Here is your IBM i security tip for September, 2008 from SkyView
Partners, Inc., World Class i5/OS and OS/400 Security Experts.
While many organizations are gaining control over the assignment of
special authorities, many others continue to allow users to have more
capabilities than are required to perform their job function.
So, are your special authorities out of control?
Managing Special Authorities
Why the fuss about special authorities? Skipping a discussion of
*ALLOBJ for the moment, special authorities provide the user with the
capability to perform some specialized function. If that capability
falls outside of their job's responsibilities, they shouldn't have the
special authority. Assigning users only the capabilities sufficient
to perform their job functions is a requirement of several laws and
regulations (including PCI Data Security Standards). In addition, it
makes good business sense that you don't give someone capabilities that
they don't need.
*ALLOBJ is slightly different. Users assigned *ALLOBJ special authority
can access all objects. Once you assign a user *ALLOBJ, they cannot
be prevented from accessing any object on the system. I heard the other
day of an administrator trying to restrict programmers' access to several
libraries. However, they had been assigned *ALLOBJ. Given the way
i5/OS performs its authority checks, users with *ALLOBJ will always
have access to an object. Attempting to restrict their access was a
waste of time.
Why are special authorities out of control? Because most profiles are
not created from "scratch." Most profiles are created by copying
another profile. If the original profile has more special authorities
than necessary, after the profile is copied, the new profile will also
have those additional special authorities.
What are Special Authorities?
Here are the capabilities (special authorities) you can grant users
and the functions they provide:
| Special authority | Capability it provides |
| --- | --- |
| *AUDIT | Configuration of i5/OS auditing attributes |
| *IOSYSCFG | Communications configuration and management |
| *JOBCTL | Management of any job on the system |
| *SAVSYS | Ability to save and restore any object on the system, or the entire system, regardless of authority to the object |
| *SECADM | Create/Change/Delete user profiles |
| *SERVICE | Ability to use Service Tools, perform a service trace, debug another user's job |
| *SPLCTL | Access to every spooled file on the system regardless of authority to the outq (the "*ALLOBJ" of spooled files) |
| *ALLOBJ | Access to EVERY object on the system. It is not possible to prevent an *ALLOBJ user from accessing an object!!! |
Taking Control of Special Authorities
The best way to rework the assignment of special authorities is
to first assign users to a role. Typical roles include system administrator,
operators, programmers, change control administrator, database administrators,
analysts, and end users. Next, list the tasks each role typically performs.
Finally, list the special authorities required by each task. This determines
what special authorities each role requires.
Carol's Tech Tip
How SkyView Policy Minder Can Help
One of the jobs that many of our clients have is to keep track of which
profiles have *ALLOBJ (as well as the other special authorities). Typically
this involves numerous steps to gather the current list of profiles,
compare it to a list gathered at a previous time, and check for
differences. This manual process is very time consuming (and
generally quite boring!)
But you can use SkyView Policy Minder to automate the discovery and
comparison and get rid of the manual process and visual comparison (which
are all susceptible to error, anyway).
To detect when a user has been assigned a special authority they shouldn't have,
there are two ways that Policy Minder can help. First, define a template
that includes all users of a particular user class (such as *SECOFR
or *USER) or of a specific group, and specify which special authorities
the users in that user class or group are to have. For example, you may
specify that all users in the *SYSOPR user class are to have *SAVSYS
and *JOBCTL special authorities. When you run a compliance check, the
special authorities assigned to the profiles belonging to the specified
user class or group are checked against the template (policy) you created. Any
profile whose special authorities don't match the policy will be flagged
as being out of compliance with the policy.
The second way that you can check special authorities with Policy Minder
is to create a slightly different user profile template. In this template
you include all users that have a specific special authority, for example
*ALLOBJ. Then you specify *NO for the attribute "Allow new user
profile." The first time you run a compliance check, it establishes
the baseline of all users that currently have the special authority
(in our example, *ALLOBJ). The next time you run a compliance check,
any profile that has been created with, changed to have, or restored
with *ALLOBJ assigned will be flagged as "*NEW" and, therefore,
out of compliance. This method is especially helpful in keeping track
of the very powerful special authorities such as *ALLOBJ, as well as
the special authorities auditors may want to limit, such as *AUDIT.
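The two checks described above (the role template check and the baseline comparison for a single special authority), together with the role-to-authorities mapping from "Taking Control of Special Authorities", can be reproduced with a short script when you want to see the logic end to end. The following is an added example written for this tip; it is not code from SkyView Policy Minder or from IBM. The profile records are constructed sample data in the shape you would get by exporting user profiles (for example with DSPUSRPRF to an outfile); the profile names, the *PGMR/*USER/*SECADM policy entries, and the baseline set are assumptions for illustration. The *SYSOPR entry (*SAVSYS and *JOBCTL) follows the example in the text.

```python
"""Check IBM i special authorities against a role policy and against a baseline.

Added example, not vendor code. SAMPLE_PROFILES, ROLE_POLICY entries other
than *SYSOPR, and the baseline set are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Role policy: the special authorities each user class is supposed to have.
# *SYSOPR -> *SAVSYS + *JOBCTL is the tip's own example; the rest are
# assumptions for this example, not IBM defaults.
ROLE_POLICY: Dict[str, Set[str]] = {
    "*SECOFR": {"*ALLOBJ", "*SECADM", "*AUDIT", "*IOSYSCFG",
                "*JOBCTL", "*SAVSYS", "*SERVICE", "*SPLCTL"},
    "*SECADM": {"*SECADM"},
    "*SYSOPR": {"*SAVSYS", "*JOBCTL"},
    "*PGMR": set(),
    "*USER": set(),
}

# Constructed sample export: (profile name, user class, special authorities).
SAMPLE_PROFILES: List[Tuple[str, str, str]] = [
    ("QSECOFR", "*SECOFR",
     "*ALLOBJ *SECADM *AUDIT *IOSYSCFG *JOBCTL *SAVSYS *SERVICE *SPLCTL"),
    ("OPER1", "*SYSOPR", "*SAVSYS *JOBCTL"),
    ("OPER2", "*SYSOPR", "*SAVSYS *JOBCTL *ALLOBJ"),  # copied from a too-powerful profile
    ("PGMR1", "*PGMR", "*NONE"),
    ("PGMR2", "*PGMR", "*ALLOBJ *JOBCTL"),
    ("USER1", "*USER", "*NONE"),
]


def parse_special_authorities(field: str) -> Set[str]:
    """Turn the space-separated authority list into a set; *NONE means empty."""
    values = set(field.split())
    return set() if values == {"*NONE"} else values


def check_against_role_policy(profiles, policy=ROLE_POLICY) -> Dict[str, Set[str]]:
    """Template check: return {profile: excess authorities} for every profile
    holding more than its user class allows. A class missing from the policy
    is treated as allowing no special authorities at all."""
    findings: Dict[str, Set[str]] = {}
    for name, user_class, spcaut in profiles:
        allowed = policy.get(user_class, set())
        excess = parse_special_authorities(spcaut) - allowed
        if excess:
            findings[name] = excess
    return findings


def holders_of(profiles, authority: str) -> Set[str]:
    """Names of the profiles that currently hold the given special authority."""
    return {name for name, _, spcaut in profiles
            if authority in parse_special_authorities(spcaut)}


def compare_with_baseline(baseline: Set[str], current: Set[str]) -> Dict[str, Set[str]]:
    """Baseline check: profiles that gained (*NEW) or lost (*REMOVED) the
    authority since the baseline run."""
    return {"*NEW": current - baseline, "*REMOVED": baseline - current}


if __name__ == "__main__":
    for prof, extra in sorted(check_against_role_policy(SAMPLE_PROFILES).items()):
        print(f"OUT OF COMPLIANCE {prof}: {' '.join(sorted(extra))}")
    # Constructed baseline: the *ALLOBJ holders recorded on the first run.
    baseline = {"QSECOFR", "PGMR2"}
    diff = compare_with_baseline(baseline, holders_of(SAMPLE_PROFILES, "*ALLOBJ"))
    print("*NEW *ALLOBJ holders:", sorted(diff["*NEW"]))
```

Run as-is, the role check flags OPER2 (extra *ALLOBJ) and PGMR2 (*ALLOBJ and *JOBCTL), and the baseline comparison reports OPER2 as a *NEW *ALLOBJ holder because it was not in the recorded baseline. Either finding is the point at which to ask whether the profile was copied from one that had more special authorities than the role needs.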
SkyView Partners Solutions
- With Risk Assessor you get comprehensive, easy-to-understand,
easy-to-produce and unbiased diagnostic reports that quite frankly
no other product in the marketplace will produce.
- With Policy Minder, you take the time out of managing and
fixing the implementation details of your security policy,
as well as taking the guesswork out of your security compliance
status.
About the author
Carol Woodbury spent 16 years with IBM in Rochester, MN. She served
for more than 10 years as the AS/400 Security Architect and Chief
Engineering Manager of Security Technology for IBM's Enterprise Server
Group. During this time Carol provided security architecture and design
consultations with IBM Business Partners and large AS/400 customers.
She is known worldwide as an author and speaker on security technology,
specializing in OS/400 and i5/OS security issues. Carol co-authored
the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has
written numerous articles on security and is a technical editor for
the IBM Systems Magazine. Carol is also a subject matter expert on
security for COMMON, security author for Experts Journal, contributing
author on security for System iNEWS and MC Press Online and the security
expert for search400.