AS/400 architecture & security
LvR/VU MAR/2003

CONTENTS
History
Architecture
Application and Operating System/400 (AS/400 and OS/400)
Physical security levels
Logical security levels
Object management
Security implementation
Special security feature
Auditing (Part X, only for the AS/400 auditor)
Note: AS/400 = hardware, OS/400 = operating system

CONTENTS (detailed)
Literature; Highlights; History; Architecture; Communication support; Machine Interface; AS/400 Database System; Integrated File System; Single level storage; Object oriented; Object types; Physical security; Logical security levels; Integrity checking; Special authorizations; User classes; Pre-defined user profiles; User profile; Group profile; Group structure; Object header authority; Object data authority; Object authority; Grouping; Public authorization; Private authority; Authorization list; Authorization check flow; Adopted security; Dedicated service tools; Journaling; Security definition interface
ONLY FOR THE AS/400 AUDITOR: Limited users; Library security; Physical versus logical file security; Authority holder; Adopted security; Journaling
OPTIONAL LITERATURE
IBM, AS/400 System Concepts
IBM, AS/400 Security Concepts & Planning
IBM, AS/400 Guide to enabling C2 security
IBM, Application System/400 Technology
Ernst & Young, A practical approach to logical access control, McGraw-Hill (1993) (see chapter AS/400 access control)
Ernst & Young, Technical reference series: Audit, Control and Security of the IBM AS/400 (1994) (description, control objectives, audit questions)
Fred de Koning et al., Beveiliging en controle in een AS/400-omgeving, Paardekooper & Hoffman (1995)
STRUCTURE OF:
Overview: hardware, software, logical access path, utilities, backup and recovery, objects, libraries, initial menus and programs
System security: system keylock, system values, authorities, user and group profiles, authorization lists, etc.
SECURITY TOPOLOGY

TOPOLOGY OF SECURITY LAYERS
Figure, layers from the outside inwards: End user; Network security; Front door; Security in system/service; Security in application; Physical security of the computing center; Computing center staff; Access control; Operating system; Hardware; DATA.
Measures depend upon the security objectives and the enterprise's security strategy.
Note: The security measures in the network, services and applications may use the access control in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.
ACCESS PATH WITHIN AS/400 (MEY model)
Figure (see the Ernst & Young book on logical access control): End users and MIS personnel reach the DATA through the OS/400 communication functions, user profiles, the initial menu, application software, command processors, tools & utilities, and the OS/400 database management functions.
HIGHLIGHTS

HISTORY OF APPLICATION SYSTEM/400 (AS/400)
System/34; System/36 (database included in the OS); AS/400; AS/400-Y10; PowerPC AS/400
ARCHITECTURE AS/400
Legend (figure): Direct Access Storage Device (disks); Bus Control Unit; I/O Bus Unit (Communication Controller); Bus Extension Unit

ARCHITECTURE
Until 1995 the system processor was designed with the System/370 architecture, which is also used in mainframes with the S/390 architecture. The system processor had a 32-bit data path and a 48-bit addressing structure, able to address 281 terabytes. The addressing architecture is designed to handle 64-bit addressing, which is fully implemented in the newer systems using the PowerPC architecture.
COMMUNICATION PROTOCOLS

NETWORK PROTOCOLS
To manage network access, AS/400 supports the most common network protocols.
Logical connection: Asynchronous; Binary Synchronous Communications (BSC); System Network Architecture (SNA); Advanced Peer-to-Peer Network (APPN); Transmission Control Protocol/Internet Protocol (TCP/IP); Open Systems Interconnection (OSI); Multiprotocol Transport Networking (MPTN)
Physical connection (figure)
Layer stack (figure): Terminal / Application = End user; Transaction Services; Presentation Services; Data Flow Control; Transmission Control; Path Control; Data Link Control; Physical Control
MACHINE INTERFACE
Compilers, utilities
The three machine layers, called the high-level machine, also provide many functions normally implemented in the operating system.
Traditional operating system: task management, resource management, storage management, database management, security management, etc.
Traditional hardware: machine interface, hardware
Operating System/400 (OS/400) on AS/400 hardware: the machine interface provides task management, resource management, storage management, data access, database management, security management, etc., on top of the hardware.
DATABASE SYSTEM
Figure: System A with Database X; System B with AS/400 Database Y.

INTEGRATED FILE SYSTEM
Figure: File system Y.
SINGLE LEVEL STORAGE
Traditional mainframe (OS/390): an address space per user (2 GB each) and separate data sets on disks.

DIFFERENT ARCHITECTURE
AS/400 - OS/400: 2^64 bytes = 16,000,000 terabytes of address space, holding objects (program, screen, data, ...) on DASD.

VAT = Virtual Address Translation
DIR = Directory used by VAT to keep track of virtual storage contents
Note: When data or instructions are needed for execution by the system processor they are brought into main storage. When there is a shortage of main storage, the data and/or instructions no longer needed are transferred back to auxiliary storage on DASD.

AS/400 single-level storage gives the ability to have data storage independent of device types. All data, including programs, source, data, databases, etc., are mapped into this single virtual address space.
AS/400 VIRTUAL ADDRESS SPACE (figure): Program A123, Program A143, Data 5RF, Command AB6, Queue, Menu 567, Menu 765, Command UY, etc., up to the maximum space.
OBJECTS

OBJECT ORIENTED
Data (e.g., data records, programs, sources, etc.) is stored in objects.
OBJECT TYPES
To store information in the AS/400 system, 73 different object types are defined, e.g.

Type                 Contents
Library              object names (like a directory)
Data                 data records (database records)
Program              executable programs
Source               source of programs in COBOL, Pascal, C, etc.
User profile         userid descriptions and privileges
Journal              logging records
Job queue            jobs to handle
Output queue         output from jobs
Device description   device parameters
Job description      job control language
OBJECT ADMINISTRATION
Figure: START OBJECT SEARCH; QSYS lists LIBRARY 1, LIBRARY 2 and LIBRARY 3; LIBRARY 1 holds OBJECT X and OBJECT Y; LIBRARY 2 holds OBJECT Z; the LIBRARY 2 DATABASE holds OBJECT K, OBJECT L and OBJECT M.
PHYSICAL SECURITY

KEYLOCK SWITCH
On the front panel of the AS/400, operated with a physical key (to be stored safely). Positions: Normal, Manual, Secure, Auto.

Keylock position      SECURE  AUTO  NORMAL  MANUAL
Power down command    YES     YES   YES     YES
Remote or timed IPL   NO      YES   YES     NO
Main switch IPL       NO      NO    YES     YES
Attended IPL          NO      NO    NO      YES

Note: In position MANUAL (attended IPL), special service tools are available (Dedicated Service Tools).
LOGICAL SECURITY LEVELS
Note: to guarantee data integrity, the system value QSECURITY must be set to at least 30 by the security administrator prior to user access to the system.
INTEGRITY CHECKING
Isolation: AS/400 has system state and user state programs.
Security level 10, 20 and 30: user and system programs can freely interact with the high-level machine.
Security level 40: the APIs (Application Program Interface) must be used by a user program to interact with a system program.
Security level 50: the APIs must also be used by a user program to interact with another user program.

INTEGRITY CHECKING (domain matrix, figure)
System state domain to system state domain: no integrity problem.
User state domain to system state domain: integrity problem when not checked; at level 40 the API must be used.
User state domain to user state domain: integrity problem; intentionally no problem, no journaling of activities; level 50 enforces the use of the API in the user domain.
SPECIAL AUTHORIZATIONS
Within the AS/400 system there are definitions with a system-wide authority scope. When a user is defined with a special authorization he/she is authorized to do one of the following:
access every system resource
create / change user profiles
save / restore
manipulate jobs on the system
all spool functions
service functions
audit related functions
change system configuration
USER CLASSES (figure)
Classes shown: SECOFR, SECADM, SYSOPR, PGMR; special authorities shown: IOSYSCFG, JOBCTL, SAVSYS.
USER CLASSES
Special authorities can be grouped together. This grouping is called a USERCLASS. The classes are SECOFR, SECADM, SYSOPR, PGMR and USER; the table on the slide shows which authority each class holds, with some entries marked 10/20.
Note: 10/20 refers to security levels 10 and 20. When one of these is active, the ALLOBJ authority is assigned to these classes automatically. The other mark refers to security levels 30, 40 and 50.
PRE-DEFINED USER PROFILES
Note: The passwords must be changed as soon as the system is IPLed for the first time, to prevent other users from signing on with these highly authorized userids.
USER PROFILE
With security level 20 or higher, a user can only access the system if a user profile is defined. A user profile can be created through a panel interface or by issuing the CRTUSRPRF command. The contents of the user profile may be
AUTHENTICATION
System-wide password syntax options (system values):
QPWDMINLEN   minimum length of password
QPWDMAXLEN   maximum length (up to 10 characters)
QPWDRQDDIF   new password must differ from the 32 previous passwords
QPWDLMTCHR   specify up to 10 characters not allowed in a password
QPWDPOSDIF   a character in the new password must differ from the character in the same position in the old one
QPWDLMTREP   characters may not be used more than once
QPWDLMTAJC   numbers 0 to 9 may not be next to another number
QPWDVLDPGM   use a password syntax checker (program)
QPWDRQDDGT   at least one numeric character
Further options: maximum number of days the password is valid; maximum number of unsuccessful sign-on attempts; display date/time of last sign-on etc. after a successful sign-on.
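A simplified model of the password syntax rules listed above, as an added example (not code from the course or from IBM): the policy values, the check_password function and the representation of the QPWDVLDPGM checker program as a callback are assumptions.

```python
# Model of the password syntax system values listed above (added example,
# constructed; not IBM's validation code). The policy values are assumptions
# chosen to exercise every rule; QPWDVLDPGM, the user-written syntax checker
# program, is represented as an optional callback.
from typing import Callable, Optional

POLICY = {                    # one entry per system value on the slide
    "QPWDMINLEN": 6,          # minimum length
    "QPWDMAXLEN": 10,         # maximum length (never more than 10)
    "QPWDRQDDIF": 32,         # must differ from this many previous passwords
    "QPWDLMTCHR": set("@#$"), # characters not allowed in a password
    "QPWDPOSDIF": True,       # each position must differ from the old password
    "QPWDLMTREP": True,       # a character may not be used more than once
    "QPWDLMTAJC": True,       # a digit may not be next to another digit
    "QPWDRQDDGT": True,       # at least one digit required
}

def check_password(new: str, old: str, history: list[str], policy: dict = POLICY,
                   qpwdvldpgm: Optional[Callable[[str], Optional[str]]] = None
                   ) -> list[str]:
    """Return the names of the violated rules; an empty list means accepted.

    `history` holds previous passwords, most recent first; only the first
    QPWDRQDDIF entries are compared, as the slide's "32 previous" suggests.
    """
    violations = []
    if len(new) < policy["QPWDMINLEN"]:
        violations.append("QPWDMINLEN")
    if len(new) > policy["QPWDMAXLEN"]:
        violations.append("QPWDMAXLEN")
    if new in history[:policy["QPWDRQDDIF"]]:
        violations.append("QPWDRQDDIF")
    if any(c in policy["QPWDLMTCHR"] for c in new):
        violations.append("QPWDLMTCHR")
    if policy["QPWDPOSDIF"] and any(a == b for a, b in zip(new, old)):
        violations.append("QPWDPOSDIF")
    if policy["QPWDLMTREP"] and len(set(new)) != len(new):
        violations.append("QPWDLMTREP")
    if policy["QPWDLMTAJC"] and any(a.isdigit() and b.isdigit()
                                    for a, b in zip(new, new[1:])):
        violations.append("QPWDLMTAJC")
    if policy["QPWDRQDDGT"] and not any(c.isdigit() for c in new):
        violations.append("QPWDRQDDGT")
    if qpwdvldpgm is not None:         # exit program returns a reason or None
        reason = qpwdvldpgm(new)
        if reason:
            violations.append("QPWDVLDPGM: " + reason)
    return violations
```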
GROUP PROFILE
A group profile has the same structure as a user profile: it becomes a group profile when it is named as a group in a user profile. The contents of the group profile may be (for the group): accounting code (not relevant), limited capability (not relevant).
GROUP STRUCTURE
Figure: group profile GROUP A, group profile GROUP B.
The groups are independent definitions and do not have any relation to one another. A user can be a member of a maximum of 16 groups.

OBJECT HEADER AUTHORITY
AS/400 is object oriented: all stored information is contained in an object. There are 3 authority levels to control the header information. This authority is specific for every user-object combination. The user may
OBJECT DATA AUTHORITY
Prior to accessing the contents of the object, the user must have at least OBJOPR authority to the object. If so, data access can be controlled with five different levels.

OBJECT AUTHORITY
To get access to the object, the user first needs access to the header information before he/she is allowed to access the data part of the object. To have access to the data the user needs, in addition to the header access, at least read access to the data part of the object. In this example all users have read access to the data.
Figure: PUBLIC authority; START SEARCH; OBJOPR (header) then READ (data).
GROUPING
Figure (partly legible): ALL, SE, DLT.
EXCLUDE      access always denied
LIBCRTAUT    access determined by the library where the object is registered
USER DEF     combination defined by the user
PUBLIC AUTHORIZATION
When most users must have the same access authority to an object, this access authority is set in the object header. The authorization is called PUBLIC and is given to the object at creation.
Figure: object header with object type, owner and PUBLIC authority USE, applying to all users.
PRIVATE AUTHORITY
When a specific user must have limited or higher access rights relative to the public authority, the user's access is administered in his/her user profile extension.
Figure: user profile with header, user information, list of owned objects, and a LIST OF OBJECTS AUTHORIZED TO ACCESS WITH THE AUTHORITY, e.g. OBJEXAMPLE CHANGE (applies to a single user).
Note: When there is a private access definition for the object lower than the public authority, it will be marked in the object header.
AUTHORIZATION LIST
Another possibility to control access is to create an authorization list. Such a list is created when there are users or groups with different access rights to a group of objects. An object can be connected to this authorization list. The advantage of an authorization list is that it can be created prior to the creation of the object and it will not be deleted when an object is deleted. When another object is created that needs the same authorization scheme, this newly created object can be connected to the same list.

AUTHORIZATION LIST (is an object)
Figure: entries with authority ALL, CHANGE, USE, AUTLMGT, EXCLUDE.
The example above shows a list which can be used by an object to control its access rights. There is also a specific access control authorization called AUTLMGT. This gives the user (or group) the ability to maintain this authorization list.
Note: When the public authorization in the object specifies that the authorization list will be used, the entry PUBLIC will give the public authorization.

Example list: ANJA ALL; EDWIN CHANGE; RONALD USE AUTLMGT; LEEN; PUBLIC EXCLUDE
Note: In this example the public authority is now taken from the authorization list entry PUBLIC.
ADOPTED SECURITY
AS/400 security allows a user to adopt the access authorization of the owner of a program. When a user is allowed to execute a program owned by another user, the authority can be adopted. The user then has the same access authority to the objects as the owner.
Figure: User A has EXCLUDE for DATA B23 (not allowed) and USE for program BAS.

User A has EXCLUDE for data B23 and USE for program BAS.
Figure: DATA B23, owner user B, public authority USE; PROGRAM BAS: adopting authority active.
Note: In this example, user B has access authority ALL to the object with data B23. User A can only access it through the program BAS.

ADOPTED SECURITY: another example
Figure: program B2S; users A, B and X.
User A has USE for program B2S and EXCLUDE for data X24.
PROGRAM B2S (owner user B): call program X2U.
PROGRAM X2U (owner user X): has ALSO USE authority to DATA X24.
Note: Adopted security is the only accumulated security within AS/400.
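A simulation of the authority check flow described in the object authority, public and private authority, authorization list and adopted security slides above, as an added example (not the course's or IBM's code): the object names, owners, the rights inside each grouping and the simplified check order (owner, private authority, authorization list entry, PUBLIC, then accumulated adopted authority) are assumptions.

```python
# Simulation of the OS/400 authority check flow (added example, constructed).
# Models the slides: OBJOPR on the header before any data authority, private
# authority over the authorization list over PUBLIC, and adopted authority
# accumulating from every adopting program on the call stack. Object names,
# owners, the rights in each grouping and the check order are assumptions.
from dataclasses import dataclass, field
from typing import Optional

HEADER = {"OBJOPR", "OBJMGT", "OBJEXIST"}        # the 3 header authorities
DATA = {"READ", "ADD", "UPD", "DLT", "EXECUTE"}   # the 5 data authorities
GROUPS = {                                       # predefined groupings
    "ALL": HEADER | DATA,
    "CHANGE": {"OBJOPR"} | DATA,
    "USE": {"OBJOPR", "READ", "EXECUTE"},
    "EXCLUDE": set(),
}

@dataclass
class AutList:
    entries: dict[str, str]           # user (or "PUBLIC") -> grouping name

@dataclass
class Obj:
    owner: str
    public: str                       # grouping name, or "AUTL" = use the list
    private: dict[str, str] = field(default_factory=dict)
    autl: Optional[AutList] = None
    adopts: bool = False              # program adopts its owner's authority

def own_authority(user: str, obj: Obj) -> set[str]:
    """Rights of `user` on `obj` before any adopted authority is added."""
    if user == obj.owner:
        return set(GROUPS["ALL"])
    if user in obj.private:           # private authority overrides public
        return set(GROUPS[obj.private[user]])
    if obj.autl and user in obj.autl.entries:
        return set(GROUPS[obj.autl.entries[user]])
    if obj.public == "AUTL":          # PUBLIC is taken from the list's entry
        entry = obj.autl.entries.get("PUBLIC", "EXCLUDE") if obj.autl else "EXCLUDE"
        return set(GROUPS[entry])
    return set(GROUPS[obj.public])

def effective_authority(user: str, obj: Obj, call_stack=()) -> set[str]:
    """Adopted authority accumulates from each adopting program on the stack."""
    rights = own_authority(user, obj)
    for pgm in call_stack:
        if pgm.adopts:
            rights |= own_authority(pgm.owner, obj)
    return rights

def allowed(user: str, obj: Obj, wanted: set[str], call_stack=()) -> bool:
    """Header access (OBJOPR) is required before any data authority counts."""
    rights = effective_authority(user, obj, call_stack)
    return "OBJOPR" in rights and wanted <= rights

# Constructed scenario from the slides: DATA B23 owned by user B, public USE,
# user A EXCLUDEd; program BAS (owner B) adopts B's authority.
B23 = Obj(owner="B", public="USE", private={"A": "EXCLUDE"})
BAS = Obj(owner="B", public="USE", adopts=True)
# Second slide: B2S (owner B) calls X2U (owner X); X has USE on DATA X24.
X24 = Obj(owner="OWNER_X24", public="EXCLUDE", private={"A": "EXCLUDE", "X": "USE"})
B2S = Obj(owner="B", public="USE", adopts=True)
X2U = Obj(owner="X", public="USE", adopts=True)
```

With this model, user A is refused READ on B23 directly but gets it through BAS, and reaches X24 only when both B2S and X2U are on the stack, which is the accumulation the last note describes.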
JOURNALING
The journal entries can be selectively retrieved from the journal receiver. Sample object definitions are available for saving the different journal entry types.
Figure: AS/400 SECURITY EVENT; journal activated with system value QAUDJRN (JRN); journal level activated with system values, e.g. AUTFAIL PGMFAIL; journal receiver USERRECV, read by the security officer.

PART X
ADDITIONAL INFORMATION, ONLY FOR THE AS/400 AUDITOR
LIMITED USERS
Restrictions can be defined in the user profile, the so-called limited capability (LMTCPB). Users can be prevented from changing the initial menu, initial program and current library. When a user signs on, the user profile definition may contain an initial menu to display or a program to execute. The signed-on user can only use this menu structure, or can only execute the defined program, when limited capabilities = YES. When a user is PARTIAL limited (also defined in the user profile), the user may change the main menu and is allowed to issue commands from the command line.
LIBRARY SECURITY
To administrate the existence of an object a library is used. Libraries are also objects, and to find an object the user needs at least USE access to the library to search for the objects described in it. Give the public authority for the objects in the library as high as necessary and set the public authority for the library to EXCLUDE; authority for the library must then be given to individual users.
Figure: LIBRARY A, owner user A, public authority EXCLUDE, containing OBJECT A, OBJECT B, OBJECT C, etc.

PHYSICAL VERSUS LOGICAL FILE SECURITY
Figure: FILE P, public authority NONE; data description specification with RECORDS, FIELDS and DATA.
AUTHORITY HOLDER
AS/400 gives the opportunity to set up an object authority before the creation of an object. This mechanism is called an authority holder. The authority holder is a dummy object header containing all header information of an object. It will be connected to the object's data part when the data is created.
Figure: AUTHORITY HOLDER, public authority USE, object header created in advance.
ADOPTED SECURITY
If Library A is placed in front of Library B in the library list, program A is found in the other library, which can result in the execution of a controlled program and give unpredicted results like a security breach.
Figure: Library A containing program A; Library B containing program A and program B.

To eliminate the possibility of using the library sequence, the program call should supply the library name by using the qualified name in the CALL command: CALL Lib(B)/PROGRAM(A). Program A will then only be used from library B. Another way to eliminate this security problem is not to call the program but to transfer control (TFRCTL) to program A. With TFRCTL program A will not adopt the authorization of user B. This can only be done when appropriate for the program logic flow.
JOURNALING
To activate journaling the security officer must create the QSYS/QAUDJRN journal and a journal receiver. The journal, located in the system library, acts as an intermediary. The journal receiver is the object that will hold the journal entries and can be defined by the security officer using his/her own naming conventions. The journal is created with the following commands:
CRTJRN JRN(QAUDJRN) LIB(QSYS)
QAUDJRN(JRN)
QAUDLVL(AUTFAIL PGMFAIL)
JRNRCV(USERRECV)
To set the level of journaling the system value QAUDLVL must be set. Possible values are