readtech.com - Article: Changing QCRTAUT
read technologies, inc.

SkyViewPolicy Minder for OS/400
 
Upcoming WEB Event

Topics include:

  • Cutting the Cost of Compliance
  • Saving you Time

Policy Minder for i5/OS & IBM i
Risk Assessor for i5/OS & OS/400
SkyView Security Check-Up
Halcyon
RSWeb
 
How to Buy

Article:

Changing QCRTAUT

SkyView Partners Security News

by Carol Woodbury
24 MAR 2008

 

In the ongoing process of securing your system, one thing you may choose to address is the default setting of the QCRTAUT system value. Below, I begin with discussing the purpose of the QCRTAUT system value and then get into the considerations you'll want to make before changing this value.

 

What is QCRTAUT?
QCRTAUT (Create authority) provides the *PUBLIC authority setting when most i5/OS objects are created. The next time you create a new file or data area, prompt (Press F4 on) the command and look for the Authority (AUT) parameter. For most create commands, the AUT parameter defaults to the value *LIBCRTAUT. What is *LIBCRTAUT? The library that the object is being created into has an attribute called Create Authority. *LIBCRTAUT means to set the *PUBLIC authority of the object being created to the value of the library's Create authority attribute. What is the library's Create authority attribute? The default is *SYSVAL, which means that it uses the value of the QCRTAUT system value. So when an object is created, its *PUBLIC authority defaults to *LIBCRTAUT which says to look at the library's Create authority which defaults to look at the QCRTAUT system value. Because value of QCRTAUT is shipped by IBM as *CHANGE, most objects on the system are created with *PUBLIC authority *CHANGE.

Considerations before Changing QCRTAUT
Now let's look at the considerations to make prior to changing QCRTAUT. First, it should go without saying that QCRTAUT should never be changed to *ALL. However, it is appropriate to consider changing it to *USE or *EXCLUDE. When I guide clients through the process of changing QCRTAUT, we start by getting a list of all of the libraries on the system and downloading it to a spreadsheet. You can use Policy Minder to do this by creating a *LIBAUT template that includes all libraries. (Don't bother creating an object template.) Run a compliance check on this template then run the Output Compliance (OUTCPL) command from the SKYVIEWPMP library specifying STATUS(*ALL). This will create a file in the /SkyView/Policy Minder directory which you can drag onto your desktop and open with Excel.

Once you have the spreadsheet, separate the libraries into four categories - IBM / IBM licensed product libraries, vendor product libraries, application libraries and user / developer libraries. The next step is to determine whether the libraries' Create authority attribute can remain at *SYSVAL or whether it needs to be overridden with a specific value.

You can typically leave the IBM libraries with their current settings. (You will see some with their Create authority attribute set to *SYSVAL and some overridden with a specific value such as *CHANGE.) For the vendor libraries, we consider whether or not objects are being created into the libraries or whether the objects (programs, commands, files, etc) are just being utilized. If it's the latter then we leave those library settings alone as well. If objects are being created into the libraries, then you have to consider whether the vendor product will continue to work correctly if the *PUBLIC authority of the newly created objects is set to *USE or *EXCLUDE. If it won't run correctly, then you can consider changing those libraries' Create authority value to *CHANGE.

For the application libraries, you must consider whether the application's security scheme will support newly created objects with a *PUBLIC authority of *USE or *EXCLUDE. If it won't, then you'll be forced into leaving those objects created with *PUBLIC *CHANGE. To continue to have the objects created with *PUBLIC *CHANGE, set the Create authority attribute of those libraries to *CHANGE. Personal or user libraries can typically be left at *SYSVAL because it is usually the individual user accessing the objects in his or her library and the *PUBLIC authority setting won't matter.


A little known fact is that you can specify an authorization list for a library's Create authority value. I have used this feature when reworking an application's security scheme and securing the application's files with an authorization list. It works especially well when the application files are in a separate library from the application programs. I specify the authorization list name for the library's Create authority value and, from then on, all objects created into the library will be secured with that authorization list.

Carol's Tech Tip

How SkyView Policy Minder can help.

SkyView Policy Minder is an i5/OS & OS/400 security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy. Policy Minder is about "enforcing" your securitypolicy.

When creating a Library authority template (*LIBAUT) in Policy Minder, you can specify the appropriate value for the library's Create authority attribute. Then, you can run regular compliance checks to ensure that this library attribute remains set correctly. In addition, you can run compliance checks on the System value (*SYSVAL) category to ensure that the QCRTAUT system value remains set to the appropriate value.

 

SkyView Partners Solutions

Carol Woodbury's
Risk Assessor for i5/OS & OS/400:
is an i5/OS & OS/400 security diagnostic tool that performs an automated risk analysis. Risk Assessor is about “judging” your security.
Video Introduction to SkyView Risk Assessor (3:23)

  • Customers say … “Risk Assessor automatically provides an independent, comprehensive security overview and has reduced our overall audit time and expense.”

 

Carol Woodbury's
Policy Minder for i5/OS & OS/400:
is an i5/OS & OS/400 security compliance tool that provides a mechanism for comparing your systems' current settings against the requirements of your established (or desired) security policy. Policy Minder is about “enforcing” your security policy.
Video Introduction to SkyView Policy Minder (4:22)

  • Customers say … “With Policy Minder we have automated our security compliance procedure, saving us time and making sure that our desired security configuration stays in place.”

About the author

Carol Woodbury spent 16 years with IBM in Rochester, MN. She served for more than 10 years as the AS/400 Security Architect and Chief Engineering Manager of Security Technology for IBM's Enterprise Server Group. During this time Carol provided security architecture and design consultations with IBM Business Partners and large AS/400 customers. She is known worldwide as an author and speaker on security technology, specializing in OS/400 and i5/OS security issues. Carol co-authored the popular book, Experts' Guide to OS/400 and i5/OS Security from 29th Street Press, has written numerous articles on security and is a technical editor for the IBM Systems Magazine. Carol is also a subject matter expert on security for COMMON, security author for Experts Journal, contributing author on security for System iNEWS and MC Press Online and the security expert for search400.

 

SPECIAL OFFERS
Easy Online Meetings – Anytime, Anywhere
Easy Online Meetings – Anytime, Anywhere
Read Less. Learn More.
Send Faxes. Receive Faxes. Anywhere You Can Email.
Never Go To the Post Office Again

 

 

Copyright © 2000 - 2008 Read Technologies, Inc. All rights reserved.