2010 db security
Post on 22-Dec-2014
OS/400 SECURITY
Data Base Security
Presented by Wayne O. Evans
OS/400 Security DISCLAIMER
The security recommendations and any program source are offered "AS IS" for your consideration. Wayne O Evans Consulting makes no warranties or representations as to the quality of the examples. ALL WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE SPECIFICALLY DISCLAIMED.
REPRODUCTION
Permission is granted to make a limited number of copies of this material for non-commercial purposes provided this page and the title page are included with all copies.
iSeries, AS/400 and OS/400 are registered trademarks of the IBM Corporation.
Wayne O Evans
5677 W Circle Z St
Tucson, AZ 85713
Tel (520)-578-7785
WOEvans@aol.com
DB Security Outline
Logical Files
Column Level Security
DB Exit Programs
Protect Sensitive Data
NAME    SALARY  DEPARTMENT
ELLEN   50,000  Accounting
NEIL    40,000  Legal
TRACEY  20,000  Management
TROY    45,000  Finance
Limited access
Production files may contain sensitive and less sensitive data.
Hide Sensitive Fields
View or Logical File (logical file with the sensitive fields removed):
NAME    DEPARTMENT
Table or Physical File:
NAME    SALARY  DEPARTMENT
ELLEN   50,000  Accounting
NEIL    40,000  Legal
TRACEY  20,000  Management
TROY    45,000  Finance
Prevent Access to Physical File
Table or Physical File:
NAME    SALARY  DEPARTMENT
ELLEN   50,000  Accounting
NEIL    40,000  Legal
TRACEY  20,000  Management
TROY    45,000  Finance
*PUBLIC: *READ *ADD *UPD *DLT (data authorities only, no *OBJOPR)
*OBJOPR authority is required to open a file. To prevent access to the sensitive fields, do not give users *OBJOPR to the physical file.
Allow Access to Logical File
*OBJOPR authority is required to open a file. To allow access to the non-sensitive fields, give users *OBJOPR to the logical file.
View or Logical File:
NAME    DEPARTMENT
*PUBLIC: *OBJOPR *READ *ADD *UPD *DLT
Logical Files
Logical files use system security to protect fields
Protects all interfaces
May require several logical files when different fields are given to different groups of users.
DB Security Outline
Logical Files
Column Level Security
DB Exit Programs
Column Level Security
NAME    SALARY  DEPARTMENT
ELLEN   50,000  Accounting
NEIL    40,000  Legal
TRACEY  20,000  Management
TROY    45,000  Finance
Limited access
Column level security provides a way to limit update and reference access
Read level access not supported yet
Column-Level Security: Current Alternatives
Application program code limits access: programs prevent access to data base objects
PROS: More flexible security checking
CONS: Not enforced on all interfaces; extra programming required
Column-Level Security: Current Alternatives
Logical files or SQL views: the files created "hide" sensitive columns
PROS: System does the work
CONS: Not enforced on all interfaces; overhead of creating a logical file for each different view
Column-Level Security: Current Alternatives
Stored procedures for ODBC access: stored procedures use adopted authority to gain access
PROS: More flexible security checking
CONS: Not enforced on all interfaces; extra programming required
Column Level Security
SQL statements GRANT and REVOKE define column level authorities
CL command DSPOBJAUT is used to display column level authorities
Column Level Security
The data base administrator enters STRSQL and then, on the SQL entry screen, enters:
CREATE TABLE myfile (name CHAR(40), salary INTEGER, department CHAR(50))
GRANT SELECT,UPDATE(name) ON TABLE myfile TO public
GRANT SELECT,UPDATE(name, department) ON TABLE myfile TO woepgmr
DSPOBJAUT MYFILE *FILE
F16 - shows field level authorities (Field Authorities display)
Column Level Security
Column level authorities are stored with the file
Restoring user profiles will not restore column level authority
Column level authority is enforced on the update operation (the update is rejected only when the restricted column is modified)
Object Permissions (GUI: right-click the object and click Permissions)
Column Level Security V4R2
Point and click on the checkbox to modify column security
DB Security Outline
Logical Files
Column Level Security
DB Exit Programs
  Overview
  Sample Exit Programs
  iSeries Navigator (File Transfer and ODBC)
  FTP
Many Ways to Transfer Data
DDM - Distributed Data Management
FTP - File Transfer Protocol
Client Access File transfer
ODBC
Need to Limit User Access
Users are authorized to data because of existing applications
A need exists to prevent users from using that access outside of the applications
EXIT PROGRAMS provide a way to screen user actions
Exit Programs
Registration Facility
Exit Program Overview
Identifying Exit Programs
The exit program supplements existing object security.
• Network attributes - DDMACC - PCSACC
  Request -> server -> exit program (EXIT1, named in DDMACC or PCSACC) -> 1 = ok, perform the request; 0 = no
• Registration facility - WRKREGINF
  Each exit point QIBM_... -> its own exit program(s)
Exit Programs Supplement Object Level Security
EXIT PROGRAMS
Prevent specific operations: file transfer, remote commands
Restrict access to specific libraries
Monitor use: record activity for usage analysis
Exit Program Flow
1. SOURCE system sends a request to the AS/400 (TARGET system)
2. AS/400 calls the exit program named in network attribute DDMACC or PCSACC, or in the Registration Facility (WRKREGINF: exit point QIBM_... -> EXIT1)
3. User exit program looks at the request and sets the return code: 1 = accept request, 0 = reject request
Exit Programs
Registration Facility
Exit Program Overview
Network Attribute PCSACC
Prior to V3R1 the network attribute values were:
*OBJAUT   Object authorizations are checked for this client request
*REJECT   Reject all server requests from clients
PGM-name  Exit program name, called by all requests
ALL REQUESTS -> server -> Exit PGM -> 1-ok / 0-No
• Every request invokes the same exit program
• Overhead of the exit program for requests that are not restricted
EXIT PROGRAM: PCSACC(EXIT-PGM-Name)
When the network attribute names a program, all requests are handled by the same exit:
Shared Folders, File Transfer, Remote Commands, APIs, Messages RCV/SND, Printer Support
REQUESTS -> server -> Exit PGM -> 1-ok / 0-No
Performance overhead on all requests
Network Attribute PCSACC(*REGFAC)
Use the system's registration facility to determine which exit program to run.
REQUESTS -> server -> Exit PGM -> 1-ok / 0-No   (servers with a registered exit)
REQUESTS -> server                               (servers without an exit)
Multiple exits possible
No exit (overhead) for some servers
Do I need to use the registration facility? Comparison
PCSACC(exit-pgm): ALL REQUESTS -> server -> Exit PGM
  Overhead
  • All requests checked
  • More complex logic (larger program)
PCSACC(*REGFAC): REQUESTS -> server (no exit); REQUESTS -> server -> Exit PGM
  Overhead reduced
  • Selected requests checked
  • Program logic simpler
RECOMMEND: Use the registration facility
➤ Performance advantage
➤ Can check more request types
Work with Exit Programs (WRKREGINF)
• Exit program for specific function
• Multiple programs can be defined

                      Work with Registration Information
 5=Display exit point   8=Work with exit programs
                                Exit Point  Regist-
 Opt  Exit Point                Format      ered     Text
 _    QIBM_QGW_NJEOUTBOUND      NJEO0100    *YES     Network Job Entry
 _    QIBM_QHQ_DTAQ             DTAQ0100    *YES     Original Data Queue
 _    QIBM_QLZP_LICENSE         LICM0100    *YES     Original License Mgmt
 _    QIBM_QMF_MESSAGE          MESS0100    *YES     Original Message
 _    QIBM_QNPS_ENTRY           ENTR0100    *YES     Network Print- entry
 _    QIBM_QNPS_SPLF            SPLF0100    *YES     Network Print- spool
 _    QIBM_QNS_CRADDACT         ADDA0100    *YES     Add CRQ description
 _    QIBM_QNS_CRCHGACT         CHGA0100    *YES     Change CRQ desc
 _    QIBM_QNS_CRDLTSBMCRQ      DLTA0100    *YES     Delete submitted CRQ
 _    QIBM_QNS_CRDSPACT         DSPA0100    *YES     Display CRQ desc
 _    QIBM_QNS_CREXCACT         EXCA0100    *YES     Run CRQ activity
                                                                  More...
 Command
 ===> ____________________________________________
 F3=Exit   F4=Prompt   F9=Retrieve   F12=Cancel
Work with Exit Programs
• Exit program for specific function
• Multiple programs can be defined

                        Work with Exit Programs
 Exit Point: QIBM_QZRC_RMT      Format: CZRC0100
 Type options, press Enter.
   1=Add   4=Remove   5=Display   10=Replace
       Exit
       Program     Exit
 Opt   Number      Program     Library
 __    __________  __________  __________
 1 EXIT1 MYLIB
 Command
 ==> ________________________________
 F3=Exit   F4=Prompt   F5=Refresh   F9=Retrieve
DB Security Outline
Logical Files
Column Level Security
DB Exit Programs
  Overview
  Sample Exit Programs
  iSeries Navigator (File Transfer and ODBC)
  FTP
Exit Programs
CALL EXIT (RTNCDE STRUCTURE)
RTNCDE: '0' = NO, '1' = OK
STRUCTURE:
Field                   Format   Size
User profile name       Char     10
Application name        Char     10
Function                Char     10
Object name             Char     10
Library name            Char     10
Object type             Char     7
Format name             Char     10
Variable data length    Zoned    5,0
Variable data           Char     *
Format detail is described in AS/400 Distributed Data Management (SC41-5307) and Client Access Server Concepts (SC41-5740).
Operation code by Function
Application   Function                      Operations
*LMSRV        license management            REQUEST, RELEASE
*VPRT         virtual print                 EXTRACT, CHECK, OPEN
*TFRFCL       file transfer                 SELECT, JOIN, REPLACE, EXTRACT
                EXTRACT  AS/400 -> PC  retrieve information
                SELECT   AS/400 -> PC  download file
                JOIN     AS/400 -> PC  download joined file
                REPLACE  PC -> AS/400  upload file
*FLRSRV       shared folders type 2         CHANGE, CREATE, DELETE, EXTRACT, MOVE, OPEN, RENAME
*MSGFCL       messages                      SEND, RECEIVE
*DDM          distributed data management   ADDMBR, CHANGE, CHGMBR, CLEAR, COMMAND, COPY, CREATE, DELETE, EXTRACT, INITIALIZE, LOAD, LOCK, MOVE, OPEN, RENAME, RGZMBR, RMVMBR, RNMMBR, UNLOAD
PREVENT REMOTE COMMANDS
1. Create the CL program: CRTCLPGM STOPCMDS SRCFILE( )
2. Change the network attributes: CHGNETA DDMACC(STOPCMDS)

PGM        PARM(&RTNCODE &DATA)
DCL        &DATA *CHAR 30        /* Request structure; only the first 30 bytes are used */
DCL        &RTNCODE *CHAR 1      /* '1' = allow the request, '0' = reject it */
DCL        &FUNC *CHAR 10        /* Function, positions 21-30 of the structure */
CHGVAR     &FUNC (%SST(&DATA 21 10))
IF         (&FUNC = 'COMMAND ') +
             THEN(CHGVAR &RTNCODE '0')   /* remote command: reject */
ELSE       CHGVAR &RTNCODE '1'           /* everything else: allow */
ENDPGM
Prevent Remote Commands and File Upload

/****************************************************/
/* Installation instructions                        */
/* 1. Compile program                               */
/*      CRTCLPGM PGM(LIB/EXIT1) SRCFILE( ) +        */
/*        USRPRF(*OWNER)                            */
/* 2. Change owner of the program to user QSECOFR.  */
/*    Adopted authority allows the program to send  */
/*    to the audit journal                          */
/*      CHGOBJOWN OBJ(LIB/EXIT1) OBJTYPE(*PGM) +    */
/*        NEWOWN(QSECOFR)                           */
/* 3. Name the exit program in network attributes   */
/*      CHGNETA DDMACC(LIB/EXIT1) PCSACC(LIB/EXIT1) */
/*                                                  */
/* The audit journal QAUDJRN entries created are:   */
/*   'X1' = Requests that are allowed               */
/*   'X0' = Requests that are rejected              */
/****************************************************/
PGM        PARM(&RC &STRU)
DCL        &RC *CHAR 1        /* Return 1=allow 0=prevent */
DCL        &STRU *CHAR 200    /* Request description      */
DCL        &USER *CHAR 10     /* User profile name        */
DCL        &APP1 *CHAR 10     /* Requested function       */
DCL        &APP2 *CHAR 10     /* Sub function             */
DCL        &TYPE *CHAR 2      /* Journal entry type       */
MONMSG     CPF0000 EXEC(GOTO EXIT)   /* If error, exit; &RC is left at '1' (fail open) */
CHGVAR     &RC '1'                   /* Allow request unless rejected below */
CHGVAR     &USER %SST(&STRU 1 10)    /* Get user     */
CHGVAR     &APP1 %SST(&STRU 11 10)   /* Get appl     */
CHGVAR     &APP2 %SST(&STRU 21 10)   /* Get function */
IF         (&APP1 = '*LMSRV') GOTO EXIT        /* Do not log IBM request to check license */
IF         (&USER = 'XXXXXXXXX') GOTO LOG      /* Placeholder: this user is logged but never restricted */
IF         (&APP1 = '*DDM' *AND &APP2 = 'COMMAND') +
             THEN(CHGVAR &RC '0')              /* Prevent use of remote commands */
ELSE       IF (&APP1 = '*TFRFCL' *AND &APP2 = 'REPLACE') +
             THEN(CHGVAR &RC '0')              /* Prevent file upload from PC users; download is not prevented */
LOG:       CHGVAR &TYPE ('X' *CAT &RC)         /* Log request in the audit journal */
           SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
EXIT:      ENDPGM

Good Way to Monitor Use
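The request structure and the EXIT1 decision logic above, modelled in Python as an added example (not code from the presentation; the real exit is the CL program shown). It parses the fixed-width structure from the parameter table (user 1-10, application 11-20, function 21-30, object 31-40, library 41-50, object type 51-57, format 58-67), applies the same rules (reject *DDM COMMAND, REPLACE only into UP_LIB, SELECT and, going beyond the slide, JOIN only from DOWN_LIB), skips logging for *LMSRV and builds the 'X' + return code audit entry; the user names, library names and requests are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Layout of the request structure (name, offset, length) from the handout's table.
FIELDS = (
    ("user", 0, 10), ("application", 10, 10), ("function", 20, 10),
    ("object_name", 30, 10), ("library", 40, 10), ("object_type", 50, 7),
    ("format_name", 57, 10),
)
STRU_LEN = sum(length for _, _, length in FIELDS)   # 67 bytes of fixed fields

UPLOAD_LIB = "UP_LIB"       # placeholder: only library PC users may upload (REPLACE) into
DOWNLOAD_LIB = "DOWN_LIB"   # placeholder: only library PC users may download (SELECT/JOIN) from


@dataclass(frozen=True)
class ExitRequest:
    user: str
    application: str
    function: str
    object_name: str
    library: str
    object_type: str
    format_name: str


def build_request(user: str, application: str, function: str, object_name: str = "",
                  library: str = "", object_type: str = "", format_name: str = "") -> str:
    """Construct a blank-padded structure like the one the server passes to the exit."""
    parts = [user, application, function, object_name, library, object_type, format_name]
    return "".join(v.ljust(length)[:length] for v, (_, _, length) in zip(parts, FIELDS))


def parse_request(stru: str) -> ExitRequest:
    """Split the fixed-width structure (the CL samples do this with %SST)."""
    stru = stru.ljust(STRU_LEN)
    return ExitRequest(**{name: stru[off:off + length].rstrip()
                          for name, off, length in FIELDS})


def decide(req: ExitRequest) -> str:
    """Return code as the CL samples set &RC: '1' = allow, '0' = reject."""
    if req.application == "*DDM" and req.function == "COMMAND":
        return "0"                                       # remote command submission
    if req.application == "*TFRFCL":
        if req.function == "REPLACE" and req.library != UPLOAD_LIB:
            return "0"                                   # upload outside UP_LIB
        if req.function in ("SELECT", "JOIN") and req.library != DOWNLOAD_LIB:
            return "0"                                   # download outside DOWN_LIB
    return "1"


def exit_program(stru: str) -> Tuple[str, Optional[Tuple[str, str]]]:
    """Model of one exit call: returns (rc, audit journal entry or None).

    The entry is what SNDJRNE JRN(QAUDJRN) TYPE('X' || rc) ENTDTA(stru) would
    record; *LMSRV license requests are not logged, as in the CL sample.
    """
    req = parse_request(stru)
    rc = decide(req)
    if req.application == "*LMSRV":
        return rc, None
    return rc, ("X" + rc, stru)


def rejected_by_user(entries: List[Tuple[str, str]]) -> Dict[str, int]:
    """Usage analysis over the journal entries: count 'X0' (rejected) per user."""
    counts: Dict[str, int] = {}
    for entry_type, data in entries:
        if entry_type == "X0":
            user = parse_request(data).user
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample requests: a remote command, an upload into the wrong
    # library, an allowed download and a license check that is not journaled.
    samples = [
        build_request("TROY", "*DDM", "COMMAND"),
        build_request("TROY", "*TFRFCL", "REPLACE", "NEWDATA", "PAYROLL"),
        build_request("ELLEN", "*TFRFCL", "SELECT", "REPORT", "DOWN_LIB"),
        build_request("ELLEN", "*LMSRV", "REQUEST"),
    ]
    journal = []
    for stru in samples:
        rc, entry = exit_program(stru)
        print(parse_request(stru), "->", rc)
        if entry is not None:
            journal.append(entry)
    print("rejected requests per user:", rejected_by_user(journal))
```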
The Exit Will Depend Upon the Client Operating System
Exit1 = Original File Transfer (exit point QIBM_QTF_TRANSFER)
Exit2 = Data Base Server (exit point QIBM_QZDA_NDB1)
[Table: which exit is called for file transfer from each interface (Interactive Interface, API, PC5250 Emulation, ODBC, Rumba Emulation, GUI) by client operating system (DOS, DOS extended, Windows 3.x, OS/2, OS/2 Optimized, Windows 95/NT Optimized); each cell is EXIT1, EXIT2 or N/A]
Exit Program Usage
EXIT1 = Original File Transfer
EXIT2 = Windows 95 and NT File Transfer
1. Two programs are required because the parameters are different
2. Limit all file transfer based upon library name: upload only into UP_LIB, download only from DOWN_LIB
3. Log requests in the audit journal
Note: It is not possible to determine the type of request (upload or download) for EXIT2, so transfers in either direction are allowed in either library.
Installation Instructions
1. Compile the programs
   CRTCLPGM PGM(XXX/EXIT1) SRCFILE(XXX/QCLSRC) USRPRF(*OWNER)
   CRTCLPGM PGM(XXX/EXIT2) SRCFILE(XXX/QCLSRC) USRPRF(*OWNER)
2. Change the owner
   CHGOBJOWN OBJ(XXX/EXIT1) OBJTYPE(*PGM) NEWOWN(QSECOFR)
   CHGOBJOWN OBJ(XXX/EXIT2) OBJTYPE(*PGM) NEWOWN(QSECOFR)
   Adopting the owner's authority allows the programs to send to the audit journal. Because the programs adopt QSECOFR authority, give them and their library *PUBLIC authority *EXCLUDE.
3. Register the exit programs
   ADDEXITPGM EXITPNT(QIBM_QTF_TRANSFER) FORMAT(TRAN0100) PGMNBR(1) PGM(XXX/EXIT1) TEXT('Limit to specific libraries')
   ADDEXITPGM EXITPNT(QIBM_QZDA_NDB1) FORMAT(ZDAD0100) PGMNBR(1) PGM(XXX/EXIT2) REPLACE(*NO) TEXT('Limit to specific libraries')
4. Update the network attribute
   CHGNETA PCSACC(*REGFAC)
EXIT1 - Original File Transfer Exit

/*==========================================================*/
/* To compile:                                              */
/*   CRTCLPGM PGM(XXX/EXIT1) SRCFILE(XXX/QCLSRC) +          */
/*     USRPRF(*OWNER)                                       */
/* Installation instructions:                               */
/* 1. Compile program                                       */
/* 2. Change owner of the program to user QSECOFR.          */
/*    Adopted authority allows the program to send          */
/*    to the audit journal                                  */
/*      CHGOBJOWN OBJ(XXX/EXIT1) OBJTYPE(*PGM) +            */
/*        NEWOWN(QSECOFR)                                   */
/* 3. Name the exit program in the registration facility    */
/*      ADDEXITPGM EXITPNT(QIBM_QTF_TRANSFER) +             */
/*        FORMAT(TRAN0100) PGMNBR(1) +                      */
/*        PGM(XXX/EXIT1) +                                  */
/*        TEXT('limit to specific libraries')               */
/* 4. Set registration facility in the network attribute    */
/*      CHGNETA PCSACC(*REGFAC)                             */
/* The request is recorded in the audit journal             */
/* The audit journal QAUDJRN entries created are:           */
/*   'X1' = requests that are allowed                       */
/*   'X0' = requests that are rejected                      */
/*==========================================================*/
PGM        PARM(&RC &STRU)
DCL        VAR(&RC)    TYPE(*CHAR) LEN(1)   /* 1=allow 0=prevent   */
DCL        VAR(&STRU)  TYPE(*CHAR) LEN(80)  /* request description */
DCL        VAR(&USER)  TYPE(*CHAR) LEN(10)  /* user profile        */
DCL        VAR(&APP1)  TYPE(*CHAR) LEN(10)  /* function            */
DCL        VAR(&APP2)  TYPE(*CHAR) LEN(10)  /* sub function        */
DCL        VAR(&TFOBJ) TYPE(*CHAR) LEN(10)  /* file name           */
DCL        VAR(&TFLIB) TYPE(*CHAR) LEN(10)  /* library             */
DCL        VAR(&TFMBR) TYPE(*CHAR) LEN(10)  /* member              */
DCL        VAR(&TFFMT) TYPE(*CHAR) LEN(10)  /* format              */
DCL        VAR(&TYPE)  TYPE(*CHAR) LEN(2)   /* journal type        */
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))
/* Set return code to allow the request unless rejected by the program */
CHGVAR     VAR(&RC) VALUE('1')
CHGVAR     VAR(&USER)  VALUE(%SST(&STRU 1 10))   /* get user     */
CHGVAR     VAR(&APP2)  VALUE(%SST(&STRU 21 10))  /* get function */
CHGVAR     VAR(&TFOBJ) VALUE(%SST(&STRU 31 10))  /* get file     */
CHGVAR     VAR(&TFLIB) VALUE(%SST(&STRU 41 10))  /* get library  */
CHGVAR     VAR(&TFMBR) VALUE(%SST(&STRU 51 10))  /* get member   */
CHGVAR     VAR(&TFFMT) VALUE(%SST(&STRU 61 10))  /* get format   */
/*******************************************/
/* Prevent file upload from PC users       */
/*   except in the UP_LIB library          */
/* Prevent download to PC                  */
/*   except in the DOWN_LIB library        */
/*******************************************/
IF         COND(&APP2 *EQ 'REPLACE') THEN(DO)
             IF COND(&TFLIB *NE 'UP_LIB') THEN( +
               CHGVAR VAR(&RC) VALUE('0'))     /* prevent request */
           ENDDO
IF         COND(&APP2 *EQ 'SELECT') THEN(DO)
             IF COND(&TFLIB *NE 'DOWN_LIB') THEN( +
               CHGVAR VAR(&RC) VALUE('0'))     /* prevent request */
           ENDDO
/*******************************************/
/* Log request in the audit journal        */
/*******************************************/
LOG:       CHGVAR VAR(&TYPE) VALUE('X' *CAT &RC)
           SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&STRU)
EXIT:      ENDPGM

Good Way to Monitor Use
EXIT2 - Windows 95/NT File Transfer Exit

/*==============================================================*/
/* To compile:                                                  */
/*   CRTCLPGM PGM(XXX/EXIT2) SRCFILE(XXX/QCLSRC) +              */
/*     USRPRF(*OWNER)                                           */
/* Installation instructions:                                   */
/* 1. Compile program                                           */
/* 2. Change owner of the program to user QSECOFR.              */
/*    Adopted authority allows the program to send              */
/*    to the audit journal                                      */
/*      CHGOBJOWN OBJ(XXX/EXIT2) OBJTYPE(*PGM) +                */
/*        NEWOWN(QSECOFR)                                       */
/* 3. Name the exit program in the registration facility        */
/*      ADDEXITPGM EXITPNT(QIBM_QZDA_NDB1) +                    */
/*        FORMAT(ZDAD0100) PGMNBR(1) +                          */
/*        PGM(XXX/EXIT2) REPLACE(*NO) +                         */
/*        TEXT('limit to specific libraries')                   */
/* The request is recorded in the audit journal                 */
/* The audit journal QAUDJRN entries created are:               */
/*   'Z1' = requests that are allowed                           */
/*   'Z0' = requests that are rejected                          */
/*==============================================================*/
PGM        PARM(&RC &REQUEST)
DCL        VAR(&RC)      TYPE(*CHAR) LEN(1)   /* 1=allow 0=prevent   */
DCL        VAR(&REQUEST) TYPE(*CHAR) LEN(700) /* request description */
DCL        VAR(&TYPE)    TYPE(*CHAR) LEN(2)   /* journal entry type  */
/* Function identifiers of the native database server (format ZDAD0100) */
DCL        VAR(&X1800) TYPE(*CHAR) LEN(4) VALUE(X'00001800') /* create database file */
DCL        VAR(&X1801) TYPE(*CHAR) LEN(4) VALUE(X'00001801') /* create source file   */
DCL        VAR(&X1802) TYPE(*CHAR) LEN(4) VALUE(X'00001802') /* add member           */
DCL        VAR(&X1803) TYPE(*CHAR) LEN(4) VALUE(X'00001803') /* clear member         */
DCL        VAR(&X1804) TYPE(*CHAR) LEN(4) VALUE(X'00001804') /* delete member        */
DCL        VAR(&X1805) TYPE(*CHAR) LEN(4) VALUE(X'00001805') /* file override        */
DCL        VAR(&X1806) TYPE(*CHAR) LEN(4) VALUE(X'00001806') /* delete file override */
DCL        VAR(&X1807) TYPE(*CHAR) LEN(4) VALUE(X'00001807') /* create save file     */
DCL        VAR(&X1808) TYPE(*CHAR) LEN(4) VALUE(X'00001808') /* clear save file      */
DCL        VAR(&X1809) TYPE(*CHAR) LEN(4) VALUE(X'00001809') /* delete file          */
/* Optimized database server declares */
DCL        VAR(&DBFMT)  TYPE(*CHAR) LEN(8)   /* format name         */
DCL        VAR(&DBFID)  TYPE(*CHAR) LEN(4)   /* function identifier */
/* The following parameters are additional for format ZDAD0100 */
DCL        VAR(&DBFILE) TYPE(*CHAR) LEN(128) /* file name             */
DCL        VAR(&DBLIB)  TYPE(*CHAR) LEN(10)  /* library name          */
DCL        VAR(&DBMBR)  TYPE(*CHAR) LEN(10)  /* member name           */
DCL        VAR(&DBAUT)  TYPE(*CHAR) LEN(10)  /* authority to file     */
DCL        VAR(&DBBFIL) TYPE(*CHAR) LEN(128) /* based on file name    */
DCL        VAR(&DBBLIB) TYPE(*CHAR) LEN(10)  /* based on library name */
DCL        VAR(&DBOFIL) TYPE(*CHAR) LEN(10)  /* override file name    */
DCL        VAR(&DBOLIB) TYPE(*CHAR) LEN(10)  /* override library name */
DCL        VAR(&DBOMBR) TYPE(*CHAR) LEN(10)  /* override member name  */
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(EXIT))
/* Allow the request unless rejected by the program */
CHGVAR     VAR(&RC) VALUE('1')
/* Set variables from the request description */
CHGVAR     VAR(&DBFMT)  VALUE(%SST(&REQUEST 21 8))
CHGVAR     VAR(&DBFID)  VALUE(%SST(&REQUEST 29 4))
CHGVAR     VAR(&DBFILE) VALUE(%SST(&REQUEST 33 128))
CHGVAR     VAR(&DBLIB)  VALUE(%SST(&REQUEST 161 10))
CHGVAR     VAR(&DBMBR)  VALUE(%SST(&REQUEST 171 10))
CHGVAR     VAR(&DBOFIL) VALUE(%SST(&REQUEST 329 10))
CHGVAR     VAR(&DBOLIB) VALUE(%SST(&REQUEST 339 10))
CHGVAR     VAR(&DBOMBR) VALUE(%SST(&REQUEST 349 10))
/* File override: allow only when the override library is UP_LIB or DOWN_LIB */
IF         COND(&DBFID = &X1805) THEN(DO)
             IF COND(&DBOLIB = 'UP_LIB') THEN(GOTO LOG)
             IF COND(&DBOLIB = 'DOWN_LIB') THEN(GOTO LOG)
             CHGVAR VAR(&RC) VALUE('0')           /* prevent request */
           ENDDO
/* Log request in the audit journal */
LOG:       CHGVAR VAR(&TYPE) VALUE('Z' *CAT &RC)
           SNDJRNE JRN(QAUDJRN) TYPE(&TYPE) ENTDTA(&REQUEST)
EXIT:      ENDPGM
Allowing Specific Users Access
Could check the name of the user in the exit program:
IF (&USER = 'User 1 ') GOTO LOG
IF (&USER = 'User 2 ') GOTO LOG
+ Good performance of the exit program
- To change users requires the program to be modified
- Security specification uses a different technique
Allowing Specific Users Access
Could read the authorized user names from a file in the exit program (Exit Program -> Read file)
+ More flexible: change users without modifying the program
- Potential performance concern if used frequently
- Additional file open in each job that calls the exit
- Security specification uses a different technique
Allowing Specific Users Access
Could check an authorization list for user access (Exit Program -> CHKOBJ -> Authorization List)
+ More flexible: change users
+ Minimal performance overhead
+ Does not require a file open
+ Uses standard security interfaces
Check an Authorization List
Exit Program -> CHKOBJ -> Authorization List
IF COND(………………. ) THEN(DO)
  CHKOBJ OBJ(QSYS/FILEREAD) OBJTYPE(*AUTL) AUT(*USE)
  MONMSG MSGID(CPF9800) EXEC(CHGVAR &RC '0')   /* not authorized: prevent the request */
  GOTO LOG
ENDDO
Possible to check for different authorities: *USE for read actions, *CHANGE for update actions.
Caveat: CHKOBJ honours adopted authority, so inside an exit program that adopts QSECOFR (USRPRF(*OWNER), as in the samples) the check always succeeds. Do the CHKOBJ in an exit program compiled with USRPRF(*USER) and call a separate QSECOFR-owned program only for the SNDJRNE.
Check an Authorization List
See the end of the handout for an example program using authorization lists.
DB Security Outline
Logical Files
Column Level Security
DB Exit Programs
  Overview
  Sample Exit Programs
  iSeries Navigator (File Transfer and ODBC)
  FTP
FTP Server Exit Programs
FTP server logon exit program
  Permit or deny users to log on based on: user ID, password, client IP address
  Establish an anonymous FTP server
FTP request validation exit program
  Permit or deny an FTP operation based on: user profile, remote IP address of the FTP client or server, directory, library, files (path names), CL commands
OS/400 FTP Server User Exit Program
Exit Program Flow
❶ TCP/IP calls the exit, passing parameters
❷ Exit program processes the parameters
❸ Exit program sets the return code
❹ TCP/IP application performs the operation based on the exit program response
TCP/IP Application Request Validation Exit Point Interface
FTP Server User Exit Program Parameters
Parameter                                  Use     Type       Values
Application identifier                     Input   Binary(4)  0 = FTP client program, 1 = FTP server program
Operation identifier                       Input   Binary(4)  0 = Session initialization, 1 = Directory/library create, 2 = Directory/library deletion, 3 = Set current directory, 4 = List files, 5 = File deletion, 6 = Sending file, 7 = Receiving file, 8 = Renaming file, 9 = Execute CL command
User profile                               Input   Char(10)
Remote IP address                          Input   Char(*)
Length of remote IP address                Input   Binary(4)
Operation-specific information             Input   Char(*)
Length of operation-specific information   Input   Binary(4)
Return code                                Output  Binary(4)  -1 = Never allow this operation identifier, 0 = Reject the operation, 1 = Allow the operation, 2 = Always allow this operation identifier
FTP Logon Interface
FTP Logon User Exit Program Parameters
Parameter                          Use     Type       Values
Application identifier             Input   Binary(4)  1 = FTP server program
User identifier                    Input   Char(*)
Length of user identifier          Input   Binary(4)
Authentication string              Input   Char(*)
Length of authentication string    Input   Binary(4)
Client IP address                  Input   Char(*)
Length of client IP address        Input   Binary(4)
Return code                        Output  Binary(4)  0 = Reject the logon operation; 1 = Continue the logon operation; 2 = Continue the logon operation with the specified user identifier and authentication string, and override the initial current library with exit program values; 3 = Continue the logon operation, overriding the user profile and password with exit program values
User profile                       Output  Char(10)
Password                           Output  Char(10)
Initial current library            Output  Char(10)
FTP Server Request Validation
Example from TCP/IP Configuration and Reference SC41-5420

/**********************************************************************/
/* Sample FTP server request validation exit program for anonymous FTP*/
/* Notes:                                                             */
/* 1. When the application id is 1 (FTP server) and the operation id  */
/*    is 0 (session initialization), the job is running under the QTCP*/
/*    user profile when the exit program is called. In all other      */
/*    cases the job is running under the user's profile.              */
/* 2. Create the exit program in a library with public authority      */
/*    *EXCLUDE. The exit program itself should be given *EXCLUDE      */
/*    public authority. The FTP server adopts the authority necessary */
/*    to call the exit program.                                       */
/* 3. It is possible to use the same exit program for both the FTP    */
/*    client and server request validation exit points.               */
/**********************************************************************/
TSTREQCL:  PGM PARM(&APPIDIN &OPIDIN &USRPRF &IPADDRIN +
                    &IPLENIN &OPINFOIN &OPLENIN &ALLOWOP)
/* Declare input parameters */
DCL        &APPIDIN  *CHAR LEN(4)    /* Application ID                */
DCL        &OPIDIN   *CHAR LEN(4)    /* Operation ID                  */
DCL        &USRPRF   *CHAR LEN(10)   /* User profile                  */
DCL        &IPADDRIN *CHAR LEN(15)   /* Remote IP address             */
DCL        &IPLENIN  *CHAR LEN(4)    /* Length of IP address          */
DCL        &OPINFOIN *CHAR LEN(9999) /* Operation-specific info       */
DCL        &OPLENIN  *CHAR LEN(4)    /* Length of operation-spec info */
DCL        &ALLOWOP  *CHAR LEN(4)    /* Allow (output)                */
/* Declare local copies of parameters (in format usable by CL) */
DCL        &APPID    TYPE(*DEC) LEN(1 0)
DCL        &OPID     TYPE(*DEC) LEN(1 0)
DCL        &IPLEN    TYPE(*DEC) LEN(5 0)
DCL        &IPADDR   *CHAR LEN(15)
DCL        &OPLEN    TYPE(*DEC) LEN(5 0)
DCL        &OPINFO   *CHAR LEN(9999)
DCL        &PATHNAME *CHAR LEN(9999) /* Uppercase path name */
/* Declare values for allow (1) and no allow (0) */
DCL        &ALLOW    TYPE(*DEC) LEN(1 0) VALUE(1)
DCL        &NOALLOW  TYPE(*DEC) LEN(1 0) VALUE(0)
/* Declare request control block for the QLGCNVCS (convert case) API: */
/* convert to uppercase based on the job CCSID                        */
DCL        &CASEREQ  *CHAR LEN(22) +
             VALUE(X'00000001000000000000000000000000000000000000')
DCL        &ERROR    *CHAR LEN(4) VALUE(X'00000000')
/* Assign input parameters to local copies */
CHGVAR     VAR(&APPID)  VALUE(%BINARY(&APPIDIN))
CHGVAR     VAR(&OPID)   VALUE(%BINARY(&OPIDIN))
CHGVAR     VAR(&IPLEN)  VALUE(%BINARY(&IPLENIN))
CHGVAR     VAR(&IPADDR) VALUE(%SST(&IPADDRIN 1 &IPLEN))
CHGVAR     VAR(&OPLEN)  VALUE(%BINARY(&OPLENIN))
/* Handle the operation-specific information field (variable length) */
IF         COND(&OPLEN = 0) THEN(CHGVAR VAR(&OPINFO) VALUE(' '))
ELSE       CMD(CHGVAR VAR(&OPINFO) VALUE(%SST(&OPINFOIN 1 &OPLEN)))
/* Default to reject so the output parameter is always set */
CHGVAR     VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW)
/* Operation ID 0 (incoming connection): reject if the connection is  */
/* through interface 9.8.7.6, accept otherwise (this is just an       */
/* example). This capability could be used to allow incoming          */
/* connections only from an internal network and reject them from     */
/* the "real" Internet when the Internet connection uses a separate   */
/* interface.                                                         */
/* NOTE: For the FTP server, operation 0 ALWAYS runs under QTCP       */
IF         COND(&OPID = 0) THEN(DO)
             IF COND(&OPINFO = '9.8.7.6') THEN(CHGVAR +
               VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW))
             ELSE CMD(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&ALLOW))
             GOTO CMDLBL(END)
           ENDDO
IF         COND(&USRPRF = 'ANONYMOUS') THEN(DO)
             /* Do not allow the following operations for the ANONYMOUS user: */
             /* 2 directory/library deletion, 5 file deletion, 7 receive file, */
             /* 8 rename file, 9 execute CL command                            */
             IF COND(&OPID = 2 *OR &OPID = 5 *OR &OPID = 7 *OR +
                     &OPID = 8 *OR &OPID = 9) +
               THEN(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW))
             ELSE CMD(DO)
               /* 3 change directory, 4 list directory, 6 send file: */
               /* allowed only below /public                         */
               IF COND(&OPID = 3 *OR &OPID = 4 *OR &OPID = 6) THEN(DO)
                 /* Convert path name to uppercase (names in the "root" */
                 /* and library file systems are not case sensitive)    */
                 CALL PGM(QLGCNVCS) PARM(&CASEREQ &OPINFO +
                      &PATHNAME &OPLENIN &ERROR)
                 /* Note: must check for the "/public" directory by itself */
                 /* and for path names starting with "/public/".          */
                 IF COND((%SST(&PATHNAME 1 20) *NE '/QSYS.LIB/PUBLIC.LIB') +
                         *AND (&PATHNAME *NE '/PUBLIC') +
                         *AND (%SST(&PATHNAME 1 8) *NE '/PUBLIC/')) +
                   THEN(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&NOALLOW))
                 ELSE CMD(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&ALLOW))
               ENDDO
             ENDDO
           ENDDO
/* Not the ANONYMOUS user: allow everything (object authority applies) */
ELSE       CMD(CHGVAR VAR(%BINARY(&ALLOWOP)) VALUE(&ALLOW))
END:       ENDPGM
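A Python model of the request validation exit above, added here and not part of the IBM sample (the real exit is the CL program): it applies the same anonymous-FTP policy with the return codes from the parameter table, uses -1 and 2 where the decision does not depend on the path (never allow / always allow this operation identifier, so the server need not consult the exit again for it), and normalizes the path so that '..' components cannot escape /public, which the CL prefix test does not do. The interface address 9.8.7.6 is the handout's placeholder, the user names are constructed, and the session dispatcher is an assumption about how the server honours -1 and 2.

```python
import posixpath
from typing import Dict

# Application / operation identifiers and return codes from the parameter table.
FTP_SERVER = 1
(OP_SESSION_INIT, OP_MKDIR, OP_RMDIR, OP_CD, OP_LIST, OP_DELETE,
 OP_SEND, OP_RECEIVE, OP_RENAME, OP_COMMAND) = range(10)
NEVER, REJECT, ALLOW, ALWAYS = -1, 0, 1, 2

BLOCKED_INTERFACE = "9.8.7.6"            # placeholder address used in the handout
ANONYMOUS_NEVER = {OP_RMDIR, OP_DELETE, OP_RECEIVE, OP_RENAME, OP_COMMAND}
ANONYMOUS_PATH_OPS = {OP_CD, OP_LIST, OP_SEND}


def in_public_tree(path: str) -> bool:
    """True when the path is /public, inside /public, or inside PUBLIC.LIB.

    Like the CL sample the name is uppercased (root and QSYS.LIB names are not
    case sensitive); unlike it, the path is normalized first, so a name such as
    '/public/../qsys.lib/payroll.lib' is not accepted as a /public name.
    """
    norm = posixpath.normpath(path.strip().upper())
    if norm == "/PUBLIC" or norm.startswith("/PUBLIC/"):
        return True
    return norm == "/QSYS.LIB/PUBLIC.LIB" or norm.startswith("/QSYS.LIB/PUBLIC.LIB/")


def validate_request(app_id: int, op_id: int, user_profile: str,
                     remote_ip: str, op_info: str) -> int:
    """Return code the exit would place in its Binary(4) output parameter.

    remote_ip is accepted for fidelity to the interface but not used here.
    """
    if app_id != FTP_SERVER:
        return ALLOW                     # the sample constrains only the server
    if op_id == OP_SESSION_INIT:
        # Runs under QTCP before logon; op_info is the local interface address.
        return REJECT if op_info.strip() == BLOCKED_INTERFACE else ALLOW
    if user_profile.strip().upper() != "ANONYMOUS":
        return ALWAYS                    # regular users: object authority applies,
                                         # no need to call the exit again for this op
    if op_id in ANONYMOUS_NEVER:
        return NEVER                     # fixed for the session, no further calls
    if op_id in ANONYMOUS_PATH_OPS:
        return ALLOW if in_public_tree(op_info) else REJECT
    return REJECT                        # directory create and anything unlisted


class ExitDispatcher:
    """Models one FTP session honouring -1/2: once the exit answers NEVER or
    ALWAYS for an operation identifier it is not consulted again for it."""

    def __init__(self, user_profile: str, remote_ip: str):
        self.user, self.ip = user_profile, remote_ip
        self.fixed: Dict[int, bool] = {}  # op_id -> decision fixed for the session
        self.calls = 0                    # how often the exit program ran

    def allowed(self, op_id: int, op_info: str = "") -> bool:
        if op_id in self.fixed:
            return self.fixed[op_id]
        self.calls += 1
        rc = validate_request(FTP_SERVER, op_id, self.user, self.ip, op_info)
        if rc in (NEVER, ALWAYS):
            self.fixed[op_id] = (rc == ALWAYS)
        return rc in (ALLOW, ALWAYS)


if __name__ == "__main__":
    session = ExitDispatcher("ANONYMOUS ", "10.0.0.5")   # constructed client
    for op, info in [(OP_CD, "/public"), (OP_LIST, "/Public/docs"),
                     (OP_CD, "/public/../qsys.lib/payroll.lib"),
                     (OP_COMMAND, "DSPLIB"), (OP_COMMAND, "DSPLIB")]:
        print(op, info, "->", session.allowed(op, info))
    print("exit program calls:", session.calls)
```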
Logon Exit Program for Anonymous FTP
Example from TCP/IP Configuration and Reference SC41-5420

/********************************************************************/
/* Sample FTP server logon exit program.                            */
/* Note: This program is a sample only and has not undergone any    */
/* review or testing.                                               */
/* Additional notes:                                                */
/* 1. When the FTP server logon exit is called, the FTP server job  */
/*    is running under the QTCP user profile.                       */
/* 2. For the ANONYMOUS case, users can add logging capability (for */
/*    example, write the e-mail address entered for the password and*/
/*    the client IP address to a log file).                         */
/* 3. IBM recommends that you create the exit program in a library  */
/*    with *PUBLIC authority of *EXCLUDE, and give the exit program */
/*    itself a *PUBLIC authority of *EXCLUDE. The FTP server adopts */
/*    authority when it is necessary to call the exit program.      */
/********************************************************************/
TSTLOGCL:  PGM PARM(&APPIDIN &USRIN &USRLENIN &AUTIN &AUTLENIN +
                    &IPADDRIN &IPLENIN &RETCDOUT &USRPRFOUT +
                    &PASSWDOUT &CURLIBOUT)
/* Declare input parameters */
DCL        &APPIDIN   *CHAR LEN(4)   /* Application identifier */
DCL        &USRIN     *CHAR LEN(999) /* User ID                */
DCL        &USRLENIN  *CHAR LEN(4)   /* Length of user ID      */
DCL        &AUTIN     *CHAR LEN(999) /* Authentication string  */
DCL        &AUTLENIN  *CHAR LEN(4)   /* Length of auth. string */
DCL        &IPADDRIN  *CHAR LEN(15)  /* Client IP address      */
DCL        &IPLENIN   *CHAR LEN(4)   /* IP address length      */
DCL        &RETCDOUT  *CHAR LEN(4)   /* Return code (out)      */
DCL        &USRPRFOUT *CHAR LEN(10)  /* User profile (out)     */
DCL        &PASSWDOUT *CHAR LEN(10)  /* Password (out)         */
DCL        &CURLIBOUT *CHAR LEN(10)  /* Current library (out)  */
/* Declare local copies of parameters (in format usable by CL) */
DCL        VAR(&APPID)  TYPE(*DEC) LEN(1 0)
DCL        VAR(&USRLEN) TYPE(*DEC) LEN(5 0)
DCL        VAR(&AUTLEN) TYPE(*DEC) LEN(5 0)
DCL        VAR(&IPLEN)  TYPE(*DEC) LEN(5 0)
/* Assign input parameters to local copies */
CHGVAR     VAR(&APPID)  VALUE(%BINARY(&APPIDIN))
CHGVAR     VAR(&USRLEN) VALUE(%BINARY(&USRLENIN))
CHGVAR     VAR(&AUTLEN) VALUE(%BINARY(&AUTLENIN))
CHGVAR     VAR(&IPLEN)  VALUE(%BINARY(&IPLENIN))
/* Default: continue the logon operation normally */
CHGVAR     VAR(%BINARY(&RETCDOUT)) VALUE(1)
/* Check for the ANONYMOUS user; any other user ID is treated as a */
/* regular user profile.                                          */
IF         COND(&USRLEN = 9) THEN(DO)
             IF COND(%SST(&USRIN 1 9) = 'ANONYMOUS') THEN(DO)
               /* For the anonymous user: force user profile ANONYMOUS and   */
               /* current library PUBLIC. Return code 6 is not in the table  */
               /* above; it is the value the IBM sample uses to continue the */
               /* logon with the user profile and current library supplied   */
               /* by the exit program, without password validation.          */
               CHGVAR VAR(%BINARY(&RETCDOUT)) VALUE(6)
               CHGVAR VAR(&USRPRFOUT) VALUE('ANONYMOUS ')
               CHGVAR VAR(&CURLIBOUT) VALUE('PUBLIC    ')
             ENDDO
           ENDDO
/* Any other user: proceed with normal logon processing. */
END:       ENDPGM
SUMMARY
Menu security is not adequate to limit a user. You must protect data from access via the other Client Access servers:
• FILE TRANSFER
• REMOTE COMMANDS
• FOLDER ACCESS
Use exit programs to block use of remote commands
SUMMARY
Use the Registration Facility to specify exit programs
Specifying exit programs using network attributes is not recommended:
• Increased overhead
• Network attributes support a limited set of exits
If you have additional questions or want more information please contact me
Wayne O. Evans
Phone (520) 578-7785
WOEvans@AOL.com
www.WOEvans-security.com