
• TRADITIONAL HARDWARE: machine interface, hardware
AS/400:
• OPERATING SYSTEM/400 (OS/400)
• AS/400 HARDWARE (machine interface): task management, resource management, storage management, data access, database management, security management, etc.
• Hardware
The three machine layers, called the high-level machine, also provide many functions normally implemented in the Operating System
Note: Implementing functions in micro code benefits the system’s performance
LvR/VU MAR/2003Database system
INTEGRATED DATABASE SYSTEMAS/400 has an integrated Database management system. It is a BASE
feature of the AS/400• Within AS/400 Database access is only allowed by ONE Application
Programming Interface (API).• Access security will be done by this interface and there is no redundant
access control mechanisme available. There is only one focal point for access control
• The Database is designed on two concepts– The physical files, containing the data– The logical files gives the posibility to define an alternate view to the
data records and fieldsThe user, when authorized, can access the data directly from thephysical file or through the logical file
• The AS/400 Database system is also used as a physical storage by the product Data Base 2 (DB2/400) which extend the Data Base features
10
Slide 19: Database system ...
INTEGRATED DATABASE SYSTEM
The AS/400 system can be used as a Database server. To connect to the AS/400 Database, protocols from different vendors are supported. These protocols are
• Open Database Connectivity (ODBC) from Microsoft
• Data Access Language (DAL) from Apple
• Structured Query Language Connect (SQL CON) from Oracle
• Distributed Relational Database Architecture (DRDA) from IBM
Diagram: System A and System B, each with its own database (Database X, Database Y), connected to the AS/400.
Slide 20: Integrated File System
INTEGRATED FILE SYSTEM (IFS)
To extend the use of the AS/400 system, file server architectures from different vendors can be handled by the integrated file system. The integrated file system supports a set of industry standard APIs to the stream file system and the hierarchical directory. The file access protocols which are supported by AS/400 are:
• Root file system: OS/2, DOS and Windows NT compatible
• QOpenSys file system: POSIX, XPG, UNIX compatible
• QLANSrv file system: OS/2 LAN Manager compatible
Diagram: the AS/400 serving File system X and File system Y.
Slide 21: Single level storage
DIFFERENT ARCHITECTURE (diagram)
• OS/390: traditional mainframe with an address space per user (a 2 GB address space each) and separate data sets on disks (DASD)
• AS/400 - OS/400: everything in one virtual address space of 2^64 bytes = 16,000,000 terabytes, holding objects such as Object: program, Object: screen, Object: “data”
Slide 22: Single level storage ...
SINGLE LEVEL STORAGE
AS/400 provides single-level addressability of all virtual storage. This is transparent addressing, making both MAIN and AUXILIARY storage appear contiguous to an end user and an application
Diagram: the SYSTEM PROCESSOR works on MAIN STORAGE; the VAT with its DIR maps one virtual address space onto main storage and AUXILIARY STORAGE on DASD; paging moves data between the two.
VAT = Virtual Address Translation
DIR = Directory used by VAT to keep track of virtual storage contents
Note: When data or instructions are needed for execution by the system processor they are brought into main storage. When there is a shortage of main storage, the data and/or instructions not needed anymore are transferred back to auxiliary storage on DASD
Slide 23: Single level storage ...
AS/400 single-level storage gives the ability to have data storage independent of device types. All data including programs, source, data, databases etc. are mapped into this single virtual address space
AS/400 VIRTUAL ADDRESS SPACE (diagram): objects such as Program A123, Data 5RF, Command AB6, Menu 567, Menu 765, Command UY, Queue, Program A143, Program XG63, Data GFHJ, etc. etc. etc. till maximum space
Slide 24: Object oriented
OBJECT ORIENTED DESIGN
Definition: Everything on the system that can be stored or retrieved is contained in an object
The high level machine is designed to treat everything the same through the use of a generic object structure
General object structure (diagram):
• OBJECT HEADER (control information): object type, owner, public authority, etc.
• FUNCTIONAL OBJECT (data): data (e.g., data records, programs, sources, etc.)
Slide 25: Object types
OBJECT TYPES
To store information in the AS/400 system there are 73 different types of objects defined, e.g.
Type − Contents
• Library − object names (like a directory)
• Data − data records (database records)
• Program − executable programs
• Source − source of programs like COBOL, Pascal, C etc.
• User profile − userid descriptions and privileges
• Journal − logging records
• Job queue − jobs to handle
• Output queue − output from jobs
• Device description − device parameters
• Job description − job control language
Slide 26: Object administration
OBJECT ADMINISTRATION (diagram)
• An object search starts at the library QSYS, which lists LIBRARY 1, LIBRARY 2 and LIBRARY 3
• LIBRARY 1 contains OBJECT X, OBJECT Y and OBJECT Z; OBJECT Y, a DATABASE object, contains MEMBER A, MEMBER B and MEMBER C
• LIBRARY 2 contains OBJECT K, OBJECT L and OBJECT M
Slide 27: Physical security
KEYLOCK SWITCH
On the front panel of the AS/400, with a physical key (to be stored safely). Positions: Secure, Auto, Normal, Manual.

Keylock position   Power down command   Remote or timed IPL   Main switch IPL   Attended IPL
SECURE             YES                  NO                    NO                NO
AUTO               YES                  YES                   NO                NO
NORMAL             YES                  YES                   YES               NO
MANUAL             YES                  NO                    YES               YES

Note: In position MANUAL, attended IPL, special service tools are available (Dedicated Service Tools)
Slide 28: Logical security levels
LOGICAL SECURITY LEVELS
AS/400 is designed to activate different levels of security. The levels are controlled by setting the system parameter ∗QSECURITY(xx)
• 10 - no security
• 20 - userid and password checking
• 30 - object authorization verification
• 40 - application must use AS/400 call interface
• 50 - DoD C2 security
Note: to guarantee data integrity, at least the system parameter ∗QSECURITY(30) must be set by the Security administrator prior to user access to the system
Slide 29: Logical security levels ...
DESCRIPTION OF SECURITY LEVELS
• 10 - No security level at all. A user profile will automatically be defined when a user signs on
• 20 - User profile and password must be defined prior to sign on
• 30 - Like 20, but access to objects is also controlled (resource access control active). The user must have the appropriate access authority to use the resources.
• 40 - Like 30, but the machine interface cannot be used directly by the programs. It can only be used through the AS/400 call interface. All access is controlled/checked by AS/400. Journalling must be active so reports can be created
• 50 - Extends level 40 to meet DoD C2 classification. The users are only allowed to access their own objects through the AS/400 defined Application Programming Interface (API). Bypassing journalling of an object access is no longer possible
Slide 30: Integrity checking
INTEGRITY CHECKING
ISOLATION: AS/400 has system state and user state programs
Security level = 10, 20 and 30
• user and system programs can freely interact with the high-level machine
Security level = 40
• the APIs (Application Program Interface) must be used by a user program to interact with a system program
Security level = 50
• the APIs must also be used by a user program to interact with another user program
Slide 31: Integrity checking ...
INTEGRITY CHECKING (diagram of interactions between domains)
• System State Domain to System State Domain: no integrity problem
• System State Domain to User State Domain: integrity problem when not checked; API must be used with level 40
• User State Domain to User State Domain: intentionally no problem; no journalling of activities; level 50 enforces use of API in the user domain (otherwise an integrity problem)
Slide 32: Special authorizations
SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system wide authority scope. When a user is defined with a special authorization he/she is able to do
PRIVILEGE − AUTHORIZED TO DO
• ∗ALLOBJ − access every system resource
• ∗SECADM − create / change user profiles
• ∗SAVSYS − save / restore
• ∗JOBCTL − manipulate jobs on the system
• ∗SPLCTL − all spool functions
• ∗SERVICE − service functions
• ∗AUDIT − audit related functions
• ∗IOSYSCFG − change system configuration
Slide 33: User classes
USER CLASSES (diagram)
The special authorities ∗ALLOBJ, ∗SECADM, ∗SAVSYS, ∗JOBCTL, ∗SPLCTL, ∗SERVICE and ∗IOSYSCFG are grouped into the user classes ∗SECOFR, ∗SECADM, ∗SYSOPR and ∗PGMR (see the table on the next slide).
Slide 34: User classes . . .
USER CLASSES
Special authorities can be grouped together. This grouping is called a USER CLASS

Authority    ∗SECOFR   ∗SECADM   ∗SYSOPR   ∗PGMR   ∗USER
∗ALLOBJ      ∗         10/20     10/20     10/20   10/20
∗SECADM      ∗         ∗
∗SAVSYS      ∗         ∗         ∗         ∗       10/20
∗JOBCTL      ∗         ∗         ∗         ∗
∗SPLCTL      ∗
∗SERVICE     ∗
∗IOSYSCFG    ∗

Note: 10/20 refers to security level 10 and 20. When one of these is active, the ∗ALLOBJ authority is assigned to these classes automatically. The ∗ refers to security level 30, 40 and 50
Slide 35: Pre-defined user profiles
PRE-DEFINED USER PROFILES
When AS/400 is installed, there are 6 predefined user profiles available to access the system. They are used to create other user profiles to access the system. The 6 default userids are
• QSECOFR
• QPGMR
• QSYSOPR
• QSRV
• QSRVBAS
• QUSER
Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids
Slide 36: User profile
USER PROFILE (is an object)
With security level 20 or higher, the user can only access the system if there is a user profile defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile may be
• Userid
• Password
• User class
• Password expiration
• Group name (up to 16 groups)
• Special authority
• Initial program
• Accounting code
• Initial menu
• Limited capability
• Current library
(Note: This is only a partial content)
Slide 37: Authentication
AUTHENTICATION
System wide password syntax options
• QPWDMINLEN minimum length of password
• QPWDMAXLEN maximum length (up to 10 characters)
• QPWDRQDDIF new password must differ from 32 previous
• QPWDLMTCHR specify up to 10 characters not allowed for password
• QPWDPOSDIF character in new must be different from character in same position in old
• QPWDLMTREP characters not to be used more than once
• QPWDLMTAJC numbers 0 to 9 not next to one another
• QPWDVLDPGM use password syntax checker
• QPWDRQDDGT at least one numeric
Other system wide password options
• QPWDEXPITV maximum number of days the password is valid
• QMAXSIGN maximum number of unsuccessful sign-on attempts
• QDSPSGNINF display date/time of last sign-on etc. after successful sign-on
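The syntax options above, as an added example in Python (not code from the lecture or from IBM): each QPWD* system value becomes one rule, and the checker returns the names of the values a candidate password violates. The settings and passwords are constructed sample values, since the slide lists the options but not any settings.

```python
"""Password syntax checker built from the QPWD* system values listed above.

Added example, not IBM code: each system value becomes one rule, and
check_password() returns the names of the system values whose rule the
candidate breaks (an empty list means the password is accepted). The
settings below and the passwords used are constructed sample values."""

# Constructed sample settings for the syntax options on the slide.
SETTINGS = {
    "QPWDMINLEN": 6,        # minimum length
    "QPWDMAXLEN": 10,       # maximum length (up to 10 characters)
    "QPWDRQDDIF": 32,       # must differ from this many previous passwords
    "QPWDLMTCHR": "AEIOU",  # characters not allowed (up to 10)
    "QPWDPOSDIF": True,     # no character in the same position as in the old one
    "QPWDLMTREP": True,     # a character may not be used more than once
    "QPWDLMTAJC": True,     # digits may not be next to each other
    "QPWDRQDDGT": True,     # at least one numeric character
}

# Each rule: (candidate, old password or None, history newest first, settings) -> ok?
def rule_minlen(pw, old, history, s):
    return len(pw) >= s["QPWDMINLEN"]

def rule_maxlen(pw, old, history, s):
    return len(pw) <= s["QPWDMAXLEN"]

def rule_rqddif(pw, old, history, s):
    # Only the most recent QPWDRQDDIF passwords are compared.
    return pw not in history[:s["QPWDRQDDIF"]]

def rule_lmtchr(pw, old, history, s):
    return not any(c in s["QPWDLMTCHR"] for c in pw)

def rule_posdif(pw, old, history, s):
    if not s["QPWDPOSDIF"] or old is None:
        return True
    return all(a != b for a, b in zip(pw, old))

def rule_lmtrep(pw, old, history, s):
    return not s["QPWDLMTREP"] or len(set(pw)) == len(pw)

def rule_lmtajc(pw, old, history, s):
    if not s["QPWDLMTAJC"]:
        return True
    return not any(a.isdigit() and b.isdigit() for a, b in zip(pw, pw[1:]))

def rule_rqddgt(pw, old, history, s):
    return not s["QPWDRQDDGT"] or any(c.isdigit() for c in pw)

RULES = {  # in the order the slide lists the system values
    "QPWDMINLEN": rule_minlen, "QPWDMAXLEN": rule_maxlen,
    "QPWDRQDDIF": rule_rqddif, "QPWDLMTCHR": rule_lmtchr,
    "QPWDPOSDIF": rule_posdif, "QPWDLMTREP": rule_lmtrep,
    "QPWDLMTAJC": rule_lmtajc, "QPWDRQDDGT": rule_rqddgt,
}

def check_password(candidate, old=None, history=(), settings=SETTINGS):
    """Return the system values whose rule the candidate violates, in slide order."""
    history = list(history)   # newest first; only the QPWDRQDDIF most recent count
    return [name for name, rule in RULES.items()
            if not rule(candidate, old, history, settings)]

if __name__ == "__main__":
    for pw in ("PLN7TRS", "PLN77TRS", "PLNTRS", "SECRET1"):
        print(pw, check_password(pw, old="X1Y2Z3W") or "accepted")
```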
Slide 38: Group profile
GROUP PROFILE (is an object)
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile may be
• Userid (is groupname)
• Password (∗NONE)
• User class (class for group)
• Password expiration (not relevant)
• Group (∗NONE)
• Special authority (for group)
• Initial program (not relevant)
• Accounting code (not relevant)
• Initial menu (not relevant)
• Limited capability (not relevant)
• Current library (not relevant)
(Note: This is only a partial contents)
Slide 39: Group structure
GROUP STRUCTURE
• The groups are independent definitions and do not have any relation to one another
• A user can be a member of a maximum of 16 groups
Diagram:
• Group profile GROUP A: user profiles USER A1 (Group=A) and USER A2 (Group=A,B)
• Group profile GROUP B: user profiles USER A2 (Group=A,B), USER B1 (Group=B) and USER B2 (Group=B)
Slide 40: Object header authority
OBJECT HEADER AUTHORITY
AS/400 is object oriented: all stored information is contained in an object (diagram: HEADER plus functional data). There are 3 authority levels to control the header information
This authority is specific for every user-object combination. The user may have
AUTHORITY − ACCESS RIGHTS to HEADER
• ∗OBJOPR − use/look at the object information
• ∗OBJMGT − grant other users authority to use the object
• ∗OBJEXIST − totally control the object
Slide 41: Object data authority
OBJECT DATA AUTHORITY
Prior to accessing the contents of the object, the user must have at least ∗OBJOPR authority to the object. If so, data access can be controlled with five different levels
AUTHORITY − ACCESS RIGHTS to FUNCTIONAL DATA
• ∗READ − Read the entries of the functional data
• ∗ADD − Add entries to the functional data
• ∗UPD − Update entries of the functional data
• ∗DLT − Delete entries of the functional data
• ∗EXECUTE − Only execute the related program
(diagram: header plus FUNCTIONAL DATA)
Slide 42: Object authority
OBJECT AUTHORITY
To get access to the object the user needs at least access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.
Diagram: the search starts (START SEARCH) at the object header, which carries PUBLIC authority ∗OBJOPR, and continues to the data with ∗READ.
Slide 43: Object authority grouping
OBJECT AUTHORITY GROUPING (diagram of nested groups)
• ∗USE: ∗OBJOPR, ∗READ
• ∗CHANGE: ∗USE plus ∗ADD, ∗UPD, ∗DLT
• ∗ALL: ∗CHANGE plus ∗OBJMGT, ∗OBJEXIST
Slide 44: Object authority grouping . . .
OBJECT AUTHORITY GROUPING
Object header and functional data access authorities can be grouped to system defined values, controlling the access to the object

Combination   Object authority                Data authority
∗USE          ∗OBJOPR                         ∗READ
∗CHANGE       ∗OBJOPR                         ∗READ, ∗ADD, ∗UPD, ∗DLT
∗ALL          ∗OBJOPR, ∗OBJMGT, ∗OBJEXIST     ∗READ, ∗ADD, ∗UPD, ∗DLT
∗EXCLUDE      Access always denied
∗LIBCRTAUT    Access determined by the library where the object is registered
∗USER DEF     Combination defined by the user
Slide 45: Public authorization
PUBLIC AUTHORIZATION
When most of the users must have the same access authority to the object, this access authority is set into the object header. The authorization is called PUBLIC and is given to the object during creation
Diagram: OBJECT HEADER (object type, owner, PUBLIC authority ∗USE) and FUNCTIONAL DATA, accessed by all users.
Note: In this example all users have read access to this object (∗USE includes ∗OBJOPR and ∗READ)
Slide 46: Private authority
PRIVATE AUTHORITY
When a specific user must have limited or higher access rights relative to the public authority, the user’s access is administered in his/her user profile extension
USER PROFILE (is an object), diagram: header; user information; list of owned objects; list of objects the user is authorized to access, with the authority, e.g. OBJEXAMPLE ∗CHANGE (for a single user).
Note: When there is a private access definition for the object lower than the public authority, it will be marked in the object header
Slide 47: Authorization list
AUTHORIZATION LIST
Another possibility to control access is to create an authorization list. This list will be created when there are users or groups with different access rights to a group of objects
An object can be connected to this authorization list
The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted
When another object is created and it needs the same authorization scheme this newly created object can be connected to the same list
Slide 48: Authorization list ...
AUTHORIZATION LIST CONTENTS
The authorization list by itself is also an object. The list is treated as every other object in the system
AUTHORIZATION LIST (is an object), diagram: header followed by the entries
• ANJA ∗ALL
• EDWIN ∗CHANGE
• RONALD ∗USE
• LEEN ∗AUTLMGT
• ∗PUBLIC ∗EXCLUDE
The example above shows a list which can be used by an object to control its access rights. There is also a specific access control authorization defined called ∗AUTLMGT. This gives the user (or group) the ability to maintain this authorization list
Note: When the public authorization in the object specifies that the authority list will be used, the entry ∗PUBLIC will give the public authorization
Slide 49: Authorization list ...
AUTHORIZATION LIST CONNECTION
When an object is created or changed the authorization list can be specified. The architecture gives the possibility to specify only ONE list per object
Diagram: object header (object type, owner, AUTHORIZATION LIST ABC, public authority ∗AUTL) and functional data; Authorization List ABC contains ANJA ∗ALL, EDWIN ∗CHANGE, RONALD ∗USE, LEEN ∗AUTLMGT, ∗PUBLIC ∗EXCLUDE. Object authorizations are defined in Authorization List ABC.
Note: In this example the public authority is now taken from the authorization list entry ∗PUBLIC
Slide 50: Authorization check flow
AUTHORIZATION CHECK FLOW
Authorization check flow sequence:
1. Special authority of the user
2. Specific authority of the user
3. User on authorization list
4. Special authority of the group
5. Specific authority of the group
6. Group on authorization list
7. PUBLIC authority in object
8. PUBLIC on authorization list
AS/400 looks whether the user has a special authority. If there is no special authority, the next step is to look for a specific authority defined, and so on. When any authorization definition for the object is found the search stops
This mechanism is called exclusive access control and is the opposite of accumulated access control
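The eight-step search and the grouped values ∗USE, ∗CHANGE and ∗ALL from slide 44, as an added Python simulation (not code from the lecture or from OS/400). It shows the exclusive behaviour: the search stops at the first definition found, so a private ∗EXCLUDE on a user wins over the user's group, the list and the public authority. The profiles, OBJEXAMPLE and list ABC are constructed sample data that reuse names from the slides.

```python
"""Simulation of the exclusive authorization check flow and of the grouped
authority values (*USE, *CHANGE, *ALL) from the slides above.

Added example, not part of the lecture notes or of OS/400: it models the
eight-step search order and the rule that the search stops at the FIRST
definition found. Profiles, objects and list ABC are constructed sample data."""
from dataclasses import dataclass, field

# Grouped values as on the "object authority grouping" slide: header (object)
# authorities plus functional-data authorities. *AUTLMGT only manages the list.
GROUPED = {
    "*USE": {"*OBJOPR", "*READ"},
    "*CHANGE": {"*OBJOPR", "*READ", "*ADD", "*UPD", "*DLT"},
    "*ALL": {"*OBJOPR", "*OBJMGT", "*OBJEXIST", "*READ", "*ADD", "*UPD", "*DLT"},
    "*EXCLUDE": set(),
    "*AUTLMGT": set(),
}

def expand(authority):
    """A grouped value, or a *USER DEF set of individual authorities."""
    return set(GROUPED[authority]) if isinstance(authority, str) else set(authority)

@dataclass
class Profile:                # user profile or group profile (same structure)
    name: str
    special: set = field(default_factory=set)    # e.g. {"*ALLOBJ"}
    groups: list = field(default_factory=list)   # group profile names (max 16)
    private: dict = field(default_factory=dict)  # object name -> authority

@dataclass
class SysObject:
    name: str
    owner: str
    public: object = "*EXCLUDE"   # grouped value, *USER DEF set, or "*AUTL"
    autl: dict = None             # authorization list: profile or "*PUBLIC" -> authority

def find_authority(user, profiles, obj):
    """Return (step, authorities) for the first definition found (exclusive check)."""
    def lookup(profile, special_step, private_step, autl_step):
        if "*ALLOBJ" in profile.special:              # special authority: all objects
            return special_step, expand("*ALL")
        if obj.name in profile.private:               # specific (private) authority
            return private_step, expand(profile.private[obj.name])
        if obj.autl and profile.name in obj.autl:     # named on the authorization list
            return autl_step, expand(obj.autl[profile.name])
        return None
    found = lookup(user, 1, 2, 3)                     # steps 1-3: the user itself
    if found:
        return found
    for g in user.groups:                             # steps 4-6: each group in turn
        found = lookup(profiles[g], 4, 5, 6)
        if found:
            return found
    if obj.public != "*AUTL":                         # step 7: *PUBLIC in the header
        return 7, expand(obj.public)
    if obj.autl and "*PUBLIC" in obj.autl:            # step 8: *PUBLIC on the list
        return 8, expand(obj.autl["*PUBLIC"])
    return 8, set()                                   # nothing defined: no access

def may_access(user, profiles, obj, data_authority):
    """Data access needs *OBJOPR on the header plus the requested data authority."""
    _, auths = find_authority(user, profiles, obj)
    return "*OBJOPR" in auths and data_authority in auths

def build_sample():
    """Constructed sample: OBJEXAMPLE secured by authorization list ABC."""
    abc = {"ANJA": "*ALL", "EDWIN": "*CHANGE", "RONALD": "*USE",
           "LEEN": "*AUTLMGT", "*PUBLIC": "*EXCLUDE"}
    obj = SysObject("OBJEXAMPLE", owner="ANJA", public="*AUTL", autl=abc)
    profiles = {
        "STAFF": Profile("STAFF", private={"OBJEXAMPLE": "*USE"}),   # group profile
        "QSECOFR": Profile("QSECOFR", special={"*ALLOBJ"}),
        "EDWIN": Profile("EDWIN"),
        "LEEN": Profile("LEEN"),
        "KEES": Profile("KEES", groups=["STAFF"], private={"OBJEXAMPLE": "*EXCLUDE"}),
        "PIET": Profile("PIET", groups=["STAFF"]),
        "GUEST": Profile("GUEST"),
    }
    return profiles, obj

def decisions():
    """user -> (step where the search stopped, may *READ, may *UPD)."""
    profiles, obj = build_sample()
    result = {}
    for name, user in profiles.items():
        if name == "STAFF":
            continue
        step, _ = find_authority(user, profiles, obj)
        result[name] = (step, may_access(user, profiles, obj, "*READ"),
                        may_access(user, profiles, obj, "*UPD"))
    return result

if __name__ == "__main__":
    for user, (step, read, upd) in decisions().items():
        print(f"{user:8} stopped at step {step}: read={read} update={upd}")
```

KEES is denied at step 2 although his group STAFF has ∗USE, and LEEN's ∗AUTLMGT entry stops the search at step 3 without granting any data access.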
Slide 51: Adopted security
ADOPTED SECURITY
• AS/400 security allows a user to adopt the access authorization of the owner of a program
• When a user is allowed to execute a program owned by another user, the authority can be adopted
• The user then has the same access authority to the objects as the owner of it
Diagram: User A has ∗USE for program BAS (owned by User B) and ∗EXCLUDE for DATA B23. Direct access to DATA B23 by User A is not allowed; access via program BAS of user B is allowed.
Slide 52: Adopted security ...
ADOPTED SECURITY: an example (diagram)
• PROGRAM BAS: owner user B, public authority ∗USE, adopting authority active
• DATA B23: owner user B, public authority ∗EXCLUDE
User A has
• ∗EXCLUDE for data B23
• ∗USE for program BAS
Note: In this example, user B has access authority of ∗ALL to the object with data B23. User A can only access it through the program BAS
Slide 53: Adopted security: another example
ADOPTED SECURITY: another example
When a program allows adoption of the authority of the program owner, the program must be created with the command
CRTPGM PROG(B2S) USRPRF(∗OWNER)
When program adoption is active, the authority will be propagated to subsequently called programs
Diagram: User A (with ∗USE for B2S), User B, User X and DATA X24
LvR/VU MAR/2003Adopted security: another example ...
∗USE
Note: Adopted security is the only accumulated security within AS/400
ADOPTED SECURITY: another exampleUser A has• ∗USE for program B2S• ∗EXCLUDE for data X24
Owner user B Owner user B
PROGRAM B2S: call program X2UPROGRAM B2S: call program X2U
Owner user X Owner user X
PROGRAM X2UPROGRAM X2U DATA X24DATA X24
PROGRAM X2U has ALSO ∗USE authority to DATA X24
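The BAS/B23 example of slide 52 and the B2S/X2U call chain above, as an added Python simulation (not code from the lecture or from OS/400). A program created with USRPRF(∗OWNER) adds its owner to the profiles in effect, that set is passed on to the programs it calls, and the check accumulates over the set. Users, programs and data objects are constructed sample data; it is assumed that the adopted authority is dropped when the adopting program returns.

```python
"""Adopted authority through a program call stack, modelled on the BAS/B23
and B2S/X2U examples above.

Added example, not part of the lecture notes or of OS/400: a program created
with USRPRF(*OWNER) adds its owner's authority to the running process, that
authority is propagated to the programs it calls, and the process is checked
against the accumulated set of profiles (the only accumulated security in
AS/400). Users, programs and data objects are constructed sample data.
Assumed: the adopted authority is dropped when the adopting program returns."""
from dataclasses import dataclass, field

@dataclass
class Program:
    name: str
    owner: str
    adopt: bool = False                         # created with CRTPGM ... USRPRF(*OWNER)
    reads: list = field(default_factory=list)   # data objects this program reads
    calls: list = field(default_factory=list)   # programs this program calls, in order

@dataclass
class DataObject:
    name: str
    owner: str
    public: str = "*EXCLUDE"
    private: dict = field(default_factory=dict)  # user -> grouped authority

ALLOWS_READ = {"*USE", "*CHANGE", "*ALL"}        # *EXCLUDE grants nothing

def direct_authority(user, obj):
    """Authority of one profile to one object: owner has *ALL, then private, then public."""
    if user == obj.owner:
        return "*ALL"
    return obj.private.get(user, obj.public)

def can_read(profiles_in_effect, obj):
    """Adopted security accumulates: any profile in effect may supply the access."""
    return any(direct_authority(u, obj) in ALLOWS_READ for u in profiles_in_effect)

def run(user, prog, in_effect=None, trace=None):
    """Run `prog` for `user`; return (program, object, allowed, profiles in effect) per read."""
    in_effect = set(in_effect) if in_effect else {user}
    trace = [] if trace is None else trace
    if prog.adopt:
        in_effect.add(prog.owner)               # adopt the program owner's authority
    for obj in prog.reads:
        trace.append((prog.name, obj.name, can_read(in_effect, obj), tuple(sorted(in_effect))))
    for callee in prog.calls:
        run(user, callee, in_effect, trace)     # adoption propagates to called programs
    return trace                                # local copy: adoption ends when prog returns

def build_sample():
    """Constructed objects and programs from the two slide examples."""
    b23 = DataObject("DATA B23", owner="B")                                   # public *EXCLUDE
    x24 = DataObject("DATA X24", owner="X", private={"A": "*EXCLUDE", "B": "*USE"})
    bas = Program("BAS", owner="B", adopt=True, reads=[b23])
    x2u = Program("X2U", owner="X", reads=[x24])                             # does not adopt
    b2s = Program("B2S", owner="B", adopt=True, calls=[x2u])
    return {"BAS": bas, "B2S": b2s, "X2U": x2u}, {"B23": b23, "X24": x24}

def scenario():
    """User A's access to the data, directly and through the adopting programs."""
    progs, objs = build_sample()
    via_b2s = run("A", progs["B2S"])[0]          # the single read happens inside X2U
    return {
        "A reads DATA B23 directly": can_read({"A"}, objs["B23"]),
        "A runs BAS, BAS reads DATA B23": run("A", progs["BAS"])[0][2],
        "A runs B2S, B2S calls X2U, X2U reads DATA X24": via_b2s[2],
        "A calls X2U directly, X2U reads DATA X24": run("A", progs["X2U"])[0][2],
        "profiles in effect inside X2U when called from B2S": via_b2s[3],
    }

if __name__ == "__main__":
    for question, answer in scenario().items():
        print(f"{question}: {answer}")
```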
Slide 55: Dedicated Service Tools
DEDICATED SERVICE TOOLS
Dedicated service tools are used to solve problems occurring in the licensed internal code and to work with disk configurations. To use these tools the system must be IPLed in attended mode with the key lock in position MANUAL. There are three levels of DST authorization
• SECURITY: used by the security officer to do all DST functions and change the DST passwords
• FULL: to use all DST functions except DST password changes
• BASIC: to use DST functions not affecting sensitive data
Note: The security officer must change the DST passwords after installing the system. With the CHGDSTPWD command the DST passwords can be reset
LvR/VU MAR/2003Journaling
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types
AS/400SECURITY EVENT
AS/400SECURITY EVENT
Journal activatedwith system value
QAUDJRN (∗JRN)
Journal activatedwith system value
QAUDJRN (∗JRN)
Journal level activated with system values e.g.∗AUTFAIL ∗PGMFAIL
Journal level activated with system values e.g.∗AUTFAIL ∗PGMFAIL
Security officerJournal receiver
USERRECV
Security officerJournal receiver
USERRECV
JOURNALING
29
Slide 57: Security definition interface
SECURITY DEFINITION INTERFACE
Menu interface (started with GO SECURITY)
Command interface
CRTUSRPRF   Create user profile
CHGUSRPRF   Change user profile
DLTUSRPRF   Delete user profile
DSPUSRPRF   Display user profile
CHGPWD      Change password
DSPAUTUSR   Display authorized users
CHGPRF      Change profile (normal users)
WRKUSRPRF   Work with user profile
Panel “Define User Profile” with the fields User Profile, Password, Password Expired, User Class, Current library, Initial Program, Initial Menu, and a command line (==> command)
LvR/VU MAR/2003ONLY FOR THE AS/400 AUDITOR
PART X
ADDITIONAL INFORMATION
ONLY FOR THE AS/400 AUDITOR
PART X
ADDITIONAL INFORMATION
ONLY FOR THE AS/400 AUDITOR
30
LIMITED USERS
Restrictions can be defined in the user profile with the so-called limited capability parameter (LMTCPB)
Users can be prevented from changing their initial menu, initial program and current library. When a user signs on, the user profile may specify an initial menu to display or a program to execute. With limited capability = *YES the signed-on user can only use that menu structure or can only execute the defined program, and cannot enter commands on a command line
When a user is *PARTIAL limited (also defined in the user profile) the user may change the initial menu and is allowed to issue commands from the command line, but still cannot change the initial program or current library
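The command interface above and the limited-capability setting, as one added CL example that is not from the slides. The profile name ACCTCLK, library ACCTLIB, menu ACCTMENU and the command PRTBAL are assumptions; the commands and parameters are the standard OS/400 ones.

```cl
/* Added example (not from the slides). ACCTCLK, ACCTLIB, ACCTMENU and    */
/* PRTBAL are assumed names.                                               */

/* 1. Create a menu-only user: initial menu, no initial program, no        */
/*    command line (LMTCPB(*YES)), no special authorities, and a password  */
/*    that must be changed at the first sign-on (PWDEXP(*YES)).            */
CRTUSRPRF USRPRF(ACCTCLK) PASSWORD(TEMP9999) PWDEXP(*YES) +
          USRCLS(*USER) SPCAUT(*NONE) +
          CURLIB(ACCTLIB) INLPGM(*NONE) INLMNU(ACCTLIB/ACCTMENU) +
          LMTCPB(*YES) TEXT('Accounts clerk - menu only')

/* 2. With LMTCPB(*YES) the only commands accepted on a menu command line  */
/*    are those marked ALWLMTUSR(*YES); IBM ships SIGNOFF, SNDMSG, DSPMSG, */
/*    DSPJOB, DSPJOBLOG, STRPCO and WRKMSG that way. To let limited users  */
/*    run one application command as well, mark that command:              */
CHGCMD CMD(ACCTLIB/PRTBAL) ALWLMTUSR(*YES)

/* 3. *PARTIAL: the user may change the initial menu and use the command   */
/*    line, but not the initial program or current library.                */
CHGUSRPRF USRPRF(ACCTCLK) LMTCPB(*PARTIAL)

/* 4. Verify: the basic display shows LMTCPB, INLPGM, INLMNU and SPCAUT.   */
DSPUSRPRF USRPRF(ACCTCLK) TYPE(*BASIC)
```

For an audit, the same DSPUSRPRF with OUTPUT(*OUTFILE) over USRPRF(*ALL) gives one record per profile, so every profile whose LMTCPB is *NO but whose user class is *USER can be listed in one query.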
LIBRARY SECURITY
A library is used to record the existence of objects. Libraries are themselves objects, and to find out that an object exists a user needs at least *USE authority to the library in order to search the objects it describes
Set the public authority for the objects in the library as high as necessary, and set the public authority for the library itself to *EXCLUDE
Authority to the library is then given to individual users (private authority)
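The library-level protection described above, as an added CL example that is not from the slides. Library APPLIB, file CUSTMAST and the users CLERK1 and CLERK2 are assumed names.

```cl
/* Added example (not from the slides). APPLIB, CUSTMAST, CLERK1 and       */
/* CLERK2 are assumed names.                                               */

/* The library: public *EXCLUDE. CRTAUT sets the default public authority  */
/* for objects created in this library later, so the "as high as          */
/* necessary" rule for the objects does not depend on each programmer.     */
CRTLIB LIB(APPLIB) AUT(*EXCLUDE) CRTAUT(*USE) TEXT('Application library')

/* An object inside: public authority as high as necessary, no higher.     */
CRTPF FILE(APPLIB/CUSTMAST) RCDLEN(200) AUT(*USE)

/* Private authority to the library for the individual users that need it. */
/* Without it a user cannot even establish that CUSTMAST exists.           */
GRTOBJAUT OBJ(QSYS/APPLIB) OBJTYPE(*LIB) USER(CLERK1 CLERK2) AUT(*USE)

/* Review who can reach the library and the object.                        */
DSPOBJAUT OBJ(QSYS/APPLIB) OBJTYPE(*LIB)
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)
```

Note that the library only controls finding the object; a user who already holds a private authority to CUSTMAST and is later given *USE to APPLIB gets whatever that private authority allows, so both displays belong in the review.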
LIBRARY SECURITY (figure)
Library A: owner user A, public authority *EXCLUDE; user B (and user C) has *USE authority to the library
Objects A, B, C etc. in library A: owner user A, public authority *USE; their data is reached only through the library
PHYSICAL VERSUS LOGICAL FILE SECURITY
A physical file, which contains the physical records, can be accessed directly by users or indirectly through a logical file definition. A logical file definition can present a different view of the physical data
In the following example the physical file object P cannot be accessed directly, because the user has no authority to its header (object) information
By giving a user access to a logical file with a particular view of the physical data, the user gets access only to that part of the data
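The logical-file view from the example, as an added CL example that is not from the slides. Library APPLIB, the physical file P with fields FLDA, FLDB, FLDX and FLDY, the logical file L1 and user CLERK1 are assumed names; P is assumed to exist already. The authority rule the example relies on is that a user opening a logical file needs *OBJOPR to the logical file, while the data rights (*READ, *ADD, ...) are checked on the physical file it is built over.

```cl
/* Added example (not from the slides). APPLIB, P, L1, FLDA..FLDY and     */
/* CLERK1 are assumed names; P is assumed to exist.                        */

/* DDS for L1 (member L1 in APPLIB/QDDSSRC): record format PREC over P,    */
/* listing only the fields the view may show (fields A and B):             */
/*      A          R PREC                      PFILE(APPLIB/P)             */
/*      A            FLDA                                                  */
/*      A            FLDB                                                  */
CRTLF FILE(APPLIB/L1) SRCFILE(APPLIB/QDDSSRC) SRCMBR(L1) AUT(*EXCLUDE)

/* Physical file P: take *OBJOPR away from *PUBLIC, so nobody can open P   */
/* directly, but grant the data rights that are checked when the data is   */
/* reached through a logical file. GRTOBJAUT with specific values adds to  */
/* whatever is already there, hence *EXCLUDE first.                        */
GRTOBJAUT OBJ(APPLIB/P) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(APPLIB/P) OBJTYPE(*FILE) USER(*PUBLIC) +
          AUT(*READ *ADD *UPD *DLT)

/* Logical file L1: *OBJOPR (with *READ, for a read-only view) is what     */
/* CLERK1 needs on the logical file itself.                                */
GRTOBJAUT OBJ(APPLIB/L1) OBJTYPE(*FILE) USER(CLERK1) AUT(*OBJOPR *READ)

/* Result: CLERK1 can open L1 and sees FLDA and FLDB only; opening P       */
/* directly fails with "not authorized to object" (an AF entry in QAUDJRN  */
/* when *AUTFAIL is audited). Review both objects:                         */
DSPOBJAUT OBJ(APPLIB/P) OBJTYPE(*FILE)
DSPOBJAUT OBJ(APPLIB/L1) OBJTYPE(*FILE)
```

A second logical file with fields X and Y and public *CHANGE, as in the figure, is created the same way from its own DDS member; the user population of each view is then whatever the authorities on that logical file say.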
PHYSICAL VERSUS LOGICAL FILE SECURITY (figure)
Logical file object L1: public authority *OBJOPR; its data description spec selects the records with fields A and B from physical file P
Logical file object L2: public authority *CHANGE; its data description spec selects the records with fields X and Y from physical file P
Physical file P: public authority *NONE; its data description spec describes all records and fields, and holds the data
AUTHORITY HOLDER
AS/400 gives the opportunity to set up the authority for an object before the object is created. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object; it is connected to the object's data part when the data is created
AUTHORITY HOLDER (figure)
Object header created in advance, public authority *USE
Data created in the future, connected to the header when the data is created
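Creating and reviewing an authority holder, as an added CL example that is not from the slides. Library APPLIB, file ORDHIST and the profiles ORDAPP and AUDITOR are assumed names. Authority holders apply to program-described database files, which is why the object type is *FILE.

```cl
/* Added example (not from the slides). APPLIB, ORDHIST, ORDAPP and        */
/* AUDITOR are assumed names.                                              */

/* 1. The holder: a header for a file that does not exist yet. Public      */
/*    authority is fixed here, before any application creates the file.    */
CRTAUTHLR OBJ(APPLIB/ORDHIST) OBJTYPE(*FILE) AUT(*EXCLUDE)

/* 2. Private authorities are granted to the holder itself (*AUTHLR).      */
GRTOBJAUT OBJ(APPLIB/ORDHIST) OBJTYPE(*AUTHLR) USER(ORDAPP) AUT(*CHANGE)
GRTOBJAUT OBJ(APPLIB/ORDHIST) OBJTYPE(*AUTHLR) USER(AUDITOR) AUT(*USE)

/* 3. When the file is created (by the application, or here by hand) the   */
/*    holder is linked to it and its authorities apply to the file.        */
CRTPF FILE(APPLIB/ORDHIST) RCDLEN(120)

/* 4. Review: all holders on the system (unlinked ones are the ones still  */
/*    waiting for a file), and the authorities the new file ended up with. */
DSPAUTHLR
DSPOBJAUT OBJ(APPLIB/ORDHIST) OBJTYPE(*FILE)

/* 5. A holder that is no longer wanted is deleted; a file already linked  */
/*    to it keeps its own authorities.                                     */
DLTAUTHLR OBJ(APPLIB/ORDHIST)
```

From the auditor's side the interesting output is DSPAUTHLR: holders that have been sitting unlinked for a long time, or holders with a generous public authority, decide the security of files nobody has created yet.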
ADOPTED SECURITY: AN EXAMPLE (figure)
Data B23: owner user B, public authority *EXCLUDE
Program BAS: owner user B, public authority *USE, adopting authority active
User A has *EXCLUDE for data B23 and *USE for program BAS
Note: In this example user B has *ALL authority to the object with data B23. User A can only access it through the program BAS, which adopts the authority of its owner B while it runs
ADOPTED SECURITY: SEARCH SEQUENCE
The program that a call finds as "program A" depends on the library list sequence. When program B calls program A by its unqualified name, program A is found in library B
If library A is placed in front of library B in the library list, a program A in the other library is found instead, which can result in the execution of a program that was not intended, with unpredictable results such as a security breach
Figure: search sequence 1: library B containing program A and program B, then library A containing program A. Search sequence 2: library A containing program A, then library B containing program A and program B
ADOPTED SECURITY
To eliminate the possibility of using the library sequence, the program call should supply the library name by using the qualified name in the CALL command:
CALL PGM(B/A)
Program A will then only be taken from library B
Another way to eliminate this security problem is not to call the program but to transfer control (TFRCTL) to program A
With TFRCTL program B leaves the call stack before program A starts, so program A will not adopt the authorization of user B. This can only be done when it is appropriate for the program logic flow
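The adopting program from the example, the qualified CALL and the TFRCTL alternative, as one added CL example that is not from the slides. Library LIBB, the source file and member names, user B and the program names BAS and A are assumed; BAS is assumed to be a CL program. The USEADPAUT(*NO) step goes beyond the slides: it is a program attribute that stops a program from using authority adopted by programs earlier in the call stack.

```cl
/* Added example (not from the slides). LIBB, QCLSRC, BAS, A, B23 and      */
/* user B are assumed names.                                               */

/* 1. Compile BAS so that it runs with its owner's authority added         */
/*    (USRPRF(*OWNER)), and make user B the owner without leaving the      */
/*    compiling profile's authority behind.                                */
CRTBNDCL PGM(LIBB/BAS) SRCFILE(LIBB/QCLSRC) SRCMBR(BAS) +
         USRPRF(*OWNER) USEADPAUT(*YES) AUT(*USE)
CHGOBJOWN OBJ(LIBB/BAS) OBJTYPE(*PGM) NEWOWN(B) CUROWNAUT(*REVOKE)

/* Data B23: only its owner B (*ALL) may touch it directly; everyone else  */
/* reaches it through BAS.                                                 */
GRTOBJAUT OBJ(LIBB/B23) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)

/* 2. Inside BAS, calls are qualified so that the library list cannot      */
/*    redirect them to another program A (the search sequence problem):    */
/*       CALL PGM(LIBB/A)                                                  */
/*    and where the logic allows it, control is handed over instead, so    */
/*    that A does not run with B's adopted authority:                      */
/*       TFRCTL PGM(LIBB/A)                                                */

/* 3. Beyond the slides: the called program can also refuse any adopted    */
/*    authority that programs higher in the call stack would pass on.      */
CHGPGM PGM(LIBB/A) USEADPAUT(*NO)

/* 4. Audit: which programs adopt B's authority, and does BAS adopt at all */
/*    (DSPPGM shows "User profile" and "Use adopted authority").           */
DSPPGMADP USRPRF(B)
DSPPGM PGM(LIBB/BAS)
```

DSPPGMADP over the owners of sensitive data (and over QSECOFR) is the quick check for adopting programs, and CHGPGM can switch USRPRF back to *USER without a recompile if a program should never have adopted.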
JOURNALING
To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library QSYS, acts as an intermediary between the system and the receiver
The journal receiver is the object that will hold journal entries and can be defined by the security officer using his/her own naming conventions
The journal is created and auditing is activated with the following command and system values:
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(USERRECV)
QAUDJRN(*JRN)
QAUDLVL(*AUTFAIL *PGMFAIL)
To set the level of journaling the system value QAUDLVL must be set. Possible values are *NONE, *AUTFAIL, *SAVRST, *DELETE, *SECURITY, *CREATE, *OBJMGT and *PGMFAIL
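Setting up the audit journal and retrieving entries selectively (the earlier Journaling slide), as one added CL example that is not from the slides. The receiver name USERRECV is the slides' own; the receiver library QGPL and the output file name AUDAF are assumptions. The slides show the older QAUDJRN(*JRN) system value; on later releases the switch is the QAUDCTL system value, which is what the example uses.

```cl
/* Added example (not from the slides). USERRECV is the slides' receiver   */
/* name; QGPL and AUDAF are assumed names.                                 */

/* 1. The receiver first (it holds the entries), then the journal in QSYS. */
/*    Public *EXCLUDE on both: only the security officer reads the audit   */
/*    trail. THRESHOLD is in KB; with MNGRCV(*SYSTEM) the system attaches  */
/*    a fresh receiver when it is reached, and DLTRCV(*NO) keeps the old   */
/*    ones until they have been saved.                                     */
CRTJRNRCV JRNRCV(QGPL/USERRECV) THRESHOLD(100000) AUT(*EXCLUDE) +
          TEXT('Security audit receiver')
CRTJRN JRN(QSYS/QAUDJRN) JRNRCV(QGPL/USERRECV) MNGRCV(*SYSTEM) +
       DLTRCV(*NO) AUT(*EXCLUDE) TEXT('Security audit journal')

/* 2. Choose what is audited, then switch auditing on.                     */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*AUTFAIL *PGMFAIL *SECURITY *DELETE')
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL')

/* 3. Selective retrieval: authority failures (entry type AF) from the     */
/*    current receiver chain. The IBM model output file QASYAFJ4 gives the */
/*    AF-specific record layout, so the entries can be queried by field.   */
CRTDUPOBJ OBJ(QASYAFJ4) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(QGPL) +
          NEWOBJ(AUDAF)
DSPJRN JRN(QSYS/QAUDJRN) RCVRNG(*CURCHAIN) ENTTYP(AF) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) OUTFILE(QGPL/AUDAF) +
       ENTDTALEN(*CALC)

/* 4. State check for the auditor: attached receiver and chain, and the    */
/*    two system values that decide whether anything is being recorded.    */
WRKJRNA JRN(QSYS/QAUDJRN)
DSPSYSVAL SYSVAL(QAUDCTL)
DSPSYSVAL SYSVAL(QAUDLVL)
```

Each entry type has its own model file in QSYS (QASYxxJ4 for the *TYPE4 layout), so the same CRTDUPOBJ and DSPJRN pair, with another ENTTYP, gives a typed output file for program failures, deletions or security changes as well.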